Insider data threats – which include the deliberate theft or destruction of sensitive information, as well as innocent mistakes that result in a loss of control of confidential data – have become a primary risk factor to most businesses. To properly maintain cybersecurity and protect confidential information, companies need to monitor the activities of their employees more than ever. How far employers can go in tracking the activity of employees requires a delicate balance between (A) reasonable efforts to find wrongdoing or carelessness that could harm the company, and (B) respecting employees’ reasonable expectation of privacy. Over time, some principles have emerged to help achieve this balance.
Generally, a company can monitor employees’ communications and activity taking place on a company network. For example, employers may use software that looks for employees who may be (1) using their work email to send confidential company data to their personal email accounts, (2) downloading large amounts of sensitive company data to a portable device, or (3) using phrases associated with fraud (such as “let’s not discuss this by email, please give me a call”) in their work email or texts. By contrast, absent a compelling reason or express policy, employers generally cannot monitor the personal email accounts of employees, even if that email is being accessed using company-owned devices. See Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548, 559–60 (S.D.N.Y. 2008).
In terms of phone calls, employers can generally monitor employees’ phone calls, as long as employees are aware of this (see Griffin v. City of Milwaukee, 74 F.3d 824, 827 (7th Cir. 1996)), although some states, like California, require notice to both parties on a call before they can be recorded. For video surveillance, an employer may generally film employees in plain view at their workstations during working hours as part of an investigative process. If the cameras are hidden, however, the employer generally needs to demonstrate a legitimate business reason for the surveillance and should not place cameras in areas where the employees have a reasonable expectation of privacy, such as bathrooms. In some states, such as New York, video recordings are subject to state wiretap laws, and the audio function on the video cannot be turned on unless an employer has the employee’s consent.
But applying these general principles to current data threats is tricky. One important step employers can take to reduce the risk of inadvertently infringing on employees’ privacy rights is to have clear policies. For example, we have previously written on challenges that companies face when employees use personal applications on their personal phones to engage in work-related communications. To meet those challenges, we noted that many companies have adopted clear policies on what kind of communications can and cannot take place on personal apps, and what employees should expect in terms of privacy when they use personal apps for company-related communications in violation of company policy.
Similarly, as a condition for making work-related email available to employees on their personal devices, some companies have required employees to consent to the monitoring of those devices to ensure that they are updated with the latest security patches and software updates and that no malicious apps are downloaded. Companies may also have an interest in their employees’ use of social media, to ensure that employees are not (1) saying things that are defamatory to the company or its clients, (2) improperly disclosing confidential company or client information, or (3) responding to press inquiries on behalf of the company without authorization. But such monitoring should not be done to determine their political or social positions. Again, the ability of employers to monitor the social media of employees depends on the purpose of the monitoring, and employers would be well served by having clear policies on the use of social media so that any monitoring can be clearly justified as an expected effort to ensure compliance.
Several factors will make the balance between cybersecurity and employee privacy even harder to maintain in the coming years. First, employees are increasingly working from outside the office and using personal devices for their work. Second, technology is making it quite easy for employers to monitor every movement and keystroke that employees make. Third, large hacks will continue to make sensitive employee data public, and employees’ personal and professional lives are increasingly intertwined, which is making employees much more interested in protecting their privacy. Fourth, employers will come under more regulatory pressure to protect their companies from hacking, phishing, and spoofing, which will increasingly involve protecting employees’ personal phones and email accounts from compromise.
There are no easy solutions for finding the right balance between company cybersecurity and employee privacy. But, having clear policies and training for employees on the use of company information and devices, and what they should and should not expect to be private, can go a long way to avoiding a messy showdown the next time a company wants to get access to the contents of an employee’s personal phone and the employee refuses.