YOU ARE HERE: LAT HomeCollections

Watching workers: a delicate balance

Policies on monitoring staff haven't kept up with technology, raising the risk of missteps.

March 10, 2007|Molly Selvin and Abigail Goldman | Times Staff Writers

Most large companies rely on in-house technology departments to monitor office phones and e-mail. Employees generally accept the practice as necessary to protect business from rogue colleagues and outside threats.

But this week's revelation that Wal-Mart Stores Inc. fired an IT employee for snooping has some asking who watches the watchers.

The technology used to monitor communications is advancing faster than corporate policies governing its use, experts say, leaving workers vulnerable to invasions of privacy and putting employers at risk of legal liability.

"The IT staff now knows a lot about everyone -- they've become the keeper of secrets," said Lynn Lieber, founder of Workplace Answers Inc., a San Francisco company that conducts training in legal compliance issues.

For years, many employers have cautioned their employees against visiting e-commerce, gambling or pornographic websites from work.

And many companies monitor employee communications to safeguard proprietary information, ensure worker productivity and head off sexual harassment claims.

Wal-Mart, the nation's largest private employer, said the fired employee acted on his own in monitoring and recording telephone calls between the public relations staff and a New York Times reporter who had written about the company. Wal-Mart said the employee also intercepted electronic messages.

The employee, part of an internal security threat team, told the Wall Street Journal that he had felt pressured to discover who was leaking embarrassing information about the company. He could not be reached for comment.

Howard Schmidt, the White House's former cyber-security advisor and onetime chief security officer for Microsoft Corp., said a small group of IT security personnel can get carried away with their special privileges to monitor or look in on colleagues.

"It's the big unknown how widespread the abuse is," said Schmidt, who also serves on the board of ISC Squared, which certifies high-tech security personnel. "Many of us in the security business talk and worry about the inside threat."

Many companies use e-mail filters to block or flag references to company products and to words or websites with pornographic connotations. Newer software sorts the contents of e-mail and websites by "the level of threat severity," said Devin Redmond, the director of security products for Websense, a security software company in San Diego.

But people are still the heart of every company's security operation.

"A lock on an outdoor shed is going to keep an honest person honest," Schmidt said. "But if you have a person who is looking to do something bad or take some advantage of their privileges, they're going to figure out a way to beat your controls and minimize the likelihood that you're going to find out about it."

Most companies allow employees to send personal e-mail or make phone calls on company time so long as they get their work done.

But about half of employers have disciplined workers for e-mail abuse, according to a 2005 survey from the American Management Assn.

California's privacy laws, among the strictest in the nation, require employers to disclose that they are monitoring workers, said Richard Simmons, a Los Angeles employment lawyer who represents companies.

Many employees say they assume the company can read their correspondence or follow their trail on the Internet.

"I might e-mail a friend saying, 'Hey, let's meet up for lunch,' not, 'Hey, I'm planning on quitting tomorrow,' " Raina Yoo, a 24-year-old accountant, said during a lunch break in downtown Los Angeles.

Receptionist Susan Lane, 31, says she's careful about Web surfing. "I wouldn't shop at Victoria's Secret online at work," she said with smile.

Sometimes IT staffers can't help but see personal information.

Rocket Science Consulting of San Francisco installs and maintains computer systems for small businesses. New corporate clients often warn owner Matt McGraw to not read company e-mails, McGraw said.

"Our response is, if you're the administrator of their e-mail, by definition you have access to everything," he said

A former Wal-Mart IT security employee, Perry Carpenter, wrote on his blog that this week's incident was probably a case of "human nature run amok."

He said monitoring communications was as close to malicious computer hacking as a legitimate technician gets.

"There's a natural instinct as you're doing that to poke and prod," Carpenter said in an interview. "You've got to make sure there's the right kind of oversight in place."

Companies generally instruct their IT administrators to turn over troublesome communications to company lawyers or human resources managers. A complaint about a worker lodged by a customer or another employee can also trigger a review of e-mails or phone records.

Los Angeles Times Articles