Time to Update Your Employee Monitoring Policy?

Computerworld - "You have no expectation of privacy!" So say most corporate privacy policies for employees, like a bullying reminder of the obvious. But the recent boardroom scandal at Hewlett-Packard Co. involving Web bugs and "pretexting" has employees asking if they should be afforded some basic privacy protections in the workplace. Companies that want a dedicated and productive workforce shouldn't hesitate to extend to their employees their often-stronger customer privacy policies, disclosing in that policy all the monitoring they will -- and won't -- do to detect insider wrongdoing.

The mantra of "You have no expectation of privacy" while you're in company facilities or using company computing systems has become a unanimous chorus across corporate America, a legacy of several court decisions in the 1990s. U.S. companies have welcomed these decisions, which effectively give corporations carte blanche to record their employees and monitor their Web and e-mail usage, so long as they inform employees ahead of time.

And many companies are doing just that. The American Management Association, which conducts the best ongoing survey on this topic, last reported in 2005 that three-fourths of U.S. employers conducted some form of electronic employee monitoring (download PDF). This is up from one-half of employers in 2003, and, as reported in Computerworld, just one-third in 2001 (see "Study: Monitoring of employee e-mail, Web use escalates").

Why are so many companies investing their limited IT resources in employee monitoring? Let me count the reasons:

1. The annual FBI/CSI report on corporate computer crime routinely proposes that insiders are the No. 1 threat to company information, often the most valuable corporate asset.
2. The list of over 300 security breaches posted on Privacyrights.org includes numerous incidents resulting from employee negligence. These publicized incidents cost companies $13 million on average, according to the Ponemon Institute.
3. Any company taking advantage of the free trials offered by Vontu and Vericept Corp. to scan its outbound electronic traffic has experienced a sinking feeling as it finally sees just how many sensitive e-mail attachments are leaving the company network.

Besides, corporate executives say, the network is our property, and it's our right to know how it's being used. These are all legitimate reasons for companies to continue some level of employee monitoring.

But isn't it obnoxiously overstating it to say to your valued employees that they have no privacy inside these walls? Don't we actually mean to say that we may monitor them but not without cause? Privacy, after all, is a much bigger concept than not being monitored. And monitoring, if done within the right parameters and restrictions, can stop short of what most people would consider to be a violation of their privacy.