Watching Out For Big Brother

These days, employee surveillance is omnipresent -- and potentially abusive. HR has an important role to play in deciding where to draw the line.

Tuesday, October 16, 2007

Back in the pre-Internet dark ages, policing the workplace meant, for the most part, reminding employees to keep their personal phone calls to a minimum and making sure paper clips, staples and pens didn't slowly disappear from the office.

But when the Internet debuted in the mid 1990s, the business of tracking employee behavior on the job suddenly got very technical. Apart from keeping the productivity tap flowing, human resources -- faced with threats from an entirely new multi-headed monster -- needed to help create guidelines and policies for the ways employees could use this new, ubiquitous technology.

From e-mails to Web surfing, the early days of the Internet brought new perils for HR in trying to maintain a good balance between policing workers and giving them the leeway they need to be productive, yet still feel trusted and comfortable on the job.

And while keeping tabs on employee behavior is neither new nor novel, today's very real threats to data security and the potential litigation (sexual harassment, etc.) arising from electronic communications mean the practice of "spying" on employees is more prevalent in our growing surveillance society.

Critical questions include: Does employee monitoring help improve productivity and increase efficiency? Or does it only help to diminish the delicate trust between employee and employer?

There are no pat answers, according to John Heins, senior vice president of human resources at Spherion Corp., the Fort Lauderdale recruiting and staffing company. "The decision of what is appropriate when it comes to employee monitoring is left to the company and its employees," he says. "But it's certainly very possible to strike a good balance."

Threat from Within?

New federal laws such as Gramm-Leach-Bliley (pertaining to financial services) and the Health Insurance Portability and Accountability Act (which assigns strict limits on the dissemination of employees' medical information) are putting serious pressure on companies to protect their data.

"There is a lot more regulation and compliance around auditing of user privacy, and it can't be done without having input and buy-in from HR," says Evan Wheeler, senior consultant for forensic investigations at Akibia, an IT security consulting firm in Westborough, Mass.

Wheeler adds that there often will be instances when HR is the first to learn of an employee's misuse of corporate systems, whether it's using the Internet to view or transmit pornography, accidentally transferring files outside the company (or doing so with malicious intent), or taking part in any other breach of company policy.

And, while organizations do need to worry about outside attacks on their computer networks from hackers and other high-tech criminals, a recent survey from the San Francisco-based Computer Security Institute suggests that employers need to focus a bit more on internal threats.

According to the 2006 CSI/FBI Computer Crime and Security Survey, 39 percent of companies responding said at least 20 percent of their organizations' financial losses came from the "inside." And 7 percent of respondents reported that insiders accounted for more than 80 percent of their organizations' losses.

"Even though most respondents do not see insiders as accounting for most of their organizations' cyber losses, a significant number of respondents believe that insiders still account for a substantial portion of losses," according to the survey.

Compound that growing insider threat with the sheer volume of electronic messages flying in and out of organizations today, and the stakes can go even higher.

A recent survey conducted by the Enterprise Strategy Group and Orchestria, a data security firm based in New York, found that companies surveyed (average size was 5,000 employees) reported that their daily network traffic included 95,559 e-mail messages sent and received internally, 173,971 corporate e-mail messages received from the outside, and 150,944 instant messages sent and received.

Based on the stats from the ESG/Orchestria study, a large company can easily process 1 million e-mails daily. Orchestria estimates that one-tenth of 1 percent of that million represents some type of violation, which equates to 5,000 potentially problematic e-mails every single day.

"That's a lot of smoking guns for HR," says Michael Rothschild, Orchestria's vice president for products.

Given this internal threat and the increasing volume of electronic communications, HR is being asked to help out more on security policy development, implementation and enforcement. For example, Rothschild says his company sees HR represented more often at security meetings, providing specific input.

On the security side, he says, HR is being asked to identify "personnel at risk," which can be as simple as identifying employees who are sending out resumes.

"By identifying these people, more stringent security rules can be placed on them," Rothschild says. "In many cases, we have seen employees who leave organizations bring with them all kinds of IP [intellectual property]. By identifying these people early on, we can pre-empt the leakage of IP later."

Jim Hereford, the CEO of NextSentry, a Spokane, Wash.-based provider of security/monitoring applications, says he also sees more HR executives being included in security policy discussions. "Security software that alerts on end-user behavior will always involve HR," he says. "HR must respond to certain issues that are brought back to the IT department, including things like policy violations, surfing banned sites, stealing identity data and so on.

"Two years ago, most companies told us, 'Our employees are great, we don't have any issues,' " Hereford says. "Today, the tech staff is telling us internal threats are the biggest risk."

Why such a sharp turnaround? Hereford says there are two prime reasons: New laws now force corporations to make security breaches public, combined with an increased awareness on the part of companies about ways their reputations can be affected when sensitive customer and employee data is stolen or leaked to the public.

Hereford says that when NextSentry initially discussed its desktop monitoring software, called ActiveSentry, with potential customers, HR pushed back hard. "They saw it as 'Big Brother' watching," he says. "Now, we no longer see that pushback. It's seen as a powerful tool."

Employee Expectations

"Years ago, the big area of employee privacy was the telephone and the Wiretap Act," says Spherion's Heins. "Now, with today's electronic communications, it's more important than ever that HR be involved in setting policy and working with IT and risk management to ensure that employees receive open, honest information.

