Posted April 7, 2014
by Tobias Losch, GLEG
In this blog series on social media and online monitoring, we’ll discuss the five best ways for companies to address compliance regulations – and protect their organizations – while respecting employee and third-party privacy concerns.
In our previous post, we discussed why it’s important to have a clear understanding of what you are looking for and what your objectives are. In today’s post, we’ll examine why you need to set boundaries.
2. Set Your Boundaries
Only the outer boundaries are defined by law, from the Wiretap Act, the Computer Fraud & Abuse Act, and the Electronic Communications Privacy Act, through the fragmented landscape of American privacy protection, to the important and influential European Data Protection Directive. But any kind of overreach, whether by a monitoring vendor or an internal team, can expose your organization to the consequences of vicarious liability. Rather than mourning undiscovered intelligence, companies should value and enforce proper and ethical behavior. Hacking social media accounts or asking for employee passwords, using social engineering to entrap possible targets, and other deceptive or invasive practices are outside acceptable boundaries.
The storage and protection of data, especially Personally Identifiable Information (PII), is a particularly important issue. While it may not be possible to protect data from every possible attack or loss, collecting and storing it does require at least reasonable efforts, measured against industry standards, to protect it from unauthorized access. Having a formal policy on the dissemination and destruction of data is not only an operational task, but an ethical imperative separating good organizations from bad. Storage might be cheap, but a conscience is… well, we don’t want to infringe on someone else’s tagline here!
In our next post, we’ll take a look at why you should strive for transparency if you’re monitoring your employees.
The author received his legal education at the University of Göttingen (GER), practiced law previously as an attorney in Germany, and is GIAC certified for Law of Data Security & Investigations. He serves as a leader of Cyveillance’s Global Intelligence Team. Disclaimer: This blog post is a general reflection of certain topics and is not intended as a comprehensive discussion of the law. It does not constitute legal advice for any particular situation. If you need specific legal advice, please consult your own counsel.