Beware: Employee Monitoring Is On The Rise
Employee privacy gives way to business needs for electronic surveillance
Gary Mitchell didn't believe in electronic monitoring of employees. He thoroughly resisted it. "I thought that if your employees were doing wrong things, then you weren't doing your job as a manager," says Mitchell, manager of technical services for Marley Cooling Technologies, a cooling-tower manufacturer in Overland Park, Kan.
But that was last year, before the printer incident. An employee printed out several pages from a porn site--and forgot to retrieve them. That encouraged the company to take its corporate Internet policies to another level. While Marley already had a written policy in place indicating it could monitor Internet use by its 500 online employees, it hadn't actually done so.
- Aligning IT with strategic business goals: A proactive approach to managing IT risk to your business
- Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment
- Strategy: Building and Maintaining Database Access Control Permissions
- Strategy: How to Conduct an Effective IT Security Risk Assessment
Marley joined a growing group of businesses that electronically monitor employee work habits. Nearly half of companies monitor E-mail, up from 38% last year, according to a recent American Management Association survey, while Internet monitoring increased to 62.8%, up from 54.1%. Ninety percent of the more than 1,600 managers queried are at companies with revenue of $10 million or more. Another study by the nonprofit Privacy Foundation shows that Internet and E-mail use of one out of three employees is monitored daily. Big Brother is watching more employees, more closely, and more often than in the past.
Companies like Marley say they're motivated by legal liability: More than two-thirds of respondents in the American Management Association survey claim that concern over lawsuits is highly important in the decision to monitor. Recent U.S. Supreme Court decisions back up these fears. The court found that once a case of harassment comes to an employer's attention, the company must try to stop the abuse. Otherwise, the company would be held liable. Without monitoring, companies reason, how can they become aware of problems?
But other issues are spurring the trend, too. When monitoring started to catch on a few years ago, it was in response to several high-profile sexual harassment cases, says Susan Getgood, VP of marketing for SurfControl plc, a Web and E-mail filtering company. Now, employers are increasingly concerned about productivity and bandwidth.
That's certainly true at Marley. When the company first ran a report of Internet usage with SurfControl's product, Mitchell was surprised by the magnitude of nonwork activity online. "Companies are doing an awful lot of business through the Net, and when my bandwidth is tied up by casual use, that's a problem," he says.
Many businesses feel justified in finding out how spending time online affects productivity. But Mitchell also knows "there's no such thing as an eight-hour job anymore." As companies demand more of employees, they need to let them shop online or check on their retirement accounts.
Monitoring technology is getting more sophisticated, too. One product from filtering software company Elron Software Inc. includes a SurfTime Meter: Enter an employee's hourly wage, and it calculates a company's cost in lost productivity as a result of inappropriate Web surfing.
Despite what Mitchell sees as good reasons for the monitoring, Marley is aware of privacy concerns. The company notifies employees that they're being monitored, even though it's not required to by federal or state law. In fact, Connecticut is the only state that requires employers to tell employees if they're being monitored. The federal Notice of Electronic Monitoring Act was discussed in Congress last year, but never passed. It's expected to be reintroduced again this year.
Surveillance laws favor employers so heavily, they're even allowed to violate their own privacy policies. That's what happened in a 1996 case, Smyth vs. Pillsbury. The court determined that an employee did not have privacy in using the internal E-mail system to communicate with his supervisor, even though the company previously stated that E-mail communications would remain confidential. Accordingly, the court found that it was lawful for the company to intercept the employee's E-mail and terminate him for transmitting inappropriate communications over the company's system.
But are the scales tipping too far from employee privacy rights? Some backlash indicates that they are. In May, a group of San Francisco federal judges ordered their IT staff to disconnect an Internet monitoring program for one week. It has since been reconnected, but the debate isn't over--on Sept. 11, the Judicial Conference of the United States (the ultimate governing body of the courts) will meet to review this issue. Ninth Circuit Chief Judge Mary Schroeder said court employees were disciplined for unauthorized computer use, even though they weren't fully aware of the policy.
In fact, four out of every 10 employees don't know their companies' monitoring policies, according to a recent Harris poll of more than 500 employees. But many who are aware of such policies question whether workplace monitoring has become excessive. "The lines for justification of invading your privacy are becoming blurred by special interests and profit," says Gerald Lovell, senior electrical project engineer and IT manager at Advanced Handling Systems, a warehouse automation company in Lakeland, Fla. He believes that overzealous accounting departments and strong sales pitches from monitoring software salespeople are among the factors behind the current push for monitoring. He's concerned, too, about privacy breaches in everyday life as well as in the business world.
Some relief may be on the way: Sen. Charles Schumer, D-N.Y., and Rep. Bob Barr, R-Ga., will likely propose legislation this fall to limit employer surveillance. A similar bill was unsuccessful last year.
John Shaull, a senior technical analyst who serves as Lotus Notes administrator at Chicago Bridge & Iron, has oversight of 2,000 employees using the company's mail system. Thousands of messages travel through the company's gateway daily. Shaull's concern is inappropriate content and oversized attachments, so this year, the $630 million engineering and construction company implemented MailSweeper and PornSweeper from Baltimore Inc. With MailSweeper, the company can block large files from being sent. That's key, because the company wants to limit the cost of sending massive files to its offices around the world.
PornSweeper analyzes image attachments for nude or pornographic content and when an inappropriate message is caught, both the sender and recipient get E-mail letting them know that PornSweeper blocked the message. The E-mail is held until the sender contacts IT to explain why it needs to be sent. Shaull says about two or three E-mails are "quarantined" each week. Occasionally, PornSweeper will pick up false alarms, such as photos of newborn babies. That's not a problem, Shaull says. After the sender contacts IT, the photo is sent through immediately. "If the content is inappropriate, we don't hear from them," he says.
Some employees consider instant messaging the last bastion of workplace privacy. But not for long. Both Elron and SurfControl are examining the market potential for IM monitoring. Elron expects to have an IM-monitoring product within the next 18 months, but Larry Derany, the company's chief operating officer and VP of engineering, says there are myriad hurdles to overcome first. "It's a hard problem to solve--you've got a bunch of short messages with IM, so you need to aggregate the message flow." And IM users are more inclined to use shorthand than E-mail users, so the monitoring system would have to be familiar with scores of abbreviations and acronyms.
But as IM becomes an increasingly prominent collaboration tool, vendors are trying to keep pace. Raytheon Co. is already testing a new IM-monitoring feature for an existing product, Silent Runner. When such products hit the shelves, employers can expect even more dissent in the ranks. Still, it's something businesses say they have to do, considering the current economic and legal climate. Says Mitchell, "I don't know if we can ever get to zero liability, but we can at least make a fair stab."