Employee Privacy Expectations and Legal Rights

In years past, electronic communications were not an issue. However, today's employers are being named in lawsuits with claims of harassment, copyright violation, invasion of privacy, discrimination, and defamation. Often, these matters are related to inappropriate e-mail, Internet, and software use by employees. Laws, regulations, and court cases are deciding the means by which companies may govern the conduct of their employees. Organizations can take protective measures in the development and implementation of comprehensive written policies addressing employee expectations.

Exhibit 4: Expectation of Privacy

start example

Computers, computer systems, and computer accounts are provided to assist users in the performance of their jobs. Computers, computer systems, communications systems, and related media equipment are the property of the XYZ Corporation and may be subject to monitoring, recording, or audit at any time. Users do not have an expectation of privacy in anything they speak, communicate, create, send, store, or receive on these systems.

end example

Exhibit 5: Waiver of Privacy Rights

start example

Users expressly waive any right of privacy in anything they create, store, send, or receive on the Internet or any other computer network. All users consent to allowing personnel of the XYZ Corporation or its assignees to access, audit, and review any and all materials users create, store, send, or receive on the computer or through the Internet or any other computer network.

end example

Exhibit 6: No User Privacy in Communications

start example

The XYZ Corporation reserves the right to monitor any and all aspects of its computer system, including but not limited to monitoring workstation usage, computer network usage, monitoring sites visited by users on the Internet, monitoring chat rooms, newsgroups, messaging services, reviewing materials downloaded or uploaded by users, as well as e-mail sent and received by users.

end example

Exhibit 7: Automated User Monitoring

start example

Users understand that the XYZ Corporation may use automated means to monitor material created, stored, sent, or received on its computer network.

end example

In most organizations, employees believe their e-mail and Internet activities are private and businesses do not have a legal right to monitor their electronic communications.

ECPA

Under the provisions of the Electronic Communications Privacy Act (ECPA), an employer-provided computer system is the property of the employer, and as such the employer has the right to monitor all e-mail traffic and Internet browsing on its system. In spite of the ECPA language favoring the employer's right to monitor electronic communications on company systems, there has been a significant rise in lawsuits where employers are being sued for allegedly invading the privacy of their employees. Many of these cases are based on an employee's reasonable expectation of privacy. If an employee might convince a court to rule against the employer's right to monitor the employee's activities because the employee has a reasonable expectation of privacy, then the employee will prevail.

Privacy Arguments

It is possible that employees could successfully argue that because the employer had not monitored e-mail in the past, there was an expectation the employer would never do so. Consequently, by inaction the employer granted a de facto expectation of e-mail privacy to the employee. If organizations reviewed employee conduct only under selective circumstances, offended employees could logically argue their cases did not fit those circumstances.

Privacy Acknowledgments

Most organizations have solutions at hand to avoid legal actions of this nature. Use written policies to deliver explicit notice to employees that they do not have any expectation of privacy. A wise business practice would deliver such notices as part of new or transferring employee orientation with signed acknowledgments from the employee. Employers should advise their employees that they do not have an expectation of privacy and accept their written acknowledgment to that effect at least annually. These documents should be archived for future retrieval.

Reasons to Monitor and Audit Employee Behavior

An organization demonstrates respect for its employees and concern for its future by explaining that only authorized persons will be allowed to review the staff's electronic activities. Educate employees that the purpose behind monitoring their activities is not spying; rather, it is managing the organization's risks. Review the risks facing the business and the benefits employees enjoy, mostly in the area of profit, if the company reduces its risks.

Employee activities may be subject to monitoring, including but not limited to telephone conversations, office areas, and common areas such as gyms or lunchrooms, hallways, equipment rooms, etc. Employees have levels of privacy in areas such as restroom stalls, private restrooms, and clothes changing areas.

