Perhaps the most well-known data heist perpetrated by an “insider” was Edward Snowden’s appropriation and disclosure of data from the National Security Agency. The Snowden case demonstrated the cost of focusing on external threats to the exclusion of internal bad actors. In the aftermath, companies are increasingly adopting sophisticated technologies that can help prevent the intentional or inadvertent export of corporate IP and other sensitive and proprietary data.
Enter data loss prevention, or “DLP,” solutions, which help companies detect anomalous patterns or behavior through keystroke logging, network traffic monitoring, natural language processing, and other methods, all while enforcing relevant workplace policies. And while there is a legitimate business case for deploying this technology, DLP tools may implicate a panoply of federal and state privacy laws, ranging from employee monitoring, computer crime, and wiretapping laws to, potentially, data breach statutes. Given all of this, companies must consider the legal risks associated with DLP tools before they are implemented and plan accordingly.
There are several key questions companies should consider before deploying DLP software. First, whom are you monitoring? Second, what are you monitoring? Third, where are you monitoring? Let’s look at each in detail:
Whom are you monitoring? The first question is important, as the answer may require you to provide prior notice and consent. This may seem simple enough for employee emails, but presents challenges for third party messages and other online activities. For example, if a company is using DLP to monitor employees’ online activities, it should first consider and comply with employee monitoring laws. States such as Connecticut and Delaware expressly prohibit employers from electronically monitoring employees without giving prior notice.
Other laws that don’t target employee monitoring, but do restrict the monitoring of electronic communications more broadly, such as the federal Electronic Communications Privacy Act (ECPA), must also be taken into account. Although ECPA generally prohibits monitoring electronic communications, there are two exceptions that might apply to your company. The “business purpose exception” allows employers to monitor employees’ electronic communications if the employer has a “legitimate business purpose” for the monitoring; a catch-all with potentially broad interpretation. Employers also may monitor workplace communications if they have obtained their employees’ consent. Companies often do this simply by requiring employees to acknowledge and accept their monitoring practices at the time of onboarding and before being able to log onto company devices or networks and systems.
If DLP software may monitor and capture third party communications (e.g., relatives or friends that email employees at their work domain address), then companies should also pay attention to state wiretapping statutes and devise appropriate measures for reducing attendant legal risk. States like California and Illinois require all parties to a communication to consent to interception of communications in transit. That means that before companies can scan an email sent from a friend or relative to the employee, employers must figure out how to give notice of the monitoring to those third parties and how to get the third party’s consent. Absent that step, companies may face the risk of potential class action lawsuits and/or government enforcement actions. As recent proposed settlements involving technology companies demonstrate, third parties who did not give consent, but whose communications were scanned simply because they communicated with users who did, are all too willing to sue using “all-consent” wiretapping laws. Companies have limited options given the practical challenges of obtaining consent from third parties. Many rely on posting a notice on the company’s website, including a statement at the bottom of all employee emails that all electronic communications to or from the company domain are the property of the company and subject to monitoring, and treating a third party’s continued communication with the employee via the company domain following those disclosures as implied consent.
What are you monitoring? This question must be analyzed in two ways. First, it’s necessary to determine if your company intends to monitor data in-transit and/or data at-rest. Many state wiretapping statutes and, as noted, ECPA, prohibit electronic interception of data in transit without consent. Violations can result in criminal and civil penalties. On the other hand, monitoring and/or collecting data at-rest can implicate the Stored Communications Act (“SCA”), which generally prohibits unauthorized access and disclosure of electronic communications in storage in an electronic communications service provider’s facility (that is, data that is stored on corporate servers). While the SCA generally does not prohibit employers from accessing communications at rest on their own systems, companies may want to think twice before accessing communications stored by their electronic communications provider (e.g., Microsoft, Gmail, etc.), without the appropriate authorizations.
Second, it is necessary to consider what types of internet usage or electronic communications may be monitored, as certain types are protected. For instance, approximately 25 states prohibit employers from requiring or requesting an employee to verify a personal online account (e.g., social media, blogs, email), or provide log-on information to personal accounts. DLP technology—whether through keystroke logging or taking screenshots—could circumvent these laws by inadvertently acquiring log-on information to an employee’s personal accounts. In the context of workplace monitoring, courts and state legislatures have recognized privacy interests in geolocation data, attorney-client communications, and union organizing activities. In most of these instances, the employee’s privacy interest must be analyzed and balanced against the legitimate business interest in conducting the monitoring in the context of the specific circumstances.
Where are you monitoring? This third question is especially important if companies plan to install DLP software on personal devices that are used for work. This can implicate state computer crime and spyware laws, which prohibit and in many instances criminalize accessing a computer without authorization. Many states such as California, New York, and Massachusetts have such laws on the books. Breaking these laws can result in onerous penalties, up to and including fines, damages, and/or imprisonment.
Apart from these privacy laws, unauthorized access to data, or data loss resulting from internal bad actors, may trigger state breach notification laws depending upon the circumstances. Forty-eight states have data breach notification statutes which may require notice to individuals whose personally identifiable information (PII) is accessed by someone who was not authorized to access the data.
Companies that are considering using DLP tools also should bear in mind global privacy laws. For example, the European Union General Data Protection Regulation (GDPR) and applicable member-states’ privacy laws offer significantly more enhanced protections to employees than granted under U.S. law. Globalization has made it possible for both startups and large multinationals to engage employees or independent contractors located in the farthest reaches of the world. The flip side, however, is that all companies availing themselves of an international workforce need to work within global privacy laws, including those that govern employee monitoring. Companies with personnel around the globe must then devise a compliance strategy that affords the appropriate protections under global law while avoiding unintentionally enhanced privacy protections for U.S. employees beyond those required by U.S. law.
While the considerations above are by no means exhaustive, they offer a useful starting point for assessing the privacy impacts and legal risks involved with using DLP technology to address internal threats. Of course, there is no one-size-fits-all approach to incorporating this technology into a data loss prevention program. Accordingly, it is a good idea to first conduct an assessment to understand the privacy impact and legal risks resulting from the use of DLP tools. Once the impact and risks are understood, companies will then be well-positioned to identify risk mitigation measures appropriate for their particular situation. At a minimum, such measures should consist of a suite of technical, organizational, and policy-related means including:
- Policies that clearly (i) articulate the business case for the monitoring; (ii) explain that neither employees nor any third parties with whom the employees communicate over company domains should have any expectation of privacy in those communications; and (iii) broadly define corporate property to include not only all computing devices, but also log-on credentials, passwords, and all communications to the company.
- A risk-based approach for monitoring.
- Narrowing the scope of the monitoring by using tagging or similar technologies to track when data leaves a database and travels throughout a corporate network.
- Encrypting all data and restricting access to a “need to know” basis.
- Considering a plan that socializes the monitoring with the workforce, to build a sense of common purpose and shared value in protecting corporate IP and other data assets.
Recent high profile data breaches have resulted in a heightened awareness of external threats to corporate IP and other confidential data. Those events should not distract companies from assiduously guarding against potential internal threats. Companies are wise to consider implementing proactive protections, such as incorporating DLP software into their data loss prevention programs. In doing so, they should be thoughtful and perform the up-front legal analysis necessary before deploying such technologies.
The authors would like to express their appreciation for the assistance of Michelle Sohn, an associate in Goodwin’s Privacy + Cybersecurity practice.