Various regulatory regimes require companies to implement reasonable cybersecurity measures, which generally seek to protect company systems and confidential data. As a result, companies are increasingly expending resources to mitigate the risks to their sensitive information posed by external threats, including organized criminals, hacktivists and hostile nation states.

At the same time, insider cyber threats, such as deliberate theft or destruction of sensitive information, as well as innocent mistakes that result in lost control over confidential data, are primary risk factors for most businesses. To protect sensitive information and meet their regulatory obligations, many companies feel compelled to closely monitor the activities of their employees.

Determining how far a company should go in tracking its employees, however, requires a delicate balance between (1) reasonable efforts to detect and prevent wrongdoing or carelessness that could harm the company, and (2) respecting employees' reasonable expectation of privacy. Although the appropriate measures should be determined on a case-by-case basis, over time, a few principles have emerged that provide guidance on where to draw lines. As summarized below, most successful approaches for striking the proper balance involve having clear policies.

Principles From Established Data Privacy Challenges

Work Emails and Internet Use. Generally, a company can monitor employees' work emails and other activity on work applications hosted on a company network. See, e.g., United States v. Finazzo, 682 F. App'x 6, 16 (2d Cir. 2017). For example, employers may implement software that looks for employees who may be (1) using their work email to send confidential company data to their personal email accounts, (2) downloading large amounts of sensitive company data to a portable device, or (3) using phrases in their work email that may be associated with fraud (such as “let's not discuss this by email, please give me a call, we don't want to get in trouble”). Similarly, monitoring and limiting employees' Internet use is usually an acceptable way for companies to reduce the risk of hacking and other data leaks.