Before drafting or implementing policies addressing employee privacy, consult with competent legal counsel specializing in employee privacy matters. There are many laws, regulations, and court cases affecting these matters. Do not depend on outdated information; seek the most current legal interpretations before adopting a privacy policy (Exhibit 8 and Exhibit 9).

Exhibit 8: Privacy Statement

start example

The XYZ Corporation provides office facilities, supplies, and equipment to each employee for business use only. XYZ Corporation may monitor and access any and all office facilities at any time without notice to users. No one has an expectation to privacy or confidentiality in their use of office facilities. Office facilities include but are not limited to desks, cabinets, computer workstations, networks, correspondence, e-mail, Internet usage, work rooms, lunchrooms, restrooms, gymnasium, hallways, telephone usage, voice mail usage, locker rooms, and parking areas.

end example

Exhibit 9: Electronic Privacy Statement

start example

All information created, accessed, downloaded, uploaded, and stored using XYZ Corporation applications and systems is the property of XYZ Corporation. Users do not have any right to privacy relative to any activity conducted using XYZ Corporation's computers, computer systems, software, or equipment. XYZ Corporation may review, read, access, audit, or monitor any and all activities on XYZ Corporation's system or on any other system accessed by use of XYZ Corporation.

end example

Employees Working at Home

Employees should understand that they do not relinquish their right to privacy in their personal dealings. They have an expectation of privacy, provided their activities do not have anything to do with the organization. It is the organization's responsibility to educate them so they understand that any time they access assets of the organization, it is possible these connections may be monitored and audited. Telecommuters must understand that policies that apply to the office also apply to them in the field. Do not frighten your telecommuters, but they should know that if they are accessing the company's computer equipment through their personal equipment, this equipment falls under the same rules as if it were in the company's space.

The risks are the same whether or not the employee is located outside the office. Consequently, it is wise to provide telecommuters with company-owned equipment and policies governing its use rather than expect telecommuters to use their own equipment. If employees are mixing their personal data with that of the company, it could prove to be very embarrassing and expensive in the event of a lawsuit.

Part-Time and Full-Time Employees

Organizations should not distinguish between full-time and part-time employees in mandating that business equipment may only be used for business purposes.

Experience Note 

Several years ago, a government official was asked to surrender his government-owned laptop computer. This equipment was designated for official use and was assigned to him for his use exclusively. An audit of the laptop discovered objectionable images on the hard drive. An official investigation followed. The official explained his son had made use of the computer on several occasions and the images were results of that use. Because the images and the son's use of the equipment were violations of policy, sanctions were sought.

Managers should remind their employees about official use of computers, supplies, and equipment. These items are not to be used for personal use under any circumstances, as the risks to the organization are too high. All employees should understand that computers used in official activities are subject to unannounced audits. Auditors will be reviewing the equipment and its use for policy compliance. Employees should understand that in the event of legal action, computer forensic experts will access hard drives and other storage media. It is likely that these experts will take steps to restore deleted or otherwise destroyed files. Whatever activity an employee might have engaged in would be open to review.

Experience Note 

If there are no violations of official use policies, there will be no objectionable materials found.

Harassment, Discrimination, and Defamation

The most efficient way to control risks is to set policies and control content. Establishing policies addressing the rules of conduct and language will emphasize the point that employees are expected to abide by policies in their official conduct.

Professional conduct means no racially oriented content, no sexually oriented content, no harassment, no menacing, no ethnic slurs, no religious slurs, no sexual preference slurs, no profanity, and no obscenities.

In most organizations, Human Resources management units have policies addressing matters of equal employment opportunity and the establishment of a work environment free of hostilities. Policies of this nature generally use language such as:

It is the policy of the XYZ Corporation to provide equality of opportunity for all employees or employment candidates regardless of race, color, religion, gender, national origin, age, physical or mental disabilities, or sexual orientation. It is the policy of the XYZ Corporation to promote full realization of equal opportunity through employment and to maintain a workplace free of discriminatory policies and practices.

