Content Cops

Many businesses expect IT to use the equivalent of a radar gun and monitor employees for infractions. But laying down the law can have serious repercussions, both for employees and the IT departments doing the watching.

When Mick Montgomery was hired as an Internet/intranet technologist by Ontario, Canada-based Wescast Industries five years ago, he knew that part of the job would be wearing the "Content Cop" badge, enforcing the company's Web and e-mail usage policies.

It quickly became the most despised part of his day.

"I'd literally have to go through logs … line by line and look for abuse," he recalls of the manual process then used to investigate complaints. "It was painful, extremely painful."

That pain is felt everywhere in organizations that conduct employee monitoring. Employees may feel like Big Brother is checking up on them, the IT department is usually tasked with slogging through logs and records and reporting findings, the human resources unit has to take action to discipline a wayward worker, and the legal department must decide what employee behavior crosses the line.

IT normally finds itself in the uncomfortable middle. Even with the policy and technology advances of the past few years, ever-present conflicts over the who, how and why of employee monitoring remain.

If you haven't yet found yourself caught up in this issue—poring over logs to determine if a .jpg was purposely downloaded, dealing with HR issues you'd rather not know about, struggling through the many ethical and legal quandaries that can arise—chances are you soon will.

Legal Liability
One of the main reasons companies implement employee monitoring and filtering tools is to protect themselves from legal liabilities like sexual harassment, discrimination and insider trading. Due to recent regulations like Sarbanes-Oxley and HIPAA (the Health Insurance Portability and Accountability Act) in the United States, these concerns are only growing.

Those laws are a big factor in the push for monitoring, according to Doug Towns, a labor and employment lawyer with Atlanta-based Jones, Day, Reavis & Pogue, who counsels corporations on employee monitoring and privacy. Employers that don't monitor could one day face a lawsuit for a possible (and arguable) "affirmative obligation" to do so. "We all know … the employer has to keep the workplace free of sexual harassment, which includes making sure that inappropriate comments or conduct are not occurring in the workplace," Towns explains. "Well, does that extend so far to say that the company does not just have the right to—but has the duty to—go out there and filter something?"

While all company departments—IT, HR, legal and corporate—can usually agree on at least the legal benefit of such monitoring, it's the other uses, as well as IT's role and responsibility in maintaining and enforcing such policies, that have turned this chore into one of the most dreaded in all of IT.

Crimes and Misdemeanors

Before you pin on that content cop badge, make sure you're aware of the many legal issues surrounding the responsibilities you're about to take on; if not to better protect your company, at least to protect yourself.

The most common legal issue surrounding employee monitoring is privacy. According to labor and employment lawyer Doug Towns, however, this issue has pretty much been decided in favor of employers by U.S. courts, including a case where it was determined an employer had the right to monitor, even though the company in question told its employees it wasn't monitoring (Smyth v. Pillsbury Co.).

In fact, U.S. case law is so favorable to employers that only one state—Connecticut—requires employees to sign a policy acknowledging that they're being monitored. Still, it's a good idea to do so, no matter where your company is located, Towns says.

Because privacy is an “all-or-nothing” right, he explains, issues of how companies implement monitoring—the extent of monitoring and whether it's applied unevenly—are usually not grounds for bringing lawsuits against a company under privacy statues. However, other liabilities could be applied; for example, there could be a discrimination suit if repercussions for violating usage policies were stronger against women or minorities.

"If you ever see [child pornography], push away from the computer and do not touch anything again, until [police] are on the scene."

Stephen Northcutt, Director, SANS Institute

Misusing information gleaned from monitoring can also get an IT employee in hot water. For example, if an IT staffer shares information learned via monitoring with someone who doesn't “need to know,” he can be sued under defamation statutes, if the information is untrue, or “public disclosure of private facts,” as it's called in many states, if the information is true. According to Towns, IT employees have been sued under such “gossiper” statutes, making it imperative that IT managers ensure that those handling employee monitoring duties are experienced enough to do so.

Another issue is employee misuse of such systems. An IT employee who reads every e-mail of an employee they're not supposed to be monitoring is probably not opening up the company to a privacy lawsuit because of the aforementioned “all-or-nothing” nature of privacy laws. However, he can be individually sued for harassment, stalking and/or other liabilities if he acts on the information gleaned.

The biggest issue—and one that the experts we talked with say can arise more often than you might think—is child pornography. Because possessing child pornography is a crime, IT employees must be extremely careful when they run across suspicious images. “If you ever see [child pornography], push away from the computer and do not touch anything again, until [police] are on the scene,” says SANS Institute Director Stephen Northcutt. “That [rule] must not ever be violated.”

