Protect data when it goes mobile

One of businesses’ biggest security concerns: keeping sensitive data safe when employees take it outside of the office. Here are some ways to minimize the risk:

  1. Don’t assume users know the rules — It may be obvious to IT that sensitive information shouldn’t be sent via e-mail outside the company network, but without an explicit policy, many users won’t know that.
  2. Use encryption — Instead of giving users a reason to use their personal USB drives to transport data, provide them with encrypted drives. Also make sure laptops, smartphones and other devices folks use for work are encrypted.
  3. Block the use of mobile drives — If users work with data that’s especially sensitive, you may want to configure their computers to restrict the connection of removable storage.
  4. Watch out for WiFi connections — Train users to avoid unsecured public wireless networks.
  5. Control access to data — A key step in protecting sensitive data, mobile or not: Make sure only users who need the information have access to it.

Do employees have a right to privacy when using personal e-mail accounts, even when they send the messages at work? A recent court decision provides some answers.

In this case, an employee sued the company for discrimination. After the suit was filed, the company looked through her work laptop to save all of her files.

The files included e-mails she sent via a personal, password-protected account. Copies of the messages had been automatically saved to her browser’s cache.

Some of the e-mails were conversations between the employee and her attorney, which contained evidence the company felt would help its case.

After the employer presented the messages in court, the employee claimed her rights to privacy and attorney-client privilege had been violated.

The company argued the employee had no such rights — its computer use policy stated that anything done on workplace computers could be monitored.

But the court disagreed. The judge ruled the employee had a “reasonable expectation of privacy,” because the policy didn’t mention that e-mails sent using a personal account would be saved to her hard drive.

It didn’t matter that she sent the e-mails at work — she was using a password-protected account, and therefore assumed the company wouldn’t be able to read them.

Add to that the fact that the e-mails were between the employee and her lawyer, and the court ruled the company was at fault when it read the messages and tried to submit them as evidence.

What can companies monitor?

In most cases, whether monitoring is legal or not comes down to one question: Who owns the e-mail?

In other words, are the messages stored on the company’s network or by a third party (as is the case with personal accounts, like Yahoo and Gmail)?

While employers are normally within their rights to monitor employees’ work e-mail, courts will usually draw the line when the data’s stored by a third party.

Also, keep in mind:

  • Have a clear-cut computer use policy — Employees can also win in court when they show they have a “reasonable expectation” of privacy. So inform all employees that their Web use at work will be monitored — and think twice before conducting any monitoring that isn’t clearly mentioned in the policy.
  • Train managers — Some supervisors will go to great lengths when they suspect an employee of wrongdoing. But they should be warned that an investigation could become an invasion of privacy.

Cite: Stengart v. Loving Care Agency