Policies of this nature apply equally to recruiting, hiring, training, promotions, employee development, separations, and awards.

All employees must be allowed to work in an environment free from unsolicited and unwelcome verbal and physical sexual advances. Sexual harassment, in any form, undermines the integrity of the employment relationship. Policies of this character have the purpose of removing from the working environment all activities of a sexual nature which create an intimidating, hostile, or offensive work environment or impede the ability of a person to perform a job. Managers, supervisors, and executives are accountable for enforcing standards of office behavior and are expected to take immediate action addressing sexual harassment (Exhibit 10).

Exhibit 10: Language Use in Communications

start example

XYZ Corporation employees are prohibited from engaging in any activities that would be interpreted as racial or ethnic slurs, religious slurs, harassment, intimidation, stalking, threatening others, or engaging in any illegal or unethical activity including but not limited to pornography, menacing, terrorism, espionage, theft, and trafficking in illicit drugs or paraphernalia.

end example

Employee Copyright Concerns

Laws and regulations concerning copyrights extend to items such as text, images, music, video, audio, software, and presentations found everywhere on the Internet. All are protected under U.S. copyright laws. Just as employees are often in the dark about privacy, so are they usually ill informed about copyright infringement matters.

Experience Note 

While looking for images to jazz up his presentation, an employee downloaded several pieces of clipart from a presentation he saw on the Internet. He included artwork that was copyrighted, exposing his organization to allegations of infringement.

Another case is the department head who, because of some recent budgetary restrictions, installs a popular office suite on several workstations from a single licensed copy, also exposing the organization to infringement allegations.

Organizations can protect themselves from this type of unlawful behavior through employee education and compliance auditing. Companies are responsible for the wrongdoings of their employees. Should an employee violate copyright laws, organizations and their offending employees could be held criminally and civilly liable for these actions (Exhibit 11 and Exhibit 12).

Exhibit 11: Copyright Sample

start example

The XYZ Corporation does not allow the unauthorized use of copyrighted materials in any fashion. Materials, whether marked as copyrighted or not, should be considered copyrighted and may not be used unless explicit permission is obtained authorizing their use.

end example

Exhibit 12: Software Copyright Sample

start example

The XYZ Corporation does not allow the installation of software that has not been authorized by correct licensing. In this same spirit, XYZ Corporation does not allow copies of software found on its computer equipment to be made for personal use. Users may not import, duplicate, copy, store, or distribute copyrighted materials without authorization. Doing so may violate licensing agreements and/or copyright laws.

end example

Employees and Trade Secrets

The theft of proprietary information is likely one of the greatest threats to a nation's business competitiveness. Numerous subjects have been generally recognized as constituting trade secrets: computer programs, chemical formulae, plans, blueprints for products, manufacturing methods, certain databases, technical plans and data, and patent applications pending approval. There are several qualifiers for determining if information is a trade secret:

  • What measures have been taken to protect the information's secrecy?

  • Is the information generally known by other businesses?

  • What is the value of the information to the information's owner and its competitors?

In 1996, Congress passed a law, the Economic Espionage Act of 1996 (Title 18 United States Code Sections 1831-1839), imposing criminal liabilities on anyone who intentionally steals a trade secret. In the language of this act, trade secrets focus on information in the following forms:

all forms and types of financial, business, scientific, technical, economic, or engineering information, including plans, patterns, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing

(18 USC 1839)

E-mail makes it easy for persons with authorized or unauthorized access to company plans, market strategies, client lists, manufacturing processes, materials pricing, and other critical information to transmit it to people who have no business reading it. It only takes a moment for information to be transmitted to competitors by disgruntled employees looking for revenge or a few extra dollars.

This is a policy point to emphasize at the organization's next training session. Company secrets and proprietary information should not be shared with unauthorized readers for any reason. Fortify the position by installing equipment and software to monitor employees' activities, and advise employees that their activities are monitored (Exhibit 13 and Exhibit 14).