A similar inviolable rule is reporting any evidence of child pornography you find—even if your employer discourages or forbids it. Not reporting it will leave you personally liable. Michael Haisley, an incident handler for the SANS Internet Storm Center, found himself in such a situation when setting up a system for a district attorney's office a few years back.

For one job, his team found that an assistant district attorney was viewing child pornography. The attorney was fired, but the office told his team not to report it. “This was an election year—the prosecutor didn't want it to be pursued as far as law enforcement goes, because you don't want that type of scandal when you're facing an election,” Haisley recalls.

While his team didn't report it to local law enforcement, they did report it to U.S. Customs, the federal agency in charge of investigating child pornography. Customs “handled it directly with virtually no assistance from the local district attorney's office,” he says.

According to Haisley, the pressure to hide child pornography or other violations, such as fraud, isn't uncommon, and it's one reason he likes to design employee monitoring systems to instantly report violations to multiple people in various departments across the company. “If the information is disseminated quickly to several sources,” he says, “it gets a lot harder to silence that information, whether it be for a political motive or for a profit motive.”

— B.N.

Not in Your Job Description
Projects that start for legal liability reasons often expand to include monitoring employee productivity, which is when conflicts arise in the role IT should play.

While some don't have a problem monitoring employee usage—as one reader puts it, "The network belongs to the company, and they set the rules. What's the problem?"—others say they resent the chore because it places an undue burden on their shoulders.

Laans Hokanson, a network administrator in Petersburg, Va., says for years he's fought "tooth and nail" against implementing employee monitoring at his government agency, in part because he doesn't feel it's his job as a network administrator. "It's not that I have a moral problem with it, just that I don't want it to be part of my job description—it's not what I signed up to do," he says. "I like problem solving, I don't like running around and busting people. If I wanted to do that I'd have become a cop.

"I don't go to people's cubicles and see what magazines they read; why should the content of their Internet access be my responsibility?"

Dave Pratt, a network administrator in Diamond Springs, Calif., also believes that monitoring for productivity isn't his responsibility: "Would the facilities department be responsible for supervising an employee whose job included the use of a hammer or screwdriver on the production line?" he asks. "Are computers any different?"

Protector or Spy?
One way to minimize the conflict and gain IT buy-in is by changing the monitoring parameters. For example, Pratt says that although "it's outside the scope of IT's day-to-day job to provide carte blanche monitoring," he has no problem monitoring for evidence collection after a problem is identified.

Michael Haisley, Incident Handler, SANS Internet Storm Center

"The way a lot of [monitoring] systems have been developed in the past, we've had IT making policy decisions, and that's something IT's not really trained to do—they're just being stuck into that position."

Michael Haisley, Incident Handler,
SANS Internet Storm Center

Craig Reeds, manager of technology development for Western Construction Group, says he's much more comfortable conducting employee monitoring at his current job, where it's only performed on request, compared to the constant monitoring expected by his former employer. "You monitor people if you have a problem; you don't monitor people just to find a problem," he says.

Eric, a systems administrator from Maine who asked that his last name not be used, never quite felt comfortable with the chore, especially when he felt the monitoring was being used unfairly. Once he became suspicious that a manager was looking for any reason to fire an employee, so instead of sending his standard report (that would have detailed this particular employee's searching of job sites during his lunch hour), he sent over the raw, unedited logs, which were virtually indecipherable.

"I gave them exactly what they asked for," he says. "I was trying not to get too personally involved … but trying to make sure everyone had a fair chance."

Reducing the chance of unfair requests is one reason Reeds likes the way the system works at his 40-person headquarters, where all monitoring requests must be approved by the CEO, instead of being submitted to Reeds directly. "The dangers of having one person being able to request monitoring is that they may not have all the information or they may not have the [monitored subject's] best interests at heart," he explains.

Michael Haisley, an incident handler for the SANS Internet Storm Center, says he often designs his monitoring systems to alert more than one person to policy violations—preferably one in HR and one in IT. "It gives the information a balance," he says. "The way a lot of these systems have been developed in the past, we've had IT making policy decisions, and that's something IT's not really trained to do—they're just being stuck into that position."

Dealing with the Fallout
It's an uncomfortable position to be in, especially when the results of that monitoring start to bear bitter fruit. Many sources express dismay that their findings may be used to fire someone, especially when the system is being used unfairly.

