Watching workers: a delicate balance
Most large companies rely on in-house technology departments to monitor office phones and e-mail. Employees generally accept the practice as necessary to protect business from rogue colleagues and outside threats.
But this week’s revelation that Wal-Mart Stores Inc. fired an IT employee for snooping has some asking who watches the watchers.
The technology used to monitor communications is advancing faster than corporate policies governing its use, experts say, leaving workers vulnerable to invasions of privacy and putting employers at risk of legal liability.
“The IT staff now knows a lot about everyone -- they’ve become the keeper of secrets,” said Lynn Lieber, founder of Workplace Answers Inc., a San Francisco company that conducts training in legal compliance issues.
For years, many employers have cautioned their employees against visiting e-commerce, gambling or pornographic websites from work.
And many companies monitor employee communications to safeguard proprietary information, ensure worker productivity and head off sexual harassment claims.
Wal-Mart, the nation’s largest private employer, said the fired employee acted on his own in monitoring and recording telephone calls between the public relations staff and a New York Times reporter who had written about the company. Wal-Mart said the employee also intercepted electronic messages.
The employee, part of an internal security threat team, told the Wall Street Journal that he had felt pressured to discover who was leaking embarrassing information about the company. He could not be reached for comment.
Howard Schmidt, the White House’s former cyber-security advisor and onetime chief security officer for Microsoft Corp., said a small group of IT security personnel can get carried away with their special privileges to monitor or look in on colleagues.
“It’s the big unknown how widespread the abuse is,” said Schmidt, who also serves on the board of ISC Squared, which certifies high-tech security personnel. “Many of us in the security business talk and worry about the inside threat.”
Many companies use e-mail filters to block or flag references to company products and to words or websites with pornographic connotations. Newer software sorts the contents of e-mail and websites by “the level of threat severity,” said Devin Redmond, the director of security products for Websense, a security software company in San Diego.
But people are still the heart of every company’s security operation.
“A lock on an outdoor shed is going to keep an honest person honest,” Schmidt said. “But if you have a person who is looking to do something bad or take some advantage of their privileges, they’re going to figure out a way to beat your controls and minimize the likelihood that you’re going to find out about it.”
Most companies allow employees to send personal e-mail or make phone calls on company time so long as they get their work done.
But about half of employers have disciplined workers for e-mail abuse, according to a 2005 survey from the American Management Assn.
California’s privacy laws, among the strictest in the nation, require employers to disclose that they are monitoring workers, said Richard Simmons, a Los Angeles employment lawyer who represents companies.
Many employees say they assume the company can read their correspondence or follow their trail on the Internet.
“I might e-mail a friend saying, ‘Hey, let’s meet up for lunch,’ not, ‘Hey, I’m planning on quitting tomorrow,’ ” Raina Yoo, a 24-year-old accountant, said during a lunch break in downtown Los Angeles.
Receptionist Susan Lane, 31, says she’s careful about Web surfing. “I wouldn’t shop at Victoria’s Secret online at work,” she said with smile.
Sometimes IT staffers can’t help but see personal information.
Rocket Science Consulting of San Francisco installs and maintains computer systems for small businesses. New corporate clients often warn owner Matt McGraw to not read company e-mails, McGraw said.
“Our response is, if you’re the administrator of their e-mail, by definition you have access to everything,” he said
A former Wal-Mart IT security employee, Perry Carpenter, wrote on his blog that this week’s incident was probably a case of “human nature run amok.”
He said monitoring communications was as close to malicious computer hacking as a legitimate technician gets.
“There’s a natural instinct as you’re doing that to poke and prod,” Carpenter said in an interview. “You’ve got to make sure there’s the right kind of oversight in place.”
Companies generally instruct their IT administrators to turn over troublesome communications to company lawyers or human resources managers. A complaint about a worker lodged by a customer or another employee can also trigger a review of e-mails or phone records.
But Lewis Maltby, president of the National Workrights Institute, a Princeton, N.J., group pushing for tougher privacy safeguards, said those protocols failed to do enough to protect employee privacy. For example, he said, a quarter of companies do not have written policies explicitly barring IT employees from ad hoc snooping.
In its announcement Monday, Wal-Mart said it had changed its policy regarding monitoring and recording its communications. The Bentonville, Ark.-based retailer said it had “physically removed the recording equipment and any related hardware” from its system. The company said its legal department would directly supervise the use of those devices.
Hewlett-Packard Co. Chairwoman Patricia C. Dunn resigned after reports surfaced last fall that the company had hired private investigators who misrepresented themselves to telephone companies to illegally obtain the telephone records of board members and reporters.
A private investigator pleaded guilty to federal conspiracy and identity charges in January, and four other people, including Dunn, face trial.
The Palo Alto-based computer maker has since strengthened its privacy policy to include board members and outside contractors. HP said its chief privacy officer now has “formal responsibility for raising any concerns with senior executives.”
Still, experts agree that neither technical fixes nor policy changes can completely prevent unauthorized spying.
The inherent problem is that monitoring for legitimate purposes -- such as protecting trade secrets or preventing access to inappropriate websites -- can end up invading employee privacy, said Cliff Palefsky, a San Francisco attorney who represents workers in employment disputes.
But ultimately, he said, “respecting the personal lives of your employees is good business.”
*
abigail.goldman@latimes.com
Times staff writer Michelle Quinn contributed to this report.