Exhibit 13: Proprietary and Sensitive Information Sample

start example

XYZ Corporation does not allow sending proprietary or sensitive or confidential information to any unauthorized party. The authorized transmission of such information requires proper approval and may only be done through approved means.

end example

Exhibit 14: Employee Responsibility Statement

start example

I, __________________, acknowledge that I have read a copy of the XYZ Corporation policies and procedures regarding computer and computer systems use. I acknowledge that I do not have any expectation of privacy using XYZ Corporation equipment, nor do I have any expectation of privacy on the XYZ Corporation premises. I understand that the XYZ Corporation may access, read, and monitor my activities while engaged in my assigned duties. I further understand my work area, workstation, files, correspondence, Internet activities, and work product may be audited for compliance with policies, procedures, regulations, and the law at any time and without announcement. I further understand I may be subject to disciplinary action for violating these policies and procedures. If I have committed violations of law, then my actions will be reported to the authorities. I have read these policies and procedures and I understand them.

Signed ______________________________________________________ Dated _____________

end example

Employee Labor Organization

E-mail or company-sponsored electronic bulletin boards provide easy and economical means for employees to organize themselves. Senior managers need to be aware of this fact and write their policies to address labor organization activities. Under current provisions of the National Labor Relations Act (NLRA), 29 USC 158 (a)(1), when employees use the property of the employer to self-organize, it must be weighed against the employer's property rights. It is an unfair labor practice for an employer "to interfere with, restrain, or coerce employees in the exercise of rights guaranteed" under Section 7.

Employers may not prohibit all labor-organizing activities by employees; however, employers may restrict the times and locations in which their equipment and facilities are used for organizing. Employees do not have a statutory right to use their employer's equipment for any reason, whether for personal or labor-organization purposes. Employers have the legal right to mandate that their equipment and premises are to be used solely for official and business purposes. However, when an employer permits employees to use company resources for nonwork-related activities, such as personal messaging or homework, then Section 7 of the NLRA has been interpreted to require the employer not to discriminate against labor-organizing uses (Roadway Express v. NLRB, 831 F.2d 1285, 1290; 1987).

Spamming, Spoofing, and the Organization

Many people feel that unsolicited e-mail, known as spam, is a demonic presence, and lawmakers have led crusades in an effort to eliminate it. There are legal liabilities assumed by those who engage in spamming practices.

Businesses sending spam may suffer the wrath of Internet citizens. Many spammers use spoofed (fake) e-mail addresses to avoid the flood of unhappy spam recipients.

Experience Note 

Recently, a large ISP filed a successful lawsuit against a company in the spam business, and compelled the company to stop sending spoofed e-mail return addresses. Currently, there are no federal laws requiring spammers to use their true e-mail addresses in correspondence, but this may change soon as Congress and several states are considering legislation.

In the California Business and Professional Code, section 17538, businesses offering goods or services for sale through the Internet or other electronic communication means must reveal their identity and address. Violations are punishable by up to six months confinement and/or fines of up to $1000.

Spammers frequently search for poorly configured SMTP servers that relay e-mail originating outside their organization's network. In other words, spammers can direct their e-mail traffic to a poorly configured SMTP server, and it will forward their spam to thousands of addresses. Does this mean that if a company had a poorly configured SMTP service, it could be held liable for allowing a spammer to use it to send spam? This is a matter for the courts to decide (Exhibit 15).

Exhibit 15: Sending Unsolicited E-Mail or Spam

start example

Users may not send unsolicited e-mail to persons with whom they have no prior relationship. Users may not send e-mail with "spoofed" information. Users must never alter the From line or any other attribute of origin in e-mail, newsgroups, bulletin boards, or any other means of communication. Users may not use any means to disguise or conceal their identities while performing their duties at the XYZ Corporation.

