When this blogpost appears, the Presidential campaign will be history, but the sensational email hacks involving public figures like John Podesta and Colin Powell will live on to be dissected again and again. For the umpteenth time, we've learned that insecure electronic messaging can cause damage. In some circles, there's heightened anxiety about hacking and disclosure of private messages. Those who feel themselves at risk are exploring how to keep their communications private. A raft of privacy advisors, privacy advocates, and new technologies are ready to help them.
What does this focus on privacy mean for companies obligated to track and monitor employee messages? In highly regulated industries, such as financial services, companies have a duty to review and manage business-related communications, to promote legal compliance. Individual attempts to shield, hide, or destroy messages—or remove them from supervisory oversight—can create enterprise liability.
Here’s the paradox facing financial companies: Despite rising regulatory expectations for monitoring employee communications and the availability of improved monitoring tools, individuals are increasingly uncomfortable with corporate electronic oversight. Some are resisting what they perceive as over-reaching corporate surveillance. The Information Technology and Innovation Foundation (ITIF) uses the term "privacy panic cycle" to describe negative public reaction to technologies thought to be inconsistent with personal privacy. Widely reported email hacks could lead to a new round in this panic cycle, with employer-employee skirmishes on the communications monitoring front. These skirmishes will likely be short-lived; ITIF notes that privacy panic cycles usually subside when people understand that the benefits of innovative technologies outweigh their privacy drawbacks.
Financial enterprises must continue to monitor, archive, protect, analyze, and produce employee messages for regulatory compliance purposes and litigation. This task becomes more complicated if workers try to evade observation.
For instance, employees may turn to text messaging on their personal phones to avoid the watchful eye of employers, or use specific communications apps to shield their messages from view.
Some of these apps are based on encryption, but others are being developed specifically to provide off-the-record messaging for social platforms such as Facebook Chat or Yahoo Messenger.
Employees web-browsing in incognito mode can also shield their browsing data and file transfer activity.
Those who don’t want their employers to see content or retention of cell phone activity records can either install apps to hide mobile browsing data, or use burner prepaid phones without providing ID information to the carrier, preventing meaningful tracking of cell phone coordinates. And some employees, mindful of web and message monitoring, are going off the social media grid, or using social apps less often. Information on how to use privacy-enhancing options is readily available on the web. In fact, an entire industry has emerged to disseminate information about these options.
Financial companies might do well to approach this issue head-on, incorporating into social media policies their express expectations that employees will not try to hide, delete or obscure their social messaging activity when it is relevant to business. While “expectations” are more ambiguous than “lines in the sand,” diligent employees will understand such policy statements to mean that obscuring communications is unacceptable to their employers. An approach with more teeth might require employees to periodically certify – with risk of discipline -- that they have not hidden messages or avoided social media monitoring of their business-related communications.
The news-making email hacks raised awareness—and resistance—to corporate communications monitoring and preservation of individuals' online and social activity. But financial companies have no choice about whether to monitor and preserve these records. They have a legal responsibility to keep relevant business records, regardless of the privacy panic cycle or individual attempts to avoid detection. With employees becoming increasingly anxious about being surveilled online, companies must dig deeper, and work harder and smarter to find and preserve all relevant records.
- What Mortgage Companies Can Learn from Airlines in Social Media Crisis Responses - May 12, 2017
- Your Business Records are in Pockets and Purses - April 12, 2017
- 12 Free or Low-Cost Social Media Compliance Resources for Mortgage Lenders - December 23, 2016