When an organisation has an office in another country, and hires workers in that country or assigns employees to work in the office abroad, it’s important to monitor the remote employees to protect the organisation’s assets. At the same time, any monitoring must be adapted to each foreign country’s employee surveillance laws, its incident reporting requirements, and even its culture.
Monitoring employees in another country
Employee monitoring activities must be governed by local legal guidelines, company policy and human rights and health and safety legislation. Legally, what can and can’t be monitored varies greatly from country to country, and is often open to interpretation. In many countries, the use of different forms of surveillance is restricted according to the severity of the incident and the intrusiveness of the surveillance. Romania, for example, allows state authorities to carry out surveillance of any type, regardless of the suspected or alleged offence.
Most countries allow monitoring of telephone call records, email logs and financial transactions captured by in-house systems. However, the use of intercept is usually restricted or prohibited (although in Singapore there are currently no legal restrictions). Be wary of using intercept in the UK for an investigation of employees abroad as, if it’s not properly authorised, it could constitute a criminal offence under the Regulation of Investigatory Powers Act 2000.
Generally, the police should be informed when a serious criminal offence has occurred. In this case, intercept may be used if authorised and conducted by the law enforcement agencies. Search or seizure of property is definitely a task for the police. If in doubt, consult a legal expert with local knowledge first.
Bear in mind that just because a particular monitoring or surveillance technique is permissible in a particular country doesn’t necessarily mean it’s appropriate for a company to use it on its staff. Monitoring should always be proportionate to the assessed level of risk. Employees should be made aware of the security measures the organisation has in place. They should be informed that monitoring systems don’t actually focus on a single individual, but rather look at captured data as a whole in order to spot unusual or suspicious patterns compared to normal day-to-day activities.
Dealing with a security breach
No matter how security-conscious an organisation is, there is always the possibility that its overseas office will suffer a data breach. Therefore, it is important to know what legal obligations are involved if a breach occurs, particularly if it involves the compromise of personally identifiable information. Many states in the US, for example, require some type of notice in the event of certain types of data security breaches.
Be sure to stay up to date with new legislation too. According to California’s infamous SB 1386, the US’ first security breach notification law, breach notifications must include a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit-reporting agencies in California. An electronic copy of the notification must also be sent to the California attorney general if a single breach affects more than 500 Californians. This is quite different from Poland, for example, where private industry is under no obligation to report any insider incident, or Ireland, where the police must be involved from the outset if the hope is to prosecute the perpetrator.
Managing employees in another country
Overseas employees should be made to feel part of the organisation. Senior management must be aware of cultural differences that may cause problems or misunderstandings.
One example from my personal experience is the issue of politeness. In some cultures, politeness means an employee will never refuse to take on a task, even if they feel they lack the necessary skills or time to do it well, or even if it’s totally impossible! An employee who faces an impossible task may even feel compelled to bypass company policies to get the job done.
Nobody enjoys getting a dressing-down from the boss, and the issue of publicly losing face in some cultures should be considered when deciding how to handle disciplinary matters. Informal or private interviews may be a better way to establish the facts than a more formal British approach. The main thing is to ensure any problems and breaches are reported to the head office as soon as possible so the situation doesn’t rumble on without intervention, probably worsening day by day. Interestingly, the use of reporting hotlines is not always common practice in many countries. In fact, there is actually a conflict between America’s Sarbanes-Oxley Act and EU data protection legislation, as the former requires an anonymous reporting option while the latter requires hotlines to be confidential but not anonymous.
Maintaining a high standard of ongoing personnel security measures and ensuring employees are treated well will improve morale and increase commitment and loyalty to the organisation, hopefully reducing the likelihood of illegal activity. This can be particularly important in times of uncertainty as any perceived instability in the workplace can lead to disaffection amongst employees, which in turn can increase the risk of an employee being tempted to engage in malicious activity.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in January 2012