The Regulatory Compliance Tug-of-War between the Adoption of Employee Activity Recording and the Need to Protect Employee Privacy
The Legal Obligation to Protect Sensitive Data
A growing number of laws and regulations require companies and government agencies to protect certain types of information from unauthorized access or alteration. While the details differ significantly among jurisdictions and industries, organizations worldwide must improve the way they protect, manage and monitor access to sensitive information and systems.
Samples of these regulations include:
- Data Protection Code of 2003 – This Italian law (Legislative Decree 196/2003) sets out mandatory protections for health data, human resources data and electronic communications data.
- Federal Data Protection Act (2001 revision) – This German law (the Bundesdatenschutzgesetz, BDSG) controls the collection, processing and use of personal data by public and private bodies.
- HIPAA & HITECH – The US Health Insurance Portability and Accountability Act (HIPAA) specifies how organizations must safeguard Protected Health Information (PHI); the 2009 HITECH Act extended those privacy and security rules, added breach-notification duties and raised penalties.
- ISO 27001 – This Information Security Management System (ISMS) standard was published by the International Organization for Standardization (ISO). ISO 27001 requires a compliant organization to assess its information security risks, implement controls to treat those risks, and run management processes that keep the controls effective over time.
- PCI DSS – The Payment Card Industry Data Security Standard is an industry standard (not a law) with 12 high-level requirements covering cardholder data handling, from access rights to data storage to audit logging and monitoring.
- SOX – The US Sarbanes-Oxley Act (SOX) is a wide-ranging act that requires publicly traded companies to maintain internal controls (notably under Section 404) for the accountability and integrity of their financial reporting processes.
Employee Activity Recording
An increasingly common approach to many of these legally mandated security compliance goals is “employee activity recording.” Much like recording telephone conversations made on the company telephone system or operating video surveillance of company premises, many organizations deploy software that records the activities performed by their employees on company-owned workstations and servers.
The resulting recordings show exactly what actions an employee took while using particular software or systems (including the operating system processes that resulted from those actions), and can include both screen recordings and searchable text activity logs.
Employee activity recording is an effective compliance tool because it provides:
- Faster and easier security compliance – Monitoring and recording all access to sensitive data by in-house employees, remote users and third-party vendors gives compliance auditors direct evidence of who accessed what.
- Strong legal evidence – The logs and recordings show exactly who did what and when, without the overhead and incomplete results of correlating and analyzing scattered log files. This holds only if the recordings themselves are stored tamper-evidently and access to them is controlled.
- Fast root cause analysis – The recordings and logs allow immediate identification of system configuration changes, for swift troubleshooting or investigation of compliance breaches.
- Early data breach detection – Custom real-time alerts based on user, application, resource and/or keyword give early warning of both human error and malicious actions.
Pulling the Other Way: Laws to Protect Employee Privacy
While employee activity recording gives organizations a powerful compliance tool, it also risks infringing on legally protected employee privacy rights. Some of the applicable regulations in this regard include:
- ECPA – The US Electronic Communications Privacy Act regulates the interception of communications (Title I, the Wiretap Act, subject to consent and business-use exceptions) and, in Title II (the Stored Communications Act), protects stored electronic communications. It is often discussed in the context of government and law enforcement access, but it also constrains private employers.
- US State Law – Many US states have enacted privacy restrictions through state law, such as California Labor Code Section 435, which prohibits audio or video recording in areas where employees can reasonably expect privacy, such as changing rooms and restrooms. Some states extend similar protections to electronic messages.
- PIPEDA – Canada’s Personal Information Protection and Electronic Documents Act establishes employee privacy rights and addresses the monitoring of employee computer activity.
- BDSG – Germany’s Bundesdatenschutzgesetz imposes strict limits on the processing of employee personal data, including data produced by workplace monitoring, in almost any form.
- HRA – The UK’s Human Rights Act incorporates the right to respect for private life (Article 8 of the European Convention on Human Rights); in practice, employers may monitor workplace communications only when employees have been made aware of the monitoring before it takes place.
- Data Protection Directive 95/46/EC – This European Union directive provided a wide range of privacy guidelines and allowed reasonable employee monitoring under a set of well-defined conditions. It was replaced in May 2018 by the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which carries the same principles forward with stronger enforcement.
Striking the Proper Balance
A workable balance between the monitoring needs of employers and the privacy regulations protecting employees is attainable. By implementing appropriate corporate policy along with clear communication, employers can achieve their security and regulatory goals while complying with employee privacy regulations.
The three key elements of achieving this balance are:
- Only monitor what must be monitored – Regulatory compliance applies to specific types of information, such as protected health information (HIPAA) and cardholder data (PCI DSS). Limiting employee monitoring to activities that involve these types of data keeps the recording scope defensible and avoids capturing unrelated private activity.
- Clearly inform employees what is being recorded and why – Configure the activity recording software to present a concise policy statement to the user at every system login. The statement should describe what will be recorded and why (e.g., “Due to regulatory compliance requirements, your activity will be recorded while using SAP and while working with any server-based files.”).
- Protect recordings from unnecessary and unauthorized playback – No single person (including executive management or IT administrators) should be able to view recordings of employees’ computer activity at will. Requiring two independent credentials to access any recording (dual control: for example, one held by IT and the second by a union representative or legal counsel) protects employee privacy and ensures that recordings are opened only for a security audit, a data breach investigation or a similar documented purpose.
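The dual-control requirement in the last point can be enforced cryptographically rather than by procedure alone. The following is an added example, not code from the original article or from any particular recording product. It assumes each recording is encrypted under a random per-recording data key, that this key is split into two XOR shares (a 2-of-2 scheme), and that each share is wrapped under a key derived from one custodian's passphrase: IT holds one, legal counsel or the union representative holds the other. Neither share alone reveals anything about the data key, each custodian can rotate their own passphrase without involving the other, and a wrong or swapped passphrase is rejected by the integrity check. The stream cipher here is built from HMAC-SHA256 so the example runs with the Python standard library only; in a real deployment use AES-GCM from a vetted library, keep the same key-splitting structure, and log every successful open.

```python
"""Dual-control (two-custodian) access to employee activity recordings.

Added example; assumptions: 2-of-2 XOR split of a per-recording data key,
shares wrapped under PBKDF2-derived custodian keys, encrypt-then-MAC.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption: tune upward for production hardware


def _party_key(passphrase: str, salt: bytes, role: bytes) -> bytes:
    """32-byte key from one custodian's passphrase, bound to their role label
    so that swapping the two passphrases does not produce the same keys."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt + role, PBKDF2_ITERATIONS)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: HMAC-SHA256 in counter mode (use AES-GCM in production)."""
    stream = bytearray()
    for counter in range(-(-len(data) // 32)):          # ceil(len / 32) blocks
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return _xor(data, bytes(stream[:len(data)]))


def _subkeys(data_key: bytes):
    """Separate encryption and MAC keys derived from the per-recording data key."""
    return (hmac.new(data_key, b"enc", hashlib.sha256).digest(),
            hmac.new(data_key, b"mac", hashlib.sha256).digest())


def _share_check(share: bytes) -> bytes:
    """Check value for a share; the share is uniformly random, so this leaks nothing useful."""
    return hmac.new(share, b"share-check", hashlib.sha256).digest()


def seal_recording(recording: bytes, pw_it: str, pw_legal: str) -> dict:
    """Encrypt a recording so that BOTH custodians are required to read it back."""
    salt = secrets.token_bytes(16)
    data_key = secrets.token_bytes(32)           # per-recording key, never stored in clear
    share_it = secrets.token_bytes(32)           # 2-of-2 split: share_it XOR share_legal == data_key
    share_legal = _xor(data_key, share_it)
    enc_key, mac_key = _subkeys(data_key)
    nonce = secrets.token_bytes(12)
    ciphertext = _keystream_xor(enc_key, nonce, recording)
    return {
        "salt": salt,
        "nonce": nonce,
        "ciphertext": ciphertext,
        "tag": hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest(),
        # each share wrapped (one-time-pad style) under its own custodian's derived key
        "wrapped_share_it": _xor(share_it, _party_key(pw_it, salt, b"role:it")),
        "wrapped_share_legal": _xor(share_legal, _party_key(pw_legal, salt, b"role:legal")),
        "check_it": _share_check(share_it),
        "check_legal": _share_check(share_legal),
    }


def _unwrap_share(sealed: dict, role: str, passphrase: str) -> bytes:
    """Recover one custodian's share; raise if the passphrase (or role) is wrong."""
    key = _party_key(passphrase, sealed["salt"], b"role:" + role.encode())
    share = _xor(sealed[f"wrapped_share_{role}"], key)
    if not hmac.compare_digest(_share_check(share), sealed[f"check_{role}"]):
        raise PermissionError(f"{role} credential rejected")
    return share


def open_recording(sealed: dict, pw_it: str, pw_legal: str) -> bytes:
    """Decrypt; succeeds only when both custodian passphrases are correct."""
    data_key = _xor(_unwrap_share(sealed, "it", pw_it),
                    _unwrap_share(sealed, "legal", pw_legal))
    enc_key, mac_key = _subkeys(data_key)
    expected = hmac.new(mac_key, sealed["nonce"] + sealed["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise PermissionError("integrity check failed")
    return _keystream_xor(enc_key, sealed["nonce"], sealed["ciphertext"])


def rotate_passphrase(sealed: dict, role: str, old_pw: str, new_pw: str) -> dict:
    """Re-wrap one custodian's share under a new passphrase. The other custodian
    is not involved and the recording itself is never decrypted."""
    share = _unwrap_share(sealed, role, old_pw)           # verifies old_pw first
    rotated = dict(sealed)
    rotated[f"wrapped_share_{role}"] = _xor(
        share, _party_key(new_pw, sealed["salt"], b"role:" + role.encode()))
    return rotated


if __name__ == "__main__":
    # constructed sample input standing in for a screen recording / activity log
    sealed = seal_recording(b"2014-03-01 09:12 jdoe opened SAP transaction FB60", "it-pass", "legal-pass")
    print(open_recording(sealed, "it-pass", "legal-pass"))
    try:
        open_recording(sealed, "it-pass", "guess")       # IT alone cannot open it
    except PermissionError as e:
        print("denied:", e)
```

The check values let a custodian rotate their own passphrase safely (a mistyped old passphrase is rejected instead of silently producing an unusable share), and because the role label is mixed into each derived key, presenting the two correct passphrases in the wrong roles is also rejected.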