For example, some employees are treated differently from others for the same infractions, usually based on rank. One reader who asked to remain anonymous says that when his company implemented Web filtering, "lower-level employees had the book thrown at them, while higher-level employees whose habits sometimes bordered on the illegal, got away scot-free. It was a terrible thing to be involved in."

The inequality in reprimands is so widespread that Stephen Northcutt, director of the SANS Institute, a security training company, says most IT pros in his classes simply don't bother to monitor vice presidents and above.

While he understands the reasons behind such a policy, Towns says most of his law firm's clients instead appoint more senior IT people to monitor the highest-level executives. "Most companies would be reluctant to say there are certain individuals who do have privacy and who we would never review," he explains. "That's clearly not what most companies would want to argue if there was ever an allegation either of harassment, discrimination or some type of fraudulent misconduct by individuals at a certain level."

Reeds says what he dislikes most about being his company's content cop is "the knowledge that I'm stuck with afterward. Sometimes, it totally changes your perception of a person, and it's difficult to deal with them knowing what you know."

Given those concerns, it's important to choose your employee monitoring staff carefully. "There's a lot of research that shows certain personality types end up doing better in certain types of jobs," says Dr. Theresa Wellbourne, founder and CEO of the employee relationship consulting firm eePulse Inc. and a former human resources professor. Look for someone "who doesn't identify on an emotional level with people's problems, so they can just be very fact driven. They're probably going to be better at doing it."

Getting Help
While the human issues side can be significant, so can the monitoring burden, especially if you're still manually combing through e-mails and Internet logs, as Montgomery once did. "I'd get one or two [monitoring requests] a week, and as soon as I'd get them it didn't matter what I was doing—it was top priority," he comments. "I knew immediately that two to three hours of my day were going to be spent extracting this data."

Then, a few years ago, an HR representative asked whether Montgomery could automate the process such that HR could have direct control, running and analyzing the reports. "I had a small party in my office," he laughed. "I was right on board with it."

If your company makes the same choice, one possible starting point is reducing access to inappropriate material. "Rather than busting somebody for having 20 gigs of porn, just don't let them get there," Northcutt says.

Mick Montgomery
Mick Montgomery worked with his company's HR department to craft a monitoring policy that makes him more commissioner than beat cop.

But filtering alone won't work for many corporations. To further reduce the burden, Haisley recommends designing your system to limit what it tells you: "Configure the alerts and rules so that you [only] get a notification on something that obviously violates your policy, so you're not wading through literally everything everyone does."

Haisley is particularly fond of new reporting tools that allow an HR department direct access to reports and alerts, thus reducing both the time IT spends on this chore as well as its exposure to the information. He's found features in Microsoft's ISA Server 2004 particularly useful, citing its ability to filter based on user groups and its customized rule sets for e-mail alerts.

He also likes Snort, saying the open source tool is an excellent option for cash-strapped IT departments. Snort allows you to create the same kinds of reporting rules as ISA Server, he says, albeit with more work.

When developing custom reporting, Haisley strongly recommends building in context on either side of any alert—for example, all Web pages visited before and after a suspicious download—to make it easy to track back the history of reported violation.

But you don't have to rely on custom solutions. Some companies choose to outsource the chore, while others turn to off-the-shelf monitoring packages. These include PixAlert Suite, which scans employee desktops for pornographic images, and Wavecrest's Cyfin Reporter, a Web monitoring product that runs a number of custom reports.

Cyfin Reporter has allowed Wescast's Montgomery to step away from the day-to-day beat. Now, his main employee monitoring responsibility is watching the back end of the system—making sure the software and the reports are running correctly—while only occasionally delving deeper into reports.

And that's exactly the way it should be, according to Haisley. "By staying a little bit involved, [IT makes] sure the system is working, and they also make sure if there's a false positive or a problem with the system, they're dealing with it," he says. "They're going to have the technical knowledge to recognize things that HR will not be able to recognize."

Make Policy a Priority
Before you decide on a monitoring solution, though, you need to establish a policy. It's essential that the policy cover all aspects of not only why the company is monitoring, but what exactly it will monitor, how it will monitor and the steps for both reporting and dealing with violations (see "11 Questions to Drive Your Employee Monitoring Policy").

