News Archive
2008 Articles
2007 Articles
2006 Articles
2005 Articles
2004 Articles
2003 Articles
2002 Articles
2001 Articles
2000 Articles
1999 Articles
Past Articles
|
|
Insight
Magazine
October
15, 2001
WATCHERS:
Think
nobody’s looking? Think again.
In many offices at many companies
around the world, Marcia and Greg might as well pack their bags
before the delete buttons on their computers get cold. And they’d
better forget about those clients, too. Because, in the world of
today’s technology, says Steven Helland, a member of the eBusiness
and Employment Law Groups for Fredrikson & Byron in Minneapolis,
"Email is forever. Delete does not equal delete."
Keeping an eye on employees has gone
far beyond occasional strolls past the water cooler. First, the
water cooler is gone: It’s been replaced by email, which can fly
back and forth between office cubicles like so many bullets at a
firing range. What’s being said in those emails? Most are
legitimate business communications, experts say. But more and more,
they add, there are personal messages, racist jokes, confidential
client information and company secrets changing hands.
What are those employees working on so
feverishly in their cubicles? Are they pounding out a report, or
tooling around the Internet, playing the latest version of Elf
Bowling?
While hidden computer cameras and
monitored telephone calls can provide a narrow window into employee
activity in a typical office, a host of software programs and
technological advances can give employers a wide glimpse of just
what employees are writing and doing on their computers.
But how much can employers monitor? How
much do they want to monitor? And what does this do to the work
environment and employee morale? All are questions employers should
be asking, particularly CPAs and other financial professionals with
a plethora of confidential financial information on their hard
drives and a host of potential legal pitfalls.
Employee monitoring seems to be a
growing trend in the workplace. A recent survey conducted by the
American Management Association found that 67 percent of about 1,000
major companies conducted some form of electronic monitoring and
surveillance in 1999, up from 63 percent in 1997.
But the more telling numbers may lie in
the type of monitoring. The number of firms checking email messages
jumped from 15 to 27 percent from 1997 to 1999, while reviews of
employee computer files rose from 14 to 21 percent. Video and
telephone surveillance grew at much slower rates. The survey also
found that 51 percent of professional service firms—such as
accounting practices—use some form of monitoring, which is second
to industries such as banking and insurance.
And the trend is growing, says Michael
G. Kessler, president and CEO of Kessler International, a forensic
accounting and investigative consulting firm with headquarters in
New York. “We’re finding more CPA and professional service firms
monitoring their employees,“ he says. “Businesspeople are
becoming more aware of the technology,“ which, says Kessler, is
readily available, easy and affordable to use. “You can know every
keystroke an employee makes,“ he comments.
Not only can keystrokes be counted, but
emails and files that are supposedly deleted also can be easily
traced and read, says Sandi Smith, a CPA and technology strategist
in Dallas, Texas. “Any employee who thinks their emails are going
to be private is foolish,“ she states. Employers also can plug
suspicious “hot-button“ words into a software program so that a
blind copy of the email is sent to human resources, says attorney
Helland.
But why monitor? In a world of high
finance, global competition and rapidly changing technology,
corporate privacy and secrecy are becoming more guarded than ever,
Smith and Kessler say. While many firms fret over hackers getting
into their systems, “employee theft and fraud is the bigger
risk,“ Smith admits. In the case of CPA and financial services
firms, employees have “a person’s private financial information
right in front of them,“ she adds.
Employers also need to be wary of what
their employees are writing and watching under the auspices of the
company. There have been cases successfully brought against
companies whose employees used racial slurs in emails, says Kessler.
Employers must be particularly wary of
those multiple-forwarded emails filled with lists of gender-and
sex-oriented jokes, such as “25 Reasons Beer is Better than
Women.“ That email, among others, was cited by four women in a
sexual harassment lawsuit filed against Chevron Corp. They claimed
that the emails showed that the company promoted and tolerated a
work environment that harassed women. Chevron later paid $2.2
million to settle the case, although they denied any wrongdoing.
Kessler says similar sexual harassment arguments can be made against
companies that don’t do anything about employees who openly log on
to pornographic Websites.
