Explore the legal parameters of implementing an insider threat program, including the application of employee monitoring tools. Learn how to protect your corporate assets while respecting the privacy of your employees.
Employee monitoring rules – who, what, when, where, how and why
Employee privacy rights
Lawful employee screening procedures
Employee investigation rules
About the Presenter
Shawn Thompson, J.D.
Over 15 years’ experience investigating, prosecuting, and managing insider threats.
Senior Litigation Attorney, Department of Defense
Insider Threat Program Manager, Department of Defense
Assistant General Counsel, Federal Bureau of Investigation
Board Member, National Insider Threat Special Interest Group
Special Assistant United States Attorney, United States Department of Justice
Vice President, Enterprise Security Risk Management, InfoTeK Corporation
Insider Threat Law: Balancing Privacy and Protection
1. INSIDER THREAT MANAGEMENT GROUP
SHAWN M. THOMPSON, ESQ.
Founder and President, ITMG
Insider Threat Law: Balancing Privacy and Protection
www.itmg.co
shawn@itmg.co
410-874-3712
2. The story of me . . .
Founder and President, Insider Threat Management Group
Board Member, National Insider Threat Special Interest Group
Insider Threat Program Manager, Department of Defense
Senior Legal Advisor, National Insider Threat Task Force
Senior Special Agent, Department of Defense
Senior Litigation Attorney, Department of Defense
Assistant General Counsel, Federal Bureau of Investigation
Special Assistant United States Attorney, United States Department of Justice
7. Privacy
Historical context
What is “privacy?”
Does it exist in the employment context?
Collection v. Use
Key Takeaway – Employees have limited privacy rights at the workplace and on employer devices and vehicles outside the workplace
8. Collection v. Use
Collection
• Less restrictions
• More responsibility
Use
• More restrictions
• Greater responsibility
Key Takeaway – Businesses can collect more than they can use
10. Prevention
• Pre-employment screening
• Agreements
• Policies and training
• Continuous Evaluation
Key Takeaway – Obtaining employee consent and developing monitoring policies are best practices
11. Detection – HOW?
How can employees be monitored?
• Video
• Audio
• GPS
• Computer activity
• External data sources
12. Detection – WHO?
Who can be monitored?
• Everyone?
• Sub-groups?
• Third-parties?
Key Takeaway – Different levels of monitoring require documented justification
13. Detection – WHAT?
What can be monitored?
• Communications
• Movements
• Devices
Key Takeaway – Important distinctions between collection and use
14. Detection – WHEN/WHERE?
When and Where can employees be monitored?
• On-site
• Off-site
• “Personal” time v. “business” time
Key Takeaway – Monitor for “legitimate business needs” only
15. Detection – WHY?
Why can (or must) employees be monitored?
• Requirements?
• Government v. commercial
Government minimum standards
Regulatory findings
• Prevent liability exposure
“We considered several factors [for closing the investigation], including the fact that Morgan Stanley had established and implemented comprehensive policies designed to protect against insider theft of personal information.”
– August 2015 letter from the FTC to Morgan Stanley
Key Takeaway – User activity monitoring is essential
17. Insider Threat Compliance Program
(aka “Watch the Watchers”)
Important?
Business case
Elements and Components
Best practices
18. Key Takeaways
MONITORING is necessary
BALANCE = value
Collection “rights” are NOT king
POLICIES are vital
Maintain REASONABLENESS
Seek LEGAL counsel
19. QUESTIONS?
SHAWN M. THOMPSON, ESQ.
Founder and President
Insider Threat Management Group
itmg.co
410-858-0006