Forwarded from: Mark Bernard <Mark.Bernard@private> Dear Associates, Employees do have a right to privacy and organizational policies cannot overly favour the company without providing a balance for employees. For example. While working with an international organization conducting policy compliance and penetration testing I measured compliance with a policy that granted employees the right to privacy. This policy stated that the top desk drawer of the employees cubical/office was designated as private and would never be searched (without a warrant). Additional assurances where given, included that monitoring would not be conducted in sensitive areas such as washrooms and changing rooms. Based on my extensive research of our Canadian Federal Privacy Commissionaire's investigation archives, many businesses have been brought into focus for the over use and misuse of digital surveillance equipment. For instance, in most cases involving the transportation industry investigations have resulted in the removal of surveillance camera(s). Most employee cases where based on the fact that the business was monitoring employee productivity and that surveillance camera had not helped to prevent theft, as the business had eluded to. All the best, Mark. ======= beginning of excerpt ========= http://www.csoonline.com/read/090105/hiddencamera_3824.html The Hidden Camera ...and other surveillance missteps can sour employees, threaten your success or get you sued. These six dos and don'ts will keep you in focus. By Todd Datz Drip.Drip.Drip. That's what caught the new employee's attention-water dripping from the ceiling of her office. Why was water leaking from the ceiling, she wondered? Taking a closer look, she didn't find the source of the leak. Much to her surprise, what she did find was a hidden camera. The company shouldn't have been too surprised when she filed a complaint. That juicy (in a Court TV kind of way) incident took place a couple of years ago, recounts an attorney whose firm defended the company after the woman filed a wrongful termination lawsuit (the complaint was raised as part of the suit; the attorney asked to remain anonymous). Why was a camera secreted in the ceiling? Turns out that the company, with the blessing of the HR director, had installed a camera in that particular office to deter a worker suspected of stealing. It was a nonworking (fake) camera and, originally, plainly visible. After that employee resigned, the company remodeled the office, covering (but not removing) the camera. Ultimately, the company argued that it was a nonworking camera; the suit was dismissed on other grounds. "If the camera had been working, it might have been a different outcome," says the attorney. CSOs have a lot of leeway when it comes to monitoring employees. After all, companies own the computers, telephones and electronic equipment their workers use, and have the well-established right to monitor their usage. The same is true for video surveillance-the legal system gives organizations the right to place cameras in every nook and cranny of their workplaces, with the exception of areas where employees have a reasonable expectation of privacy (bathrooms and locker rooms, for example). But many companies don't actually have a written policy in the employee handbook stating that the company has the right to freely monitor the workplace. In research conducted for this special report, 44 percent of respondents copped to having no official video surveillance policy (see additional results from the "CSO Surveillance and Monitoring Survey" on Page 28). And if companies aren't spelling out their surveillance posture now, then the picture promises more static than clarity in the near future. Digital, IP-based video systems are beginning to make a dent in the old-line hegemony of CCTV systems, and cameras are getting ever smaller, cheaper and more powerful. Inattentive CSOs are sitting on ever more threatening legal landmines. On the bright side, a little forethought can largely defuse those dangers. "It's not rocket science," says Miles Bielec, director of security operations at software giant SAS. "Security, in my view, is rooted solely in common sense." Below are six tips-some dos and don'ts that are indeed mostly common sense-that can help you navigate the current world of video surveillance and prepare for its rapid evolution, while avoiding any of the boneheaded moves that can undo in a heartbeat all the goodwill you've spent years building up. DO create a corporate surveillance policy. This is the numero uno, smartest step toward intelligent workplace surveillance, so it's a little surprising that so many organizations fail to do it. A video surveillance policy might state where cameras can be placed, as well as the fact that employees have no right to privacy in the general working areas of a facility. It should also make clear the disciplinary consequences that can result from unprofessional employee actions caught on video. "It should be short and sweet," says Jennifer Shaw, an employment lawyer and partner at Jackson Lewis in Sacramento, Calif. "A lot of employers go crazy being super-detailed when they don't need to be." Shaw advises her clients to write the policy into the employee handbook and to make sure employees have signed off on the handbook, acknowledging that they have read and understood it. One of the nice things a policy brings to the table is it shows that a company has a regular, standard practice around surveillance. That's something Connie Sadler, director of IT security at Brown University, thinks may be lacking at universities. She's heard of cases where supervisors have independently installed video cameras in buildings in response to thefts, some in not so obvious places. Installing cameras "willy-nilly," as she puts it, makes her uneasy. "The thing that concerns me is not really even whether