Skip Navigation

across the bar

Benefits of adopting best practice in workplace interception and monitoring

by Steve - Posted 08 June 2006

 

By looking at electronic workplace monitoring from a wider perspective instead of only focusing on the provisions of RICA, employers will be able to:

- lay the foundation for successul discliplinary measures to be taken against employees who abuse e-mail and Internet facilities
- ensure compliance with existing and future laws relating to privacy
- follow international best practice for monitoring electronic communications in the workplace; and
- maintain a solid relationship of trust and mutual respect with employees        

 

 

permalink | comments (0) | back to top

MFSA on data protection & spam

by Steve - Posted 30 November 2005

The Marketing Federation of Southern Africa has a Data Privacy Code:

http://www.mfsa.co.za/pdf/mfsa_Data_Privacy_Code.pdf

& has issued anti-spam guidelines:

http://www.mfsa.co.za/pdf/MFSA_SPAM_GUIDELINES_v1_Dec_2003.pdf 

...we will evaluate these in an upcoming article.

permalink | comments (0) | back to top

Interception and monitoring - the shoe on the other foot

by Steve - Posted 22 November 2005

When we talk about the interception and monitoring of electronic communications, most of the focus is on bosses snooping on their employees' e-mails or Internet usage. But what if the shoe was on the other foot? In the US, a former claims adjustor employed by the Bristol West insurance company was caught using a keystroke logger device that he purchased off the Internet to tap his employer's computer.

The device was installed on a secretary's PC in an effort to expose alleged anti-consumer practices by Bristol West, including the illegal canceling of client's policies. The whistle blower was charged under the US's federal Wiretap Act for unlawfully intercepting electronic communications transmitted over a system that affects interstate or foreign commerce.

 

However, the case was dismissed on the grounds that the employee's conduct did not amount to an unlawful interception in terms of the Wiretap Act. The judge ruled that the interception of keystrokes between the computer's keyboard and its hard drive did not meet the Act's requirement that the intercepted communication/s were being transmitted over a system that affects interstate or foreign commerce, even where that computer was linked to the employer's internal network and/or where the intercepted communications may have been e-mails.

permalink | comments (0) | back to top

Privacy - should companies be forced to report data theft?

by Steve - Posted 19 July 2005

The spotlight has fallen on a number of high profile data theft incidents this year in the US where large databases containing personal information have been infiltrated. Although Choicepoint, Lexis Nexus and others were left with egg on their faces regarding their security, at least they came clean to their customers.

We know of a recent incident in SA where a large retailer had a similar problem. Unfortunately after being approached initially for help, we then heard nothing further and it seems like the company decided to close up shop on the issue.

Should companies be compelled by law to report incidents of data theft so that their customers can at least take steps to mitigate against any potential loss?

Legislation is currently being considered in the US where penalties will be imposed on companies that remain tight-lipped on this issue. With the rise of phishing and other identity theft attacks in SA, it may be wise for us to follow suit.       

permalink | comments (0) | back to top

Workplace monitoring - hell hath no fury like an employee scorned

by Steve - Posted 10 July 2005

According to a recent study conducted by the National Threat Assessment Centre of US Secret Service, most insider attacks on company information systems are carried out by disgruntled employees often with prior disciplinary records. This makes common sense, but what is more worrying is that only 17% of attacks are carried out by individuals with "administrator" status. 87% of attacks are carried out  using simple user commands.

So while you are keeping out the crackers and hackers, remember Joe in Accounting who was passed over for promotion last month.      

permalink | comments (0) | back to top

Not so funny...

by default - Posted 11 May 2005

The 2004 Information Security Breaches Survey (see the "Passwords, security and chocolate posting" below for more info) revealed that a staggering 71% of employees surveyed would download contacts or sensitive information from their current employer in order to take it with them to their next job.

This raises two initial questions:
1. would you even be aware of one of your employees taking sensitive information which belongs to your company?
2. what legal and technical steps have you taken to stop sensitive information leaving when your employees do?

permalink | comments (0) | back to top

funny......

by default - Posted 11 May 2005

What is more important to you – your morning cup of coffee or the ability to access the Internet for personal use while at work?

Tough question. A recent US survey conducted by Websense (Web@Work 2004 survey), revealed that while 46% of employees surveyed said they would pass up the Internet access, 49% would rather go without their morning java.

Astonishing - personal use of the Internet at work is obviously that important.

For a wrap of the survey results go to http://www.websense.com/company/news/pr/Display.php?Release=040428597

permalink | comments (0) | back to top

Laying the groundwork for disciplinary action

by default - Posted 10 May 2005

In another of many such cases, three employees at a Scotland Rolls Royce plant were recently dismissed for downloading porn from the internet. It is clear that all three were aware of the rule against viewing and/or downloading porn and that they knew that a monitoring system was in place.

A company spokesman commented that it was their belief that the action taken was fair but firm. Because the material downloaded was not illegal but rather inappropriate for the workplace, the matter was dealt with internally and not reported to the police.

Most local companies would react in the same way, but it is vital to remember that disciplinary action can only be taken where a company has laid down clear rules for use of the internet and has taken reasonable steps to ensure that their employees are aware of these rules and the possible sanctions for breaching them. Companies should also strive to be consistent in the way which they deal with those who break the rules.

A failure to formulate and publicise rules will most likely result in an employee being able to succesfully contest a dismissal or other discplinary action in the labour courts.

Probably the simplest way to lay the groundwork for future disciplinary action is through the proper implementation of an Electronic Communications Policy which sets out the rules for acceptable use of electronic communications and makes it clear that disciplinary action, including the possibility of dismissal, will be taken against employees who flaunt them.

An Electronic Communications Policy, or ECP, will also assist to protect companies against a variety of potential liabilities which may flow from employee use of e-mail and the internet. It might even contain a ban against employees agreeing to release their passwords to strangers in exchange for chocolate!!

If your company does not have an ECP we strongly suggest that you consider implementing one. It does not have to cost and arm and a leg and could well save you a lot of money and hassle in the future.

Contact us with your details if you would like a quotation.

permalink | comments (0) | back to top

Its a matter of taste

by default - Posted 03 May 2005

In an earlier article we posted some good practice recommendations for employers who want to monitor their employees e-mail and Internet usage at work. One of the points that were made was that when creating rules and standards for acceptable use of company e-mail and Internet facilities, employers must ensure that these rules and standards are clearly defined and made known to their employees. Employees are then able to clearly understand the parameters.

This is particularly relevant when using words such as “offensive” or “unacceptable content”. What is offensive to one person may not be offensive to another and employers need to clearly define what they mean by this and give some examples.

These issues were clearly highlighted in the UK* recently when the Royal Bank of Scotland lost an unfair dismissal appeal brought by an employee who had been fired for sending porn via e-mail. The Bank almost got it right by developing a matrix to grade offensive material into different categories with each category being linked to an appropriate disciplinary sanction for employees found to have sent and/or received such material.

Unfortunately, the Bank failed to bring this matrix to the attention of all of its employees, including the employee who was being fired. The appeal tribunal therefore held that she had not been given sufficient detail of the case against her to allow her to prepare a proper defence and overruled the dismissal on procedural grounds.

NB!It is not enough to simply draft a sound e-communications policy and slip it into the existing employment manual - employers must make sure that it is properly implemented in the workplace with proper notice, guidance and training for employees.


*According to a recent survey, e-mail and Internet abuse is still on the increase in the UK with the two main culprits being excessive personal use of e-mail and access to inappropriate websites by employees.

permalink | comments (0) | back to top

Viewing posts 1 - 9 of 9