Corporate Cybersecurity: Protecting your Company without Infringing Privacy


By: Varduhi Danielyan

Companies employ various cybersecurity measures to protect their sensitive information and classified data, and to mitigate the risk of information theft. Many cybersecurity measures may intrude on employees’ privacy and are regularly challenged by attorneys as illegal. For such measures to be considered legal, the reasonableness of the cybersecurity measure must be balanced against employees’ right to privacy.

Email and Data Monitoring as Forms of Cybersecurity

Employer monitoring of employees’ work emails is commonly regarded as an acceptable and reasonable cybersecurity measure, even if an employee sent a personal email using their work email account. Likewise, employers can place restrictions on when and how employees can download data from their work computers to other devices.

By contrast, employers cannot monitor employees’ personal emails, even if employees are accessing them on the company’s hardware. Such a cybersecurity measure has been assessed to be an unreasonable interference with employees’ privacy rights (Underhill v. Kornblum, 2017 U.S. Dist. LEXIS 170357). The one exception is if employees have authorized their company to access such information.

Developing a Cybersecurity Policy

To avoid lawsuits by current or former employees claiming privacy infringement, companies should have clear bylaws and handbooks in place. It is a basic cybersecurity measure to let employees know what information is considered sensitive and which actions may be alleged to be a breach of confidentiality, fraud, or data theft. Employers should also notify employees of the cybersecurity measures the company undertakes and how far those actions go.

If employees are required to download specific applications onto their personal phones, employers must make it clear that they may track the employee’s usage of the application. Employers must also establish that employees may be required to present their personal device to show that no confidential information has been transferred from the application to their personal device. These cybersecurity measures are increasingly important as a growing number of employees opt to work from home and may use personal laptops and phones.

It is also highly effective to get employee consent to monitoring before a problem arises, because the consent limits employees’ expectation of privacy. It is important to remember that consent is required if a company opts to record calls; otherwise the recording will be illegal. For video surveillance, consent is not required, but employers must notify employees about areas under surveillance. Employers are legally prohibited from placing cameras in locations with a higher expectation of privacy, like restrooms, locker rooms, or changing rooms.

Conclusion

Cybersecurity policies are necessary to protect sensitive company information. Companies should develop proper policies with a trusted attorney to protect themselves against data threats and also guard against legal trouble. Contact our Chugh, LLP team today for a free consultation on cybersecurity.