As many organizations learned over the breach-heavy course of 2017, the greatest threats to network security often come from within, whether through employee negligence or explicit theft of company data. In fact, among 874 incidents reported in the latest Cost of Data Breach Study from the Ponemon Institute, 65 percent were attributed to employee misconduct or carelessness.
As a result, more businesses are considering data loss prevention (DLP) solutions in 2018 that track anomalous behavior that could indicate a breach in progress. These tools give insight into all the traffic on the network, and can get granular not just in attributing activity to users, but even in gaining insight into the programs and apps – professional and personal – that users are accessing.
While this is an essential asset in the digital age, as threats to network security are coming at organizations from all angles, businesses need to be cognizant not to overstep and inadvertently open themselves to fine-worthy violations. Companies therefore need to keep three questions in mind as they roll out their DLP and employee monitoring initiatives:
Where are you monitoring?
For starters, depending on what’s dictated by local legislation, enterprises may need to give employees prior notice before implementing monitoring software. In Delaware and Connecticut, for instance, this is mandatory practice, although other states have more nuanced restrictions that might not require an employee’s explicit sign-off before DLP initiatives can be enacted. The safest route is to read the applicable laws thoroughly at the outset.
Who are you monitoring?
The Electronic Communications Privacy Act (ECPA), by contrast, is a federal law that sets up broader restrictions than most state or municipal rules on the subject. The law doesn’t target employee monitoring outright, but instead puts restrictions on monitoring all electronic communications. While the ECPA prohibits monitoring in a general sense, the rule allows the “business purpose exception” – where a “legitimate business purpose,” itself a catch-all with broad interpretations, allows for monitoring – as well as monitoring once employee consent is obtained.
Where the rules get tricky is when third-party communications are involved, usually when employees are communicating with friends or family on the work network for non-work-related reasons. This is another state-by-state nuance that companies need to be mindful of, as states like Illinois and California require consent from all parties to a communication, or else a company could be liable under local wiretapping statutes.
What are the global implications?
Even businesses that are based stateside and don’t consider themselves “global businesses” may still find themselves subject to international noncompliance fines. The General Data Protection Regulation (GDPR) from the European Union, for instance, notes that any organization collecting any data on residents of the EU – even if the company doesn’t have a branch office on the continent – could be subject to significant fines, in some cases starting at $20 million.
That means that even if a company is merely working with a third-party vendor in Europe, collecting any personal information on that remote business contact without ensuring ample data protections are in place could leave it vulnerable to fines.
Luckily, many DLP solutions were designed with GDPR in mind and actually help give organizations the posture they need to be prepared for the legislation’s enactment in spring of this year. This isn’t a guarantee, however: businesses need to be as exhaustive in vetting their security software as they are in knowing the potential legal ramifications of improper employee monitoring.
Chris Park brings over 13 years of technology experience in corporate network security to his position as CIO, where he is responsible for creating and driving the company’s IT strategy. As the resident expert in all aspects of iboss solutions and infrastructure, he is responsible for iboss’ entire IT operation, including network and system engineering, front-end development, data center operations, and customer service and support. Under Chris’ strategy and guidance, iboss has achieved an industry-leading customer retention rate of 98.5%. Prior to his CIO position, Chris served in a variety of product management and network architect roles, working with public and private companies to troubleshoot and support their network security infrastructures. As a proven IT leader, Chris is dedicated to helping drive the company’s IT operations with a focus on building and supporting global IT strategies that ensure future growth.