In recent years, companies have been adopting data loss prevention (DLP) strategies at an increasing rate. These solutions use technology to help companies “detect anomalous patterns or behavior through keystroke logging, network traffic monitoring, natural language processing, and other methods, all while enforcing relevant workplace policies,” according to a recent article in the Harvard Business Review. While the business case is fairly clear cut, certain DLP tools can run afoul of federal and state privacy laws. If your company is considering employing DLP, there is some important information to consider beforehand.
HBR says there are three main questions to answer before you deploy DLP software: “First, whom are you monitoring? Second, what are you monitoring? Third, where are you monitoring?”
Depending on whom you are monitoring, you may need to provide prior notice and obtain consent. You also have to make sure that the way you’re monitoring complies with state law. “States such as Connecticut and Delaware expressly prohibit employers from electronically monitoring employees without giving prior notice,” Harvard Business Review explains.
Other laws, like the federal Electronic Communications Privacy Act (ECPA), prohibit the monitoring of electronic communications in general, with two exceptions. The “business purpose exemption” allows employers to monitor employee electronic communications if they have a “legitimate business purpose,” a phrase that is open to broad interpretation. The other exemption applies when employers have obtained their employees’ consent to be monitored.
Pay attention to whether your DLP software could monitor third-party communications, such as email sent by relatives or friends to an employee’s work address. This can infringe on certain states’ wiretapping statutes. HBR explains that “States like California and Illinois require all parties to a communication to consent to interception of communications in transit. That means that before companies can scan an email sent from a friend or relative to the employee, employers must figure out how to give notice of the monitoring to those third parties and how to get the third party’s consent.”
Without doing this, companies in these states can face class action lawsuits or government enforcement actions. One way companies address this is by posting a notice on their website or by including a statement at the bottom of all employee emails that electronic communications on the company domain are company property and subject to monitoring. If the third party continues to communicate after receiving this notice, their consent is treated as implied.
The second question Harvard Business Review poses is: what are you monitoring? The article explains that it is “necessary to determine if your company intends to monitor data in-transit and/or data at-rest.” The ECPA, as well as many individual states, prohibits “electronic interception of data in transit without consent,” and violations can result in both criminal and civil penalties. Collecting or monitoring data at rest, on the other hand, can infringe upon the Stored Communications Act (SCA), which prohibits “unauthorized access and disclosure of electronic communications in storage in an electronic communications service provider’s facility.”
It is also crucial for a company to consider what types of communications are being monitored. Twenty-five states have made it illegal for employers to request or require an employee to verify a personal online account, such as a blog, a Facebook or Twitter profile, or a Gmail account. DLP technology sometimes has the ability to inadvertently capture log-on information for these personal accounts, which could put the company in violation of these state laws. It is better to know your state laws and your software’s capabilities than to risk legal action.
The third question in HBR is: where are you monitoring? They point out that this question is “especially important if companies plan to install DLP software on personal devices that are used for work.” Doing so could implicate state computer crime and spyware laws, especially if you’re monitoring in California, New York, or Massachusetts. Breaking these laws can result in fines or even imprisonment.
If you’re thinking of taking your DLP program global, you’ll also have to consider international law. As HBR explains, “the European Union General Data Protection Regulation (GDPR) and applicable member-states’ privacy laws offer significantly more enhanced protections to employees than granted under U.S. law.”