Keeping tabs Featured

8:00pm EDT October 26, 2009

Taking the proper steps to protect some of the most critical information for how you conduct your business is paramount to its livelihood. There’s a lot at stake.

“There’s a 2005 statistic that says 70 percent of identity theft starts with an employee stealing personal data from their employer,” says Traci A. McGuire, director in the Litigation, Labor & Employee Relations and Health Care practices at Kegler, Brown, Hill & Ritter. “Although you want to be trusting of your employees, you also have to realize the far-reaching nature of technology and who has access to that information. You have to assume that once it’s out there on the Internet, it is available to the whole world.”

Smart Business learned more from McGuire about steps businesses should take to properly monitor their critical information.

What are the risks businesses face by not regulating employee access to information?

The No. 1 concern is that employees can steal confidential information and do a lot of damaging things with it. There are a number of cases where employees steal confidential information about, for example, a manufacturing process or something that would be of interest to a competitor. If they go to work for a competitor, they have information that’s going to be used against you.

An employer may have one view of what is confidential information. On the other hand, an employee’s job may be just one slice of how a company operates, yet that employee may have access to information he or she does not realize is confidential. An employee may think it’s appropriate to share information in an e-mail or on Facebook as part of a routine dialog, or even just in conversation. But the company views that as an egregious breach of sharing confidential information because of who their clients and customers are.

What can, and should, employers monitor?

Generally speaking, employers can monitor any kind of electronic media that they want, including an employee’s use of Facebook or Twitter, their cell phones, digital cameras, computers — so long as they create a realistic expectation of privacy or the lack thereof for the employee.

An employer needs to first focus in on what information is important to the company and what they really want to protect. They can write a policy as broad as they want, but that’s only good if that’s what they really need. You have to be practical and realistic about how employees actually use technology. Is it really realistic to think that you’re going to control and prohibit each employee from doing any online shopping at Christmas time or from checking Facebook during the day? And do you really want to have that level of control?

You need to identify first what information exists within the business and what employees have access to. Do all employees have access to trade secrets, client lists, customer lists, or billing practices? The policy you’re putting in place also needs to address the specifics of the technology that you want to monitor. Do you have a policy that restricts the use of company-provided cell phones to work-related things only? The more sophisticated a business is, the more thought needs to be devoted to that process. Employers need to consider whether they provide laptops that employees take home, or whether they have an external Web-based system that could be accessed from anywhere, even if it’s not on a company-provided computer. You need to be thorough when you think about all the ways employees can access a company’s information.

Once the employer determines the type of media that the company wants to monitor, they have to decide how to carry it out. How are you actually going to monitor it? What are you going to do if you find somebody has breached protocol? You need to have a policy in place that’s consistent and treats employees uniformly during that process. You can’t treat one employee better or differently than another employee when something unexpected happens because you could be looking at the possibility of some type of discriminatory treatment.

How should employers communicate their confidentiality policies?

Employers have to inform their employees and put them on notice of their privacy rights. You can’t just monitor things and not tell them and then try to crack down. That’s not really going to be helpful.

Typically these types of policies are written into the handbook. And certainly if you hire somebody new, you give them a handbook, allow them some time to read it and then you have them execute some type of document that acknowledges their receipt of the handbook. For ongoing employees, as technology changes, obviously it’s hard to keep up, so you want to update your handbook. The important part is to get the employee to acknowledge that they have received the information that is a supplement or update to the handbook, that they’ve had an opportunity to read it and they understand what it says. It is those documents that are going to be the key part to being able to enforce the policy down the road.

Traci A. McGuire is a director in the Litigation, Labor & Employee Relations and Health Care practices at Kegler, Brown, Hill & Ritter. Reach her at (614) 462-5408 or tmcguire@keglerbrown.com.