Striking a Balance Between Cybersecurity and Employee Privacy
Most successful approaches for striking the proper balance involve having clear policies.
May 31, 2019 at 02:40 PM
8 minute read
Various regulatory regimes require companies to implement reasonable cybersecurity measures, which generally seek to protect company systems and confidential data. As a result, companies are increasingly expending resources to mitigate the risks to their sensitive information posed by external threats, including organized criminals, hacktivists and hostile nation states.
At the same time, insider cyber threats, such as deliberate theft or destruction of sensitive information, as well as innocent mistakes that result in lost control over confidential data, are primary risk factors for most businesses. To protect sensitive information and meet their regulatory obligations, many companies feel compelled to closely monitor the activities of their employees.
Determining how far a company should go in tracking its employees, however, requires a delicate balance between (1) reasonable efforts to detect and prevent wrongdoing or carelessness that could harm the company, and (2) respecting employees' reasonable expectation of privacy. Although the appropriate measures should be determined on a case-by-case basis, over time, a few principles have emerged that provide guidance on where to draw lines. As summarized below, most successful approaches for striking the proper balance involve having clear policies.
|Principles From Established Data Privacy Challenges
Work Emails and Internet Use. Generally, a company can monitor employees' work emails and other activity on work applications hosted on a company network. See, e.g., United States v. Finazzo, 682 F. App'x 6, 16 (2d Cir. 2017). For example, employers may implement software that looks for employees who may be (1) using their work email to send confidential company data to their personal email accounts, (2) downloading large amounts of sensitive company data to a portable device, or (3) using phrases in their work email that may be associated with fraud (such as “let's not discuss this by email, please give me a call, we don't want to get in trouble”). Similarly, monitoring and limiting employees' Internet use is usually an acceptable way for companies to reduce the risk of hacking and other data leaks.
Personal Emails. By contrast, absent a compelling reason or express policy, employers generally should not monitor the personal email accounts of employees, even if such emails are being accessed using company-owned devices, because employees have a reasonable expectation of privacy over their personal email accounts. See Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548, 559-60 (S.D.N.Y. 2008).
Phone calls. Employers can generally monitor an employee's phone calls, as long as the employee is aware of this. See United States v. Rittweger, 258 F. Supp. 2d 345, 354 (S.D.N.Y. 2003), although some states, like California, require consent of both parties on a call before the call can be recorded. Cal. Penal Code §632.
Video surveillance. An employer may generally film employees at their desks during working hours as part of an investigation. See Clark v. Elam Sand & Gravel, 4 Misc.3d 294, 295 (Sup. Ct. 2004). But, if the cameras are hidden, the employer needs to demonstrate a legitimate business reason for the surveillance and it should not place cameras in areas where the employees have a reasonable expectation of privacy, such as bathrooms. See Mendez v. Starwood Hotels & Resorts Worldwide, 746 F. Supp. 2d 575, 598 (S.D.N.Y. 2010); N.Y. Labor Law §203-c(1). In some states, such as New York, video recordings are subject to state wiretap laws, and the audio function on the video cannot be turned on unless an employer has the employees' consent. N.Y. Penal Law §250.00; see also DeVittorio v. Hall, 589 F. Supp. 2d 247, 258 (S.D.N.Y. 2008), aff'd, 347 F. App'x 650 (2d Cir. 2009).
|The Importance of Having Clear Policies
Applying these general principles to new technologies and current data threats can be tricky. Perhaps the most important step employers can take to reduce the risk of inadvertently infringing on employees' privacy rights is to have clear policies.
To see how this works in practice, consider the challenge that companies face in determining when they can demand access to employees' personal phones that are used for both work and personal communications. Some companies allow their employee to have confidential work emails on their personal smartphones. Those companies may want to have policies that allows them to monitor those devices to ensure that they are updated with the latest security patches and software updates, and that no malicious apps are downloaded that could access sensitive company data.
Many companies are also adopting policies on what kind of communications can and cannot take place on personal apps. So, if for example, an employee uses iMessage to communicate about a substantive work issue that becomes important for a regulatory investigation, the policy could make clear that failing to copy that message to the company's system within a reasonable time is a violation of policy, and the employer has a right to access those messages and to discipline employees who refuse such access.
Another example where having clear policies can avoid problems is social media. Companies may have a legitimate interest in monitoring their employees' use of social media to ensure that employees are not (1) saying things that are defamatory to the company, individual supervisors, or clients, (2) improperly disclosing confidential company or client information, or (3) making statements on behalf of the company without authorization. But such monitoring should not be done to investigate employees' political or social positions. Moreover, §7 of the National Labor Relations Act provides some protection for employees who are discussing the terms and conditions of their employment or their working conditions, so long as their statements are not false. Accordingly, employers would be well-served by having clear policies on the proper use of social media so that any monitoring can be clearly justified as an expected effort to ensure compliance.
|Departing Employees
Insider threat risks do not end when employees leave the company. Sensitive company data in the hands of a disgruntled former employee is a serious potential risk, as is unauthorized access to confidential company information by a former employee who may be acting in good faith.
Some companies require departing employees to identify all the locations where they may have confidential company data, including old company computers and phones, personal computers where company data has been saved, and personal email accounts or messaging applications. They also ask departing employees to identify all of their employment-related accounts, such as a sharepoint, FTP sites, and extranets, to make sure the accounts are properly closed. Other measures that reduce the risk of former employees leaking confidential company information include:
- Prohibiting and disabling the use of portable electronic data storage devices, such as thumb drives, on work-issued electronic devices.
- Employing software that can isolate and remotely wipe work-related apps and data from employees' personal devices.
- Monitoring the web, including sites like GitHub and LinkedIn, for sensitive company information.
The Coming Challenges
As more employees work from outside the office using their personal devices, finding the right balance between cybersecurity and employee privacy will be even harder to maintain, especially as the increasing number of high-profile data leaks make employees more concerned about their privacy, and companies more focused on protecting data from various threats, including insiders. In addition, new privacy laws are coming into effect (such as the California Consumer Privacy Act) that require companies to protect confidential data, but also place constraints on what data employers can collect about their employees, which may limit companies' ability to engage in certain kinds of monitoring.
To further complicate these issues, recent advances in technology allow employers to easily monitor every keystroke and every step that employees make. And the combination of location tracking of phones and widely available facial recognition technology will introduce a host of new privacy challenges. There is little doubt that companies gain substantial security benefits from knowing where all of their employees are located at any given moment. Such data can greatly reduce the risks of unauthorized physical access, and can be extremely valuable in determining whether a suspicious remote login, or phone call to the technology help desk, is legitimate or not. But location tracking can also be used to see who is meeting with whom outside of the office, who is coming to work late or leaving early, and what employees are doing on days they report in sick.
These are only a handful of the dozens of new monitoring options that will become available to employers for which the proper lines between protecting legitimate company interests and unreasonably infringing on employee privacy will not be easy to draw. Previous experience with technological developments shows that having clear policies and training for employees on the proper use of company information and devices, and what they should and should not expect to be private, can go a long way in gaining employee trust and avoiding legal and reputational problems.
Avi Gesser is a partner in the litigation department of Davis Polk & Wardwell, representing clients in a wide range of cybersecurity issues. Matthew Kelly, Will Schildknecht and Anna Marienko are associates in the firm's litigation department.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250