they're used or how, but more what's our obligation to the community and employees in terms of what we tell them," she says. For example, should those supervisors have to ask permission to put up cameras? She also points out other gray areas: What if a student steals a laptop in a workspace such as one of the school libraries, and is caught on tape? "The student could say, 'I wasn't notified, there wasn't a policy,'" conjectures Sadler. Sadler would love to see consistent policies at universities. "I think people are looking for guidance. For so many things that are regulated, we look to industry standards, reasonable application. For video surveillance, I really don't see any reasonable standard." But the lack of consistent policies is not confined to the halls of academia. When asked to take a crack at estimating what percentage of companies have policies, Shaw figures only half-an estimate that roughly matches CSO's research. "More people are calling me wanting information about it. Some of the calls have been from employers who've been burned because they didn't have a policy in place," Shaw says. DON'T take a once-and-done approach to communication. When you've written a policy, don't be shy. Go ahead and shout it from the rooftops. Putting the policy in the handbook is a start, but only a start. (Here's an unshocking revelation: Not all employees read their handbooks.) Sure, you can take heart from the fact that the company is protected if an employee decides to sue for invasion of privacy, assuming that the cameras weren't filming anything off-limits. But why not remind employees of the policy periodically, so you can avoid any misunderstandings or ill will if employees for one reason or another feel like they're being watched inappropriately? Why wait for a potentially embarrassing and expensive lawsuit? Shaw believes that just communicating the fact that a company has a policy can act as a deterrent to potential wrongdoers. She cites three to four major retail clients with large distribution centers: "Once they announced their policies, theft went down because people knew [their companies] were watching." DO take the time to tell employees why you use cameras. This point goes beyond reminding workers that you have a policy, because a little bit of sensitivity can go a long way toward preventing employee resentment. Explaining the reason for the cameras has proven to be a critical step for Bielec at SAS. In 1993, the company built what's known as Building R on its Cary, N.C., campus. A security control center was located in the subbasement to monitor the new CCTV cameras that were being installed around the campus in lobbies, building entry points and the campus day care. (Before 1993, Bielec says, SAS's use of CCTV was minor.) Bielec was pleased. But he failed to anticipate the displeasure that spread its way through the employee ranks. Soon rumors started floating around that there were covert cameras. Questions arose: Why are they putting in cameras? What are they watching? Why do we need so much surveillance? When word started getting back to Bielec, "terror ran up and down my spine," he recalls. "I had done my best to develop a relationship with the employees," he says, but now he worried that he was about to take a giant step backwards. Bielec had an inspiration. Because two sides of the control center were glass, he decided to turn the monitor banks around, so that the monitor screens faced outward. With this change, any SAS employee walking by the control center can see exactly what the cameras are being used to observe. "I told employees, come on down, you can see what we're looking at. We can show you how [the system] works; we'll let you play with the joysticks," he says. "That alone allayed the monitoring fears." What Bielec came up against was a very open, creative corporate environment, not unlike that found on a college campus. To many employees, the installation of cameras screamed of Big Brother syndrome. Bielec assured employees that the system was more about customer service (such as letting employees back in the building if they accidentally got locked out during a smoking break), to give employees peace of mind and to keep an eye on more places than was otherwise humanly possible (data centers, for example). It was a good lesson for Bielec, one he fell back on recently. After a fire in the area of the loading dock outside SAS's production studio (a container of linseed-soaked rags ignited in the bed of a pickup truck), Bielec had installed a camera to monitor the racks where solvents are stored, intending to get a better chance of catching any accidental combustion early. The camera actually panned a little bit into the shop area, where workers built set pieces. The workers expressed some concern-they understood the need for the camera, but didn't want theirs to be the only work area under surveillance. So Bielec solved the problem by moving the camera 20 feet away, so that it looked only at the area where the flammable materials were stored. DON'T use dummy cameras without considering the risks. If cameras deter theft by their mere presence, CSOs may be tempted to nail up a few cameras that aren't activated. In CSO's survey, 23 percent of respondents said they include some fake or deactivated cameras as part of their surveillance practice. But are fake cameras worth the potential downsides? Douglas Durden, manager of safety, security and asset retention at Mallory Alexander International Logistics, thinks that often they are not. He believes fake cameras can impart a false sense of security. "Let's say someone is standing in front of what appears to be a camera. If a guy pulls a gun and takes a person's wallet, you should be able to pull it up on tape [but you can't]. Then you have to tell the person it was a fake camera," he says. Lawsuit, anyone? Walter Palmer, founder