US: Cyber Risk: Facing Off Against Employee Monitoring Requirements

Authors: Carol A.F. Umhoefer and Alaa Salaheldin

Global companies face increasing pressure to adopt strong cyber risk mitigation measures in a business environment where cyber threats evolve rapidly. According to the security company PurpleSec LLC, cybercrime is reported to have increased by as much as 600% in 2020 alone, driven by the new incentives and opportunities the COVID-19 pandemic created for attackers – not least the sudden expansion of remote work. Ransomware and phishing attacks in particular have become increasingly common.

Where a cyberattack materializes into a loss of personal information, theft of intellectual property, or a business disruption, a company may be subject to significant legal, business, and reputational costs. For example, in 2020, the average cost of a single ransomware attack was reported to exceed $130,000, the average ransom payment made by large companies was $780,000, and the average business downtime caused by a successful ransomware attack increased by 200% (see PurpleSec: 2020 Ransomware Statistics, Data, & Trends).

But one of the measures designed to prevent, detect and manage cyberattacks – network monitoring – can involve continuous surveillance and processing of employee personal information, setting IT security and data privacy rights on a collision course. Consequently, when approaching cyber risk mitigation, it is important that companies consider data privacy and employee network monitoring laws in all jurisdictions in which they operate. Multi-nationals that wish to take a uniform global approach to cyber risk mitigation must decipher and implement sometimes inconsistent data privacy and employee monitoring requirements.

Network monitoring is crucial to a strong cyber risk mitigation posture

An increasing number of jurisdictions have adopted data security laws that require companies to implement “reasonable” or “appropriate” technical, administrative, and organizational measures to protect against cyberattacks. The GDPR stipulates that both controllers and processors must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, without specifying that monitoring must be among those measures. Nonetheless, numerous supervisory authorities promote and expect monitoring (see Security requirements | ICO) as well as logging (see for example Sécurité : Tracer les accès et gérer les incidents | CNIL). Similarly, the Massachusetts state data security law requires companies that own or license electronically stored or transmitted personal information about Massachusetts residents to implement various protective measures, including reasonable monitoring of systems for unauthorized use of, or access to, personal information.

Even where no law imposes data security requirements, network monitoring remains central to cyber risk mitigation. Companies should proactively monitor their network environments to detect actual and attempted cyberattacks, and to verify that existing protective measures are working as intended. Continuous network monitoring helps a company detect unauthorized users, devices, and software on its systems more quickly, raises a red flag when there is unauthorized activity on its network, and allows it to begin remediation before an attempted cyberattack turns into a costly data security breach or a business disruption.

Multi-nationals must consider inconsistent requirements in efforts to implement a uniform global approach to network monitoring

Many jurisdictions have adopted legal requirements – particularly data protection laws, but also telecommunication and employment or labor laws – that indirectly regulate network monitoring, since monitoring typically requires the collection and tracking of IP addresses, device IDs and other data that can be linked to a particular employee’s communication devices. The differences among these laws complicate company efforts to adopt a uniform global approach to cyber risk mitigation. Companies must therefore reconcile the varying laws of every jurisdiction in which they operate in order to implement a uniform approach to network monitoring while complying with data protection and other laws.

For example, in Europe, network monitoring will generally not require employee consent (Austria being a notable exception), but it will trigger other requirements. In numerous Asian jurisdictions (for example, China), monitoring will always require consent. In some LatAm jurisdictions, network monitoring will require only notice to employees, but in others consent will be required.

The general approach in the EEA and the UK requires employers to demonstrate that the monitoring activities they carry out are strictly proportionate and necessary to meet the employer’s stated, legitimate objective. For example, companies may generally block access to websites hosting malware, deploy anti-malware scanning, and detect identity theft. But in Italy, continuous monitoring of employee work activities is generally prohibited unless it is strictly necessary for the performance of the work itself. And in some jurisdictions (for example, Slovakia) an employer may be prohibited from monitoring employees’ private emails, including those transmitted through company email systems, which requires either a work-around in the monitoring operations or explicit policies under which employees flag private emails.

Another aspect of monitoring in the EEA and UK, particularly where it involves geolocation of users, is that it may require the employer to conduct a data protection impact assessment before monitoring begins. In some jurisdictions (for example, Luxembourg), employers must take a two-step approach: they may initially implement only generalized monitoring that does not identify specific employees, and only if that generalized monitoring reveals irregularities on the network may the employer identify the employee concerned and conduct more targeted monitoring.

In jurisdictions that rely on consent as the basis for lawful processing of personal information, network monitoring that involves the collection, use, or provision of personal information will require employee consent, and that consent must meet the requirements of the relevant data protection law. In Japan, network monitoring is generally permitted without employee consent, but only on company-owned systems; consent is required to monitor employee-owned BYOD devices. In South Korea, a company that engages in continuous “real-time” monitoring must obtain a separate consent, as required under the Protection of Communication Secrets Act. In some other Asian jurisdictions, network monitoring will require employee consent unless an exception or another legal basis for processing applies (for example, monitoring conducted to prevent fraud does not require consent in Thailand).

In some LatAm jurisdictions, monitoring of BYOD devices may be permitted without consent if the information subject to monitoring is stored in a cloud-based employer application installed on the employee-owned device. In Colombia, consent is required but is not sufficient on its own: in addition to obtaining consent, employers must eliminate any employee expectation of privacy and must refrain from monitoring that is unrelated to work activities.

In addition to data protection obligations, employee monitoring may require consultation of a works council or union and compliance with co-determination rights (for example, in Germany). Employer retention of network monitoring data may also be limited by jurisdiction-specific retention periods (as in Hong Kong) or by regulatory recommendations (as in France).

The takeaway

Perhaps the most critical takeaway on network monitoring is the necessity of planning ahead. Too often, companies implement new or enhanced monitoring tools only in the aftermath of a harmful breach of their systems that has led to significant financial or reputational loss, as well as the prospect of litigation and enforcement. The urgency of standing up improved defenses against cyberattacks may then come at the cost of thoughtful consideration and implementation of the varied obligations imposed by data protection and other laws.