Many companies have sophisticated network tools that can monitor user activity, including e-mails and Web surfing.
In the United States, the courts have ruled generally that employee monitoring is legal as long as employees are given notice. But in the European Union (EU), the laws are starkly different, which is important for any multinational firm doing business within Europe.
Many EU member countries require written, individual consent for any form of monitoring whatsoever, says Lothar Determann, a partner in the Palo Alto, California, office of the law firm Baker & McKenzie. Even then, such permission can be (and has successfully been) challenged; in one case, the permission was dismissed based on the nature of the employee-employer relationship.
Employee monitoring in the EU should be avoided “to the greatest extent possible,” said Arabella Hallawell, a vice president at Gartner Research, speaking at the recent Gartner Information Security Summit. Companies should refrain from generating any report that identifies individual employees, she said. Any kind of “fishing trip” should be strictly avoided.
One way to avoid potential employee lawsuits is to use anonymization, or masking, software, she said, which vendors and third parties are increasingly offering for use with network security tools. Organizations must decide what kinds of information should be masked. Once the system is deployed, she added, only a limited number of managers should be able to change the controls.
Many organizations in Europe use masking software with data loss prevention (DLP) tools, she said. If, for example, an employee wanted to generate a report on DLP-related activity, such as e-mails containing sensitive data that might have been blocked, the report would exclude information such as specific employee e-mail addresses. Another increasingly popular tool, called a security information management (SIM) solution, can analyze and cross-reference myriad data logs from throughout the network, but such tools are slightly more problematic to use within the EU legal framework, Hallawell said.
If suspicious activity is detected, the company should have procedures in place for investigating it. One example of such a situation is a large number of e-mails sent around the time of a sensitive business deal. In such a situation, IT staff could discuss the suspicious activity with the legal and human resources departments to help assess whether further investigation is warranted and to ensure that any inquiry (which could include reviewing unmasked data) would be conducted legally.
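The masking approach described above, together with the controlled unmasking step that an investigation may require, sketched as an added example (not code from any vendor's product or from the people quoted): DLP events are reported only under keyed pseudonyms, aggregate reports name no individual, and a pseudonym can be resolved to a person only when both a legal and an HR approver have signed off, with every attempt written to an audit log. The key, roles and sample events are placeholders constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Placeholder secret; in production it lives in a secrets manager or HSM.
# Rotating it changes every pseudonym, so reports cannot be linked across key periods.
PSEUDONYM_KEY = b"placeholder-key-rotate-me"

# Roles that must both sign off before a pseudonym is resolved to a person (assumed policy).
UNMASK_APPROVERS = frozenset({"legal", "hr"})

# Constructed sample DLP events, not real data.
DLP_EVENTS = [
    {"ts": "2024-03-04T09:12Z", "sender": "a.schmidt@example.eu", "action": "blocked", "rule": "customer-PII"},
    {"ts": "2024-03-04T09:40Z", "sender": "b.rossi@example.eu", "action": "blocked", "rule": "customer-PII"},
    {"ts": "2024-03-04T10:05Z", "sender": "A.Schmidt@example.eu", "action": "quarantined", "rule": "source-code"},
]

# Pseudonym -> identity table. Only unmask() reads it; the reporting path never does.
_VAULT = {}

def pseudonymize(identifier, key=PSEUDONYM_KEY):
    """Keyed HMAC: one mailbox maps to one stable token, but a staff list cannot be
    hashed and matched against report tokens without the key (unlike a plain hash)."""
    normalized = identifier.strip().lower()
    token = "emp-" + hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()[:12]
    _VAULT.setdefault(token, normalized)
    return token

def masked_events(events):
    """Copy of the event stream with each sender replaced by a pseudonym."""
    return [{**e, "sender": pseudonymize(e["sender"])} for e in events]

def dlp_summary(events):
    """Aggregate report: counts per (rule, action), with no per-person rows at all."""
    return Counter((e["rule"], e["action"]) for e in events)

def unmask(token, approvals, audit_log):
    """Resolve a pseudonym only when every required role has approved; log every attempt."""
    missing = UNMASK_APPROVERS - set(approvals)
    audit_log.append({"token": token, "approvals": sorted(approvals), "granted": not missing})
    if missing:
        raise PermissionError(f"unmask of {token} refused, missing approval from {sorted(missing)}")
    return _VAULT[token]
```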
Companies should approach employee monitoring on a country-by-country basis in the EU, says Determann. Several countries, including France and the Netherlands, require filings with labor authorities; France, Germany, Italy, and the Netherlands also require employers to consult or at least notify trade unions or similar representative bodies before using any form of surveillance.
As a rule, it’s better to err on the side of too much disclosure when informing employees about monitoring, Determann says. Aside from protecting companies from privacy lawsuits, such a strategy could have other benefits, he says, such as preventing an employee from committing certain crimes.