and principal of PCGsolutions, a retail loss-prevention consultancy, also advises caution. "One of the things you have to be careful of is, do you have an obligation to provide certain levels of security? If you don't have cameras and something occurs or you have dummy cameras, could you be liable for negligent security?" he asks. It depends on the circumstances, of course, but the short answer is yes. All things considered, Jackson Lewis's Shaw thinks, there are limited circumstances in which fake cameras are appropriate, but generally they do more harm than good. "They're a bad idea all around, in my opinion," she says. DO think long and hard before deploying hidden cameras. The rapid evolution of camera technology-smaller cameras, better resolution, cheaper prices-has made it easier for companies to gobble up more and more of them. But it also opens the door for more misuse of covert surveillance. Last November, nurses at Good Samaritan Hospital in Los Angeles were in a break room when, according to accounts, they spied a thin beam of light coming from a clock. They were shocked to discover a hidden camera with a tiny lens behind the number nine. The nurses immediately spread the word to their colleagues; eventually they discovered a total of 16 hidden cameras in the clocks of break rooms, a pharmacy and a fitness center, among other locations. In addition to the fact that the nurses hadn't been informed about the cameras, they were also upset because some of them changed their clothes in the break rooms. They felt that their right to privacy had been violated. In a press release, a California Nurses Association spokesperson said, "This is a pervasive problem throughout the hospital that is a disgraceful violation of the legal privacy rights of the RNs and reflects a deplorable attitude of the hospital administration towards its caregivers." Hospital officials defended their actions-they claimed the cameras were installed for security reasons, that it was standard practice in hospitals, that they had planned on informing the nurses and that the cameras hadn't been turned on. They also noted (see the first tip) that the nurses' employee handbook, which all must sign, states that surveillance might be used. Ultimately, the messy situation might have been avoided if hospital execs had informed the nurses of their plans beforehand, explained that the cameras were for their safety and made them overt instead of covert. By neglecting to inform the nurses until the cameras had been discovered, the hospital engendered suspicion and ill will among a core group of employees. There may still be a place for hidden cameras in a CSO's arsenal, of course. It just makes sense to deploy them wisely. DON'T overlook the special complications of a union workforce. Union employees have certain contractual rights that nonunion employees may lack. CSOs with unions in the workplace will need to review National Labor Relations Board (NLRB) rulings specifically concerning video surveillance. For example, the NLRB decided in the 1997 case Colgate-Palmolive Co. that the installation of hidden cameras is a mandatory subject of bargaining. (An employee had found a camera hidden in an air vent in a men's restroom.) That decision was reinforced in 2003 by a federal appeals court in National Steel Corp. v. NLRB. (The company had placed a hidden camera in a manager's office to catch the person who was making long-distance phone calls at night.) More recently, in July the U.S. Court of Appeals for the District of Columbia Circuit upheld a 2004 NLRB decision in a case involving Anheuser-Busch. In 1998, the king of beers had installed hidden cameras in work and break areas in one of its St. Louis facilities. Sixteen employees were later disciplined (five were fired) after being caught on tape taking lengthy breaks, sleeping, smoking pot and urinating on a rooftop. The court supported the NLRB, which had previously ruled that Anheuser-Busch was at fault for not giving notice to the union before installing the cameras (although the NLRB had also ruled that the workers were not entitled to back pay or reinstatement). The court sent the case back to the NLRB to determine whether the workers were entitled to any remedies. CSOs should also be mindful that any introduction of surveillance into the workplace could be cause for a union grievance, according to the Labor Research Association. A report titled "Employer Snooping: What Rights Do Workers Really Have?" says "When a company seeks to introduce video surveillance, monitor e-mail, conduct random searches or other workplace surveillance policies, it is attempting to change working conditions, according to the NLRB. As a result, the terms of these policies are considered a 'mandatory subject' of collective bargaining and must be negotiated with the workers' union." It goes on to cite some examples of what a employer and union might negotiate, including allowing workers to defend themselves against accusations and agreeing that nonwork areas remain camera-free. As technology progresses, bringing with it the ability to monitor the workplace more cheaply and easily than ever before, there's a concomitant increase in the chance that things can get messy. Taking the time to understand all the issues-to manage your surveillance risks-will ensure that your surveillance posture is no slouch. ======= end of excerpt ============= Best regards, Mark. Mark E. S. Bernard, CISM, CISSP, PM, Principal, Risk Management Services, e-mail: Mark.Bernard@private Web: http://www.TechSecure.ca Phone: (506) 325-0444 Leadership Quotes by Warren Bennis: "The manager asks how and when; the leader asks what and why?" _________________________________________ Attend ToorCon Sept 16-18th, 2005 Convention Center San Diego, California www.toorcon.org
This archive was generated by hypermail 2.1.3 : Sun Sep 11 2005 - 23:29:49 PDT