Administrators must configure all e-mail hardware and software to deny e-mail relays from outside the XYZ Corporation systems.

end example

Attorney-Client Communications Using E-Mail

Saving time and money, businesses are using e-mail to communicate with their attorneys. Communications of this sort might contain remarks regarding strategy in anticipated litigation, settlement offer amounts, details of negotiations, tax planning, employee information, and other highly sensitive information. For the most part, communications between attorneys and their clients are protected against review by third parties.

The crux of the attorney-client relationship is confidentiality. Confidentiality ensures that clients may speak freely with their attorneys revealing the complete facts of their cases without fear of having these facts revealed. Confidentiality between attorney and client is based on two doctrines:

  1. The fact that every attorney is under ethical obligation to maintain client communications as secret. Purposeful or accidental revelation of attorney-client communications would likely result in disbarment and a costly lawsuit.

  2. Attorney-client communications are shielded from being discovered in litigation, and prevent attorneys from having to provide testimony about those communications. In short, this privilege permits a client to refuse to reveal the communication and prevents others from discovering it from the client's attorney.

Many questions surface in addressing electronic communications between attorneys and clients: Is the privilege lost if the computer system suffers system errors and the communication is compromised? Are unencrypted messages sent over a public network, such as the Internet, considered confidential? Is it necessary for attorney-client communications to be encrypted? Many bar associations and courts have not yet thoroughly decided the matter. However, taking reasonable precautions to secure the confidentiality of the communication is at least a good starting place. If a communication is revealed by mistake and the client or his attorney is not negligent in revealing the message, the privilege will likely be upheld. But if a public network is used to transmit attorney-client communications, and if those communications could easily be misaddressed, is it unreasonable not to use encryption to protect the integrity and authentication of the messages? In other words, if the use of encryption is a reasonable precaution protecting the confidentiality of the privileged communication, is failing to use it an indication the client did not intend to keep the communication confidential? Only the courts and legislatures can answer these questions.

Communications between attorneys and clients are protected as confidential. Organizations should take reasonable precautions to assure that messages are correctly addressed and are not forwarded to unintended third parties. It is very important that attorney-client messages are clearly identified as confidential. Organizations may consider using a form of encryption in the exchange of attorney-client e-mail (Exhibit 16 and Exhibit 17).

Exhibit 16: Attorney-Client E-Mail Footer Sample

start example

All attorney-client communications in the XYZ Corporation will use the following footer appended to confidential e-mail: This e-mail and any attached files are confidential and represent attorney-client communications. These documents are intended solely for the use of the individual or entity to which they are addressed. This communication contains material protected by attorney-client privilege. If you are not the intended recipient or the person responsible for delivering this e-mail to the intended recipient, you have received this e-mail in error. Be advised that any use, dissemination, disclosure, forwarding, printing, storage, or copying of this e-mail, or its attachments, is strictly prohibited. If you received this e-mail in error, please contact (Attorney Name, Address, and Telephone Number) immediately. Any costs incurred in notifying this attorney's office will be reasonably reimbursed.

end example

Exhibit 17: Attorney-Client E-Mail

start example

Attorney-client e-mail within the XYZ Corporation, either in-house counsel or any attorney representing the XYZ Corporation, should include this notification at the beginning of the communication: "ATTORNEY-CLIENT PRIVILEGED COMMUNICATION. DO NOT READ, COPY, STORE, OR FORWARD WITHOUT PERMISSION."

end example

Passwords

Passwords are one of the methods by which access is authorized and authentication is performed. It is the same whether an employee is gaining physical access to an office space, file, or the company's computer network. Security is assured by allowing only authorized persons to access critical assets. Password usage is only one means to verify identity, and probably not the most secure means in itself.

Experience Note 

There is an old adage that identities are verified by the following means: something a person is, something a person knows, and something a person has. Using any two of these will raise the odds that only an authorized person is allowed access. Having all three items as requirements for access almost guarantees that the requestor is the correct person.

