Drawing the Line Between Company Security, Employee Privacy
What is the tipping point between ensuring your company’s digital security and invading employee privacy?
There are no easy answers, because, to a certain degree, it depends on your organization’s business.
- Does security involve personally identifiable information (PII)? There are laws governing the release of that data that make the level of security required more obvious.
- Is it a matter of safety? If security is inadequate, and a violation could cause people to die, it’s pretty clear that organizational security trumps employee privacy.
But other times, it’s less clear, and organizations are struggling with finding a balance between security and privacy.
A recent survey of support staff found that employees tend to be far too cavalier about securing sensitive information or discussing sensitive information where it could be overheard. For example, the CareerBuilder survey found that:
- 53 percent of support staff workers have overheard confidential conversations at work.
- 10 percent have found something in the trash or lying around the workplace that could get a worker or the company in trouble.
- 11 percent have found information that could cause someone to be fired.
It’s eye-opening to see the amount of sensitive information workers leave out in the open whether they’re conscious of it or not, Rosemary Haefner, chief human resources officer at CareerBuilder told USA Today.
Support staff encounter all sorts of interesting material. “Among the snippets of personal information and incriminating evidence found in the trash—or even in full view on a desk—were a list of employee salaries, a photo of a partially dressed co-worker, an old love letter from one co-worker to another, a predetermination request for a breast augmentation procedure, a pregnancy test, a letter from the boss’s mistress and a full set of keys for the entire facility,” describes NBC.
Employees also tend to find sensitive documents left in the printer or copier—just one more reason to move to electronic documents.
Listening to an employee’s phone calls or voicemail messages generally isn’t allowed, even if the calls are made using an employer-owned phone, writes FindLaw. “Under the Electronics Communications Privacy Act (ECPA), an employer may not monitor an employee’s personal phone calls, even those made from telephones on work premises. An employer may monitor a personal call only if an employee knows the particular call is being monitored and consents to it.”
The organization further explains, “The ECPA also provides protection for an employee’s voicemail messages at work. Employers face legal liability if they read, disclose, delete, or prevent access to an employee’s voicemail messages.”
What about the Internet? To what degree is it OK to monitor employees’ surfing habits? According to Business Law News, numerous courts have ruled that this monitoring is legal, particularly if the company has an Acceptable Use Policy for the Internet and ensures that employees are aware of it.
“At minimum, an Internet Usage Policy should make it clear that employees are expected to use the Internet exclusively for job-related activities and that personal use is not permitted,” writes attorney Ramon Rivera. “In addition, it is imperative to expressly state that the company reserves the right to monitor an employee’s Internet activity that takes place on employer-owned devices, including the data that is composed, sent or received through its online connections.”
Examples of monitoring employee Internet use include:
- Packet sniffers to oversee the network
- Desktop surveillance to watchdog the employee’s computer
- Remote access of employee computers
- Examination of employee log files
On the other hand, monitoring can introduce its own problems, warns writer Matthew Greiger. First, such monitoring can actually make things less secure if supervisors using it to get access to sensitive information they wouldn’t otherwise have.
Similarly, supervisors could find out employee information in areas where employer discrimination is prohibited, such as race or religion, writes the law firm of Modrail Sperling. Social media, in particular, “raises potential discrimination issues given that most individuals’ social media sites include personal information, such as a person’s gender, age, ethnicity, or religious beliefs, which could be used in violation of state and federal discrimination laws.”
Second, especially when monitoring is used to enforce behavior rather than watching for security issues, it can rebound by making employees feel resentful and untrusted. “The fallout from this type of treatment can be a workforce bent on finding ways around efforts to monitor their behavior or other means of exacting revenge,” Greiger writes.
In fact, some employees say they would actually leave a job, or not accept a job offer, if policies banning social media sites were implemented, writes Aaron Gouveia, citing a Salary.com survey. “Eight percent said they would consider leaving a job if such a policy was enacted, and 14 percent said it might cause them to reject a job offer.”
It’s important to make sure that information isn’t being left around, physically or virtually, for security reasons. However, it’s also important to remember that employees are adults, and don’t need to have their behavior monitored every second.
A particular distraction the Salary.com survey found? March Madness. Get ready.