Companies considering using DLP tools should also consider global privacy laws. For example, the European Union's General Data Protection Regulation (GDPR) and applicable member states' data protection laws provide employees with much stronger protection than U.S. law. Globalization has allowed start-ups and large multinationals to hire employees or independent contractors in the most remote parts of the world. The flip side, however, is that every company that uses an international workforce must operate in compliance with global data protection laws, including those that govern employee surveillance. Companies with employees around the world must therefore develop a compliance strategy that provides the appropriate protection under global law while avoiding unintentionally extending to U.S. employees data protection beyond what U.S. law requires.

Where do you monitor? This third question is especially important if companies plan to install DLP software on personal devices used for work. This may involve government laws on computer crime and spyware that prohibit and, in many cases, criminalize unauthorized access to a computer. Many states, such as California, New York, and Massachusetts, have such laws on their books. Violation of these laws may result in heavy penalties up to and including fines, damages and/or imprisonment.

What are you watching? This issue needs to be analysed in two ways.

First, you need to determine whether your organization intends to monitor data in transit and/or data at rest. Many government interception laws and, as mentioned earlier, ECPA prohibit the electronic interception of data during transmission without consent. Violations may result in criminal and civil penalties. On the other hand, monitoring and/or collection of data at rest may involve the Stored Communications Act ("SCA"), which generally prohibits unauthorized access to and disclosure of electronic communications on an electronic communications service provider's facilities (i.e. data stored on the company's servers). While the SCA generally does not prohibit employers from accessing communications at rest on their own systems, businesses should think twice before accessing communications stored by their electronic communications provider (e.g., Microsoft, Gmail, etc.) without the appropriate permissions.

Online medical and banking passwords/details: California law prevents employers from requesting personal information such as social media usernames, passwords, social security number, online banking information, and details of a medical condition.

Company workstations/devices: Employers can monitor company-owned desktops and devices as long as there are legitimate reasons to do so.

Guide: All employers must produce a comprehensive manual that includes mandatory and recommended guidelines. Handbooks should explain in detail what employees are and are not allowed to do in the workplace. Employers should update manuals as labour laws or policies change.

Who do you monitor? The first question is important because the answer may require notice and consent. This may sound simple for employee emails, but it presents challenges for third-party messaging and other online activities. For example, if a company uses DLP to monitor employees' online activities, it must first consider and comply with employee monitoring laws. States such as Connecticut and Delaware explicitly prohibit employers from electronically monitoring employees without notice. In general, legal experts tell their corporate clients that monitoring email and Internet use is acceptable as long as there is a legitimate business reason and they can show that their actions are proportionate to the risk. Regardless of the technology they use, some business owners may not know how far they can or need to extend their powers to monitor employee activity. It's always best to look to federal and state surveillance laws and regulations to set boundaries.

Yes. There are exceptions when an employee uses the company's phone. In addition to the Fourth Amendment, the Electronic Communications Privacy Act (ECPA) of 1986 states that it is illegal to intentionally intercept wireline, oral, or electronic communications. However, there are standard exceptions:

Service provider exception: The service provider is authorized to access electronic communications.

Business exception: Employers can monitor the use of enterprise systems as long as there is a legitimate business reason behind it.

Prior consent exception: Federal law permits the recording of telephone conversations with the consent of at least one party (One-Party Consent Act).