Something that the Person Is

Something about the person would include biometric techniques measuring a person's physical attributes such as a voiceprint, fingerprint, signature, or retinal pattern, then transmitting the collected information to a system that is authenticating the person requesting access.

Something a Person Knows

Passwords or pass-phrases are items qualifying as something a person knows. They are the most commonly used method of controlling access. Strong passwords are a combination of letters, numbers, and special characters, preferably at least eight characters long, and should be known only to the accessor. Pass-phrases are simple phrases from which key characters are extracted and entered as passwords. For example, from the phrase % The famous British Secret Agent was James Bond, 007 %, the password becomes %TfBSAwJB007%.

Something a Person Has

Several techniques can be used in the authentication method of something possessed by an individual. One technique is a magnetically encoded card such as a smart card or bank cash machine card. Smart cards are credit-card-shaped devices embedded with a programmable electronic device. According to current literature, smart cards are extremely difficult to counterfeit and virtually impossible to spoof.

When someone attempts to gain access to a bank cash machine, they insert a card with a magnetic strip containing account and identity information along with their personal identification number. This accomplishes two of the three security methods.

Another example is a device held by the requestor where a password provides access to the device initially. A one-time password is generated by the handheld device and manually entered into another access device by the holder. This password is valid for only one entry attempt. This is another method where two of the three methods are employed to verify the person's identity.

If the password access method alone is used, it is possible for a third party to steal or guess the password, compromising entry. Any activities of this person are going to be attributable to the password possessor. To prevent possible theft of passwords, employees should never write them down.

Experience Note 

In conducting an unannounced operational assessment, the auditor discovered that more than 80 percent of the workstations audited had valid passwords written on small pieces of paper and attached to the bottom of their keyboards or mouse pads.

Shoulder Surfing

Employees should be aware of "shoulder surfers" where someone, an employee or company visitor, is watching over their shoulder while the individual is entering their password for access.

Access software should be configured to require that passwords and other access devices be changed at least every 60 days. Regardless of the access, it is imperative that passwords and other configurable access methods are changed on a regular basis for workstations, computer networks, office space, server rooms, washrooms, etc. Additionally, all employees must understand the policy that under no circumstances, regardless of the requesting person's position, may they share their passwords or access devices.

Experience Note 

In an operational assessment, cold telephone calls were made from outside telephone numbers to company employees. Three of ten individuals disclosed their system access passwords to the callers, and one of the three offered the use of his smart card to the caller.

Security through Obscurity

An argument is frequently made for security-through-obscurity. Roughly, this means that persons who do not have a need to know are not given information about the organization's security measures. As an example, employees should not disclose the means by which office space access is gained, nor should they discuss the method by which workstation access is made. In this fashion, intruders are kept in the dark during their attempts to gain unauthorized access. The idea is that if intruders do not know, they have to attempt to gain access through multiple means. A frustrated intruder may go somewhere more attractive (Exhibit 18 and Exhibit 19).

Exhibit 18: Employee Responsibility for Entry Methods

start example

Employees of the XYZ Corporation are responsible for safeguarding their passwords and other access-gaining methods. These methods must never be disclosed to anyone unless specifically authorized by the Chief Security Officer. Under no circumstances are passwords to be disclosed for any reason to anyone. Employees are individually accountable for transactions made using their access methods. Users may not disguise their identities while gaining access to any XYZ Corporation property, file, information, or device. Users have individual responsibility to report the actual or suspected theft or compromising access methods to their supervisor or CSO immediately.

end example

Exhibit 19: Password Maintenance

start example

XYZ Corporation employees have the responsibility to select obscure passwords having at least eight characters selected from alphabetic, numeric, and special characters. At least two of the password's characters must be capitalized and at least two must be special characters such as #$%&*. These password standards apply to all entry devices, physical and network. Systems administrators and security officers must configure appropriate software to ensure passwords comply with these security standards and are changed at least every 60 calendar days. Administrators are responsible for configuring software to allow three attempts before the user is locked out for a period of at least 15 minutes.

end example

Employee Software Installation

Employees who open e-mail attachments or download files from the Internet may cause severe damage to an organization's computer system, allowing unauthorized intruders to gain entry and possibly cause catastrophic data loss.

