Review at least annually, or when legal guidance changes.
A banner statement advising users that by using the system they consent to monitoring. If the user proceeds after this banner appears on their screen then "implied consent" exists. "Express consent" is easier to prove should a case end up in court and is obtained through a signed or "click through" user acknowledgment that tells users their rights and responsibilities, and that their actions may be monitored. Using a network sniffer or auditing tools to monitor e-mail to see what employees are up to (a.k.a. "unauthorized monitoring") constitutes an illegal action.
There are two reasons to use a warning and monitoring banner: It states your policy on monitoring and acts as a "no trespassing" sign to let users know they are now entering your system.
Intercepting another person's communications -- including e-mail and stored information -- without their knowledge or consent violates privacy rights and the Fourth Amendment's prohibition on unreasonable searches and seizures. The key here is to establish in advance the rights and expectations of all parties -- employees, employers, IT staff, consultants, and, yes, even hackers. You should also consider questions like the privacy rights of customers and clients, business partners and even telecommuters. Three main federal statutes apply -- The Electronic Communications Privacy Act (ECPA), the Stored Wire and Electronic Communications and Transactional Records Access Act and The Computer Fraud and Abuse Act, which were amended by the USA Patriot Act. Many states have statutes that deal with the intentional interception of communications or with intentional unauthorized access to computers.
If asked to monitor someone, you should involve your legal counsel. Proceed carefully, as alerting a government agency may result in your system being seized for further analysis, and may create liability for you or your organization. Failing to report may likewise result in regulatory liability. If a government agency is going to be involved, make sure it's a decision by the highest levels of your organization, not you. In the meantime, post a banner on your Web site that reflects your legal counsel's guidance, and establishes expectations of privacy and the right to monitor.
For more information:
For details on the tatutes mentioned above, see http://www.usiia.org/legis/ecpa.html for the ECPA; http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/121/toc.html for the Stored Wire and Electronic Communications and Transactional Records Access Act; and http://www.epic.org for the Computer Fraud and Abuse Act.
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to firstname.lastname@example.org.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
Mark D. Rasch, Esq., senior VP and chief security counsel at Solutionary Inc., contributed to this article.