Tip

Week 9: Banners in support of system monitoring

When:
Review at least annually, or when legal guidance changes.

What:
A banner statement advising users that by using the system they consent to monitoring. If the

    Requires Free Membership to View

user proceeds after this banner appears on their screen then "implied consent" exists. "Express consent" is easier to prove should a case end up in court and is obtained through a signed or "click through" user acknowledgment that tells users their rights and responsibilities, and that their actions may be monitored. Using a network sniffer or auditing tools to monitor e-mail to see what employees are up to (a.k.a. "unauthorized monitoring") constitutes an illegal action.

Why:
There are two reasons to use a warning and monitoring banner: It states your policy on monitoring and acts as a "no trespassing" sign to let users know they are now entering your system.

Intercepting another person's communications -- including e-mail and stored information -- without their knowledge or consent violates privacy rights and the Fourth Amendment's prohibition on unreasonable searches and seizures. The key here is to establish in advance the rights and expectations of all parties -- employees, employers, IT staff, consultants, and, yes, even hackers. You should also consider questions like the privacy rights of customers and clients, business partners and even telecommuters. Three main federal statutes apply -- The Electronic Communications Privacy Act (ECPA), the Stored Wire and Electronic Communications and Transactional Records Access Act and The Computer Fraud and Abuse Act, which were amended by the USA Patriot Act. Many states have statutes that deal with the intentional interception of communications or with intentional unauthorized access to computers.

Strategy:
If asked to monitor someone, you should involve your legal counsel. Proceed carefully, as alerting a government agency may result in your system being seized for further analysis, and may create liability for you or your organization. Failing to report may likewise result in regulatory liability. If a government agency is going to be involved, make sure it's a decision by the highest levels of your organization, not you. In the meantime, post a banner on your Web site that reflects your legal counsel's guidance, and establishes expectations of privacy and the right to monitor.

For more information:
For details on the tatutes mentioned above, see http://www.usiia.org/legis/ecpa.html for the ECPA; http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/121/toc.html for the Stored Wire and Electronic Communications and Transactional Records Access Act; and http://www.epic.org for the Computer Fraud and Abuse Act.

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to securityplanner@infosecuritymag.com.

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Mark D. Rasch, Esq., senior VP and chief security counsel at Solutionary Inc., contributed to this article.

Last week: Reviewing your policies and procedures
Next Week: Are you throwing out company secrets?

This was first published in February 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.