It's so important that employee-monitoring software vendors often consult for free with customers. "It is a way for IT and the business sponsors, whether it's HR, internal monitoring, compliance or even CEOs, to really work together to make sure they've looked at the issue from all angles," says Jack Managan, director of marketing for PixAlert. "You have to have a policy that's signed off on," says Montgomery. "Without a policy, you don't have anything to stand on, nothing behind you to say ‘This is why we're doing this, this is corporate policy, the executives have signed off, the board has signed off, you have signed a document saying you agree to this.' If you don't have that, you can't do anything."

11 Questions to Drive Your Employee Monitoring Policy

1. Why Are You Implementing Monitoring? Are you implementing it solely to protect the company from various liabilities, or will the company also monitor employee productivity? If liability only, how will you ensure that the system is used only for that goal?

2. What Violates Policy? What liability does the company want to protect itself from, and therefore what behavior is unacceptable? If you're also monitoring for productivity, you need benchmarks to determine what is considered acceptable personal usage, in terms of both time and actions (unacceptable sites, inappropriate language or jokes in e-mail and so on).

3. What Will You Be Monitoring? Question No. 2 will determine whether monitoring Internet usage will be enough, or if you'll also need to implement e-mail and desktop monitoring.

4. Will You Be Monitoring, Filtering or Both? Does the company have a “trust the employees” philosophy, or is it important to implement filtering to stop violations before they happen? What combination of technologies best fits the project's goals (as well as network security), yet preserves company culture?

5. How Will You Monitor? Will monitoring be constant, random, upon request or some combination? If constant, does human resources/IT have the manpower to take on the challenge? If random, what system will you have in place to ensure that it's truly random? If upon request, what checks and balances will be in place to ensure that the system isn't abused? If it's a combination, what will be used when?

6. Are Different Levels of Monitoring Needed? Some companies will have separate levels of monitoring depending on the employee group: Heavier monitoring for lower-level employees, less for higher-level and/or “creative” employees, to virtually non-existent monitoring for the highest levels. Does your company need such levels, and if so, what's appropriate for each?

7. Who Will Be Notified of Violations? Who should receive notifications of violations? Will they be kept within HR, or will IT be notified as well? Will several people be notified in order to ensure the information is fair and acted upon, without expanding beyond the “need to know” boundary?

8. How Quickly Should Violations Be Reported? Some companies need to know about possible violations immediately due to union contracts. Does your company have any such restrictions? What type of report schedule (daily, weekly, monthly) makes the most sense for all involved in the project (e.g., daily for HR to act upon, weekly or monthly for IT to check against false positives and fine-tune the system)?

9. What Software or Other Solutions Can Make the Chore Easier? What software options are available that can meet the exact monitoring and reporting needs of your project? Will these software solutions allow (or can they be customized to allow) the IT department minimum involvement in the process? If not, who will be responsible for the analysis of any reports: IT, or a properly trained HR resources employee, for example? Is outsourcing an option?

10. How Will You Handle Violations? What will the repercussions of any violations be? How do those repercussions grow as the number of violations grows? In what situations is a simple warning appropriate? Will the type of discipline vary depending on the level of the employee who violated the policy?

11. How Can the System's Fairness Be Communicated? According to Dr. Theresa Wellbourne, whose company monitors employee satisfaction and productivity, morale from a firing that employees don't see as fair—even if it's justified—can kill productivity for three to five weeks. “It ends up being a justice issue,” she explains. “When you take action, people need to understand why.”

— B.N.

Montgomery worked with his company's HR department to develop a policy and implement a technical solution that has all but eliminated his role in the process, making him more commissioner than beat cop. "The only time I get involved now is if HR gets into a situation where there's going to be a serious reprimand, up to and including termination of an employee," he says. "They'll ask me to go through the report and validate that what they see is correct."

A fair, detailed policy can also make all the difference for the individual IT employees charged with monitoring. Hokanson, who's fought against IT monitoring for years in his workplace, says he might be more open to the idea if a solid policy were in place. Until then, he says, "I don't want to get into the situation where IT is enforcing HR policies that are ambiguous."

While many argue that enforcing this policy shouldn't fall on the IT department's shoulders, Montgomery counters that it's the only way to create a livable employee-monitoring solution. "You're going to start dealing with Internet issues because [IT is the one] giving employees Internet access. That's the reality."

But monitoring doesn't have to be overly burdensome. As Montgomery points out, he and his crew have found a happy medium, a solution every IT department should explore. "If IT doesn't have a dialog with HR, then IT ends up bearing the entire brunt of it."

More Information

Products Mentioned in This Article:

More Resources on this Topic:


comments powered by Disqus

Subscribe on YouTube