And then there’s the issue of what
the employee does on company time. Helland recalls an incident where
a client was puzzled by a virtual shutdown of the company’s
computer system. A technician was summoned, and a review of computer
records showed that the problem occurred on the same day as the
premier of the Star Wars: Episode I movie. Dozens of employees, it
seems, downloaded a graphics-intensive Internet preview that clogged
the system.
“The employees are stealing from the
employers,“ says Kessler, who has conducted hundreds of probes of
employee Internet usage. “It’s amazing the amount of pornography
sites and game sites employees logged onto. There were so many, it
would make your head spin. And it was all saved for review.“
Predictably, what employees do on the
job and how employers watch them in the Electronic Age is a source
of debate, particularly in the area of privacy. “It’s a highly
misunderstood area of employment law. Employees feel they have
certain privacy rights,“ says William S. Hubbartt, a human
resources management consultant in St. Charles, Ill., and author of
The New Battle Over Workplace Privacy (AMACOM, 1998). “Employees
do not have the degree of privacy rights that they think they do.“
In many cases, state and federal courts
have held that company-owned computers are the company’s property,
and that makes email reading and Internet monitoring fair game for
company actions against an employee, says Hubbartt. But the question
of whether an employer should tell an employee that he or she is
being monitored—and whether that constitutes an invasion of
privacy—could be debatable in the courts, depending on the state
laws in place.
The key for employer protection,
Hubbartt and others agree, is a clearly defined policy that spells
out the company’s attitude toward email and Internet monitoring up
front. “My advice to clients is to define and communicate a policy
that defines a business purpose and reason for what they’re
doing,“ Hubbartt says. “If it’s not defined, if the employer
allows an expectation of privacy and then violates it, then there
could be a problem.“
What that policy states is key not only
to a company’s legal defense, but also its philosophy as a
company. “Do we want to be strict, or do we want to be
flexible?“ is a question employers should ask themselves, Hubbartt
explains.
A strict policy that prohibits all
forms of personal email or occasional “non-work related“
Internet browsing could turn off employees, sending a message that
they’re not to be trusted or that the work environment is rigid,
says Helland. But ignoring the possibilities is a danger as well.
“My clients really don’t want to
deal with this problem,“ he says. “But they’ve seen enough
cases in the headlines to know what the results can be.“ Kessler
adds that he encounters many employers, particularly in older firms,
who deny any potential pitfalls. “When we have the problem, then
we’ll solve the problem,“ he says.
An inevitable issue, he adds, is the
value of sifting through all emails and Internet usage data each and
every day. “Do you spend $50 thousand to save $5 thousand? I
don’t think so.“
While some employers might be
reluctant, the obvious trend is toward more monitoring in the
workplace. “I think we’ll see more companies using evolving
technology and software to monitor employee behavior and to enforce
the policies that are on paper,“ says Helland. And with that
trend, there is likely to a plethora of legal questions regarding
privacy, he adds, with courts and the government playing an
increasingly active role. In California alone, there are dozens of
proposed bills regarding computer privacy, workplace privacy and
Internet controls, says Helland. “If we’re not able to control
it in the workplace,“ cautions Hubbartt, “then the government
steps in and tries to control it.“
Helping clients audit their email and
computer usage is an increasingly lucrative field for accounting
firms, says the American Institute of Certified Professional
Accountants (AICPA).
“It’s a really viable service that
CPAs can offer,“ says Erin Mackler, technical manager of Assurance
Services for the AICPA. “External auditors are well positioned to
do this for their clients.“
Please note: The AICPA, in conjunction
with the Canada Institute of Chartered Accountants, has developed
SysTrust, a service for accountants that sets out procedures for
evaluating a company’s computer, email and Internet systems
controls. SysTrust looks specifically at a system’s availability,
security, integrity and maintainability. Potential users of SysTrust,
says the AICPA, are shareholders, creditors, bankers, business
partners, third-party users who outsource functions, stakeholders,
etc. The newest version of SysTrust (2.0) was released earlier this
year. For Information, visit ww.aicpa.org/assurance/index.htm.
Author - Robert J. Derocher
|
|