The critical part is that employees must understand what is expected of them when it comes to using company assets in the age of the Internet."

Heins says HR's primary role in maintaining the balance -- keeping the so-called "Big Brother" aspects to a minimum -- centers on delivering the communication piece.

"Employees need to know what is expected without any confusion," he says. "[Internet usage] policies have to be consistent in words and action.

HR needs to play a key role in helping to build the policy, and then deliver the communications around it."

Mainly, consistency means HR should play a role in building policy by focusing on fairness and accessibility among the employee population.

An example of inconsistency might be a situation in which a company has a policy regulating the handling and distribution of confidential information, but the constant use of e-mail could "informalize" communications and lead to the inappropriate distribution or accidental leakage of confidential documents or information, says Heins.

HR can prevent this from happening by conducting training to ensure that employees understand not only the organization's policies, but also their applicability to all mediums, including e-mail.

At Spherion, the company publishes a "computers and telecom resource policy" that spells out what it considers to be the appropriate use of computers, e-mail and so on, and a code of business conduct. Employees must read and sign both policies.

And every day, when employees log on to the company network, they receive an automatic reminder of the company's computer policy and code of ethics.

"We also discuss the topic where appropriate among employee groups and their respective management teams," he adds. "And in areas where privacy is critical, key controls related to Sarbanes Oxley are in place and reviewed monthly."

Heins says HR must integrate itself into corporate risk management. For example, Spherion has an IT risk/security team, which has members from HR as well as IT, internal auditing, finance, accounting and other company areas. Heins' role on the team includes reviewing and approving security initiatives and setting organizational priorities as they relate to information security.

Interestingly enough, Heins says, the growth of identity theft and spyware means that employees are more likely to be personally affected by data security these days. That fact has helped them understand the importance of data security to their employers' financial health.


"People have become victims, so they are more sensitized as to why we need to have usage policies," he says. "People will still do inappropriate things, but the frequency is diminishing."

When Monitoring is a Must

People problems aside, effective technology can help manage those issues. NextSentry offers an application that resides on a computer desktop, minding its own business until an employee's behavior triggers an alert.

The software uses a "whitelist" strategy to limit Web access, meaning that employees can access only Web sites that appear on a designated list. All others will be blocked and, depending on the company's discretion, could trigger a "You are violating policy" pop-up warning on the screen.

It also monitors e-mail, instant messaging, blogs, file transfers, printing, and removable storage devices such as USB drives, CDs or iPods (see sidebar). An employee who rings up four or five such policy-violation warnings might warrant a face-to-face warning or stronger disciplinary action.

"We don't watch anything until someone does something outside of established policy," says Hereford. For example, the NextSentry application can prevent an employee from visiting an external site to pay their bills online, or from opening up a cell phone account -- whatever is not on the whitelist will be blocked.

Hereford says the tool has helped clients identify employees who were up to no good. In one case, a call-center employee with access to online bank accounts went to her cell phone provider's Web site and paid her own bill by withdrawing money from someone else's account.

In another case, a commercial loan officer was caught burning account and credit information to a CD, and passing the information on to a new start-up bank in return for payment.

At Spherion, Heins says, monitoring employees' usage of the Web and e-mail is a must, considering the large volume of confidential information the staffing company has on file.

"We want our employees to have access to the latest information in order to be competitive, yet we are concerned about potential risks [in terms of] others attempting to gain access to our critical and confidential information," he says. "We handle hundreds of thousands of employee records every year. Maintaining that level of security and privacy is not taken lightly."

A security manager from a NextSentry customer, one of the world's largest banking organizations, makes it clear that HR has a role in balancing employee privacy with company interests. 

But, he says, privacy is really not the issue. The company's financial health is paramount, since every employee ultimately depends on it.

"It all begins with HR," says the executive, a former law enforcement officer who requested anonymity.

"With all the programs and policies in play, HR needs to help create a good policy."

He explains that his experience (and studies) has shown that employee data theft frequently occurs within the first 30 days of an employee's tenure or, on the flipside, when an employee has given the traditional two weeks' notice.

"Coming from law enforcement within the government, we knew there were sanctions [for stealing information]," he says. "But in the private sector, there is much more of an effort to keep people happy. That mindset has to change. People can be happy in their jobs, but for HR, it is always going to be essential to let employees know that their e-mail and Web use can be monitored."

Christopher Stief, a partner in the Philadelphia office of Fisher & Phillips, agrees that HR has a crucial role to play.

"A simple act, even an innocent one, can undo all the technological protections," Stief says. "The human side -- developing a policy, communicating it and applying it fairly -- is the big piece for HR."

HR can ensure fair application of a policy by investigating potential violations thoroughly and intelligently, he adds.

"It's important to be able to discern an 'innocent mistake' from something reckless, or worse yet, something intentional," says Stief.

HR also should play an essential role in helping employees understand why such precautions are necessary, he says. If employees understand the crucial business need for data protection policies and mechanisms, they are more likely to perceive and accept as "fair" both the types of monitoring that are necessary and the disciplinary actions that may be required to address violations.

"HR can help data-protection policies be perceived as necessary protection of company and client confidential data, rather than an 'oppressive Big Brother regime,' " says Stief.

Copyright © 2017 LRP Publications