In the second article of this three-part series, we outlined how data analytics is an emerging tool that organizations are employing to detect hidden and emerging compliance and legal risks in their data. Now, we will explore the challenges of real-time data monitoring in an era of Big Data, and the role that legal plays in striking the right balance for the organization.
Prudent risk management or Big Brother?
It’s no surprise that the National Security Agency’s surveillance of social media sites and telecommunications, and several recent high-profile data breaches, are fueling an environment of mistrust regarding how companies collect and use the personal information of their customers and employees.
At the same time, organizations are looking to accelerate their monitoring, collection and analysis of data not only to gather business intelligence but also to improve risk management and data security practices. That means greater scrutiny of both the organization’s networks and its employees. And as organizations move toward true real-time monitoring of their employees’ every electronic move, legal has a role to play in managing the risks associated with these monitoring activities.
The right to privacy
Does a right to privacy exist in the age of Big Data? Legally, the answer depends in large part on your geographic location. In many foreign jurisdictions, most notably the EU, privacy has been elevated to a human right. However, there are no comparable U.S. laws. And although the U.S. Supreme Court has ruled that the Constitution protects individuals against government intrusion, in the U.S. employees do not have a general right to privacy from employers’ monitoring of data on their own networks and devices.
The focus in the U.S. thus far has been on consumer privacy rights, not employee rights. On the federal level, the Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, Gramm-Leach-Bliley Act and Children’s Online Privacy Protection Act are just a few of the laws that regulate data collection and management practices; in some cases, those laws may impact employees’ data. Enforcement agencies like the Federal Trade Commission, Consumer Financial Protection Bureau, and state attorneys general have brought enforcement actions against companies that fail to protect consumers’ personal information. Organizations can expect increased regulation and enforcement to continue on both the federal and state fronts.
Privacy in the workplace
In contrast to the increased attention on consumer privacy, employees currently are entitled to little privacy when it comes to their activities at work. Employers already have a right to, and in fact do, monitor employee behavior on an organization’s network and devices. But much of this monitoring is theoretical — employers generally do so only when they are alerted to potential problematic conduct. That dynamic is rapidly fading into obscurity.
With the proliferation of mobile devices and social media, the line between business and personal is increasingly blurred. Employees use personal devices and social media accounts for work — and use those devices and accounts for personal activities. As organizations increase real-time monitoring of employee activity to manage risk and to meet the challenges of data security, they are on a potential collision course with the as-yet uncharted territory of employee privacy. We have seen this increased risk of data monitoring already with National Labor Relations Board rulings restricting the monitoring of employee activity on social media sites not sponsored or controlled by the organization. We can expect additional potential restrictions where the line between personal and business information is blurred (such as BYOD).
Effective privacy and usage policies
At present, the best way to minimize the risks of real-time data monitoring is for legal to establish clear data-related policies and procedures that provide guidance to employees about the organization’s rights to collect, use, retain and monitor data on its networks, devices and websites. They should have senior-management buy-in and reflect the organization’s corporate values and principles. Policies should reflect the following:
- Ownership: Confirm to all employees that the organization owns any and all business data in any form — and has the right to access and protect that data — even if stored on personal devices.
- No expectation of privacy: Employees should be notified that they have no reasonable expectation of privacy with respect to any systems or devices used to store business data or to access the organization’s systems.
- Monitoring: Inform employees that they are being monitored, specify the type of monitoring that you are using and explain the business purpose for that monitoring.
- Acceptable use: Define the acceptable use of company networks, email and devices, including whether and when employees may use company systems for personal reasons and the consequences of such use.
- Personal devices: If employees are permitted to use personal devices for work, have clear policies on the applications authorized for business activity, and provide technologies that, to the extent possible, separate business from personal information. Also, require employees to turn over those mobile devices for examination when the employee leaves her employment or if the organization has reason to believe the employee is storing business data on that device outside of what is permitted by policy.
- Prohibited technologies: Instruct employees regarding the forms of communication, applications and websites that may not be used for business purposes.
- Enforce policies: Inform employees of the consequences of failing to abide by company policy and enforce those consequences for policy violations. Consider periodic attestations from employees that they understand and are abiding by these policies.
Know your organization and its data
As a result of changes in technology, communication channels, and the legal and regulatory environment, the landscape of data risk management is in a tremendous state of flux. It is incumbent upon legal to lead the development of data management practices, ensuring that it properly analyzes and weighs the legal and regulatory risks and that its policies are consistent with the corporate culture and business needs.