Employees who introduce media from outside sources into the organization's workstations could seriously jeopardize the organization's security and possibly create a critical incident. Viruses, Trojan horses, and other destructive software cost businesses millions of dollars each year and have spawned a major industry of computer-protection software companies. These examples of malware (malicious software) come from downloaded software, media introduced by employees from outside sources, and opened e-mail attachments. Recent advertising pronouncements claim that more than 200 viruses are released on the Internet each month. Additionally, downloaded software may contain applications that allow unauthorized individuals to take control of company hosts and workstations and to access sensitive information such as credit card numbers.

Copyright Violation

Permitting employees to install personal software raises the question of whether that software is correctly licensed. If an employee installs a copy of personal software on his company laptop and has the same copy installed at home for his family's use, and there is only a single-copy license, the business may be in a position of legal liability.

Experience Note 

While conducting a workstation audit, the auditor discovered an installed copy of very expensive three-dimensional imaging software. The employee explained that her son had copied the software from his employer. She had used the software to create attractive images for her last presentation made to the company's senior managers. Interestingly, not one senior technical manager asked how the images were created for the presentation. This situation could cause serious legal problems for the employee, and could legally jeopardize her employer for allowing this to happen.

Introducing software or media from anything other than officially sanctioned sources allows the introduction of potentially harmful programs from questionable sources and can raise serious problems with software licensing. In short, allowing employees to install software greatly increases the organization's risks (Exhibit 20).

Exhibit 20: Employee-Installed Software and Storage Media Use

start example

Employees of the XYZ Corporation may install software from approved sources only, specifically the Workstation and Network Maintenance Unit. A list of approved software and sources is available from them. Downloading or installing software from any other source is strictly prohibited.

Employees are permitted to use storage media, floppies, zip disks, CD-R, CD-RW, DVD-R, and the like, purchased by the XYZ Corporation only. Before using any media, employees are requested to scan it with the latest antivirus application. No user is permitted to introduce media from any other source into any XYZ Corporation workstation, computer, or network.

end example

Use of Banners

Log-in banners and entry notices should be incorporated as part of any business's official use policies. Banners remind users that they are using a system intended for business purposes only, and that accessing the system constitutes their consent to monitoring. Entry notices announce to employees and others that their activities are subject to monitoring and that there is no expectation of privacy upon entering an organization's property. There are some doubts as to their effectiveness: users see banners and notices each time they log in or enter the workplace, and those accustomed to seeing them ignore them. It is also likely that an unauthorized intruder will enter the system or premises bypassing banners and notices altogether. Regardless, log-in banner and entry notice policies should specifically state that system use and company property are for official purposes only and that use of the system or entry to the company property means that the user consents to monitoring. Implementing such policies goes a long way to strengthen the organization's argument that a given user exceeded his or her authorization by accessing the workspace or using the system for unauthorized purposes (Exhibit 21 and Exhibit 22).

Exhibit 21: Entry Notice Banner

start example

All persons accessing XYZ Corporation systems or property consent to having their activities monitored while on the premises. There is no expectation of privacy while on property owned by the XYZ Corporation. All activities conducted here by visitors and employees must be official in nature.

end example

Exhibit 22: Log-In Banner Policy

start example

All users of XYZ Corporation computing equipment, communications, and networks are advised that their entry constitutes consent to the monitoring of their activities. This system is for official use only.

end example






Critical Incident Management
ISBN: 084930010X
EAN: 2147483647
Year: 2004
Pages: 144
