Forcepoint has announced that it has sponsored an in-depth whitepaper study in partnership with legal firm Hogan Lovells to explore potential issues for global workforce monitoring programs and identify the legal implications of 10 different monitoring activities across 15 countries. Managing Workforce Cyber Risk in a Global Landscape is an essential document for any organization planning and implementing data protection programmes where workforce monitoring is an element.
As global organizations review internal data management processes to comply with new, more stringent regulations and guidelines such as GDPR, the protection of personal customer data is becoming a much higher priority. One way to manage data protection and defend against internal and external threats is to monitor the use of information resources. Workforce monitoring presents a challenge for legal teams, HR departments, IT teams and business owners as they balance the need for data and IP protection with the privacy and legal rights of their own employees. For any organization working internationally, the different laws in each country pose additional challenges, forcing firms to develop multiple policies depending on the location of their workforce.
“As we built out our own, human-centric security programmes, we reviewed our Data Protection/Privacy Impact Assessments (DPIA/PIA) and realized we needed additional legal guidance,” said Allan Alford, CISO, Forcepoint. “We knew that our customers would also experience this challenge, so we commissioned the privacy and compliance legal firm Hogan Lovells to undertake this publicly available study.”
The study is believed to be the first published review of the international legal landscape that specifically addresses cyber-focused workforce threat program implementation, and offers a helpful guide for those charged with reviewing and refining their organization’s compliance programs. The team at Hogan Lovells, supported by select local counsel firms, researched and provided guidance on the three main areas of law that govern cyber defense programs involving workforce monitoring: data privacy and data protection laws; communications secrecy laws; and employment laws.
With a set of questions for organizations to ask themselves, along with suggested privacy safeguards, the whitepaper study provides best-practice steps for any organization to follow, as well as specific information on the requirements in each of the 15 countries.
Changing Threat Landscape and Regulation Drive the Need for Workforce Monitoring
Traditional tools fail to provide contextual information about human risk, so the demand for organizations to understand cyber behaviors at the human point, the intersection of users, data and networks, is growing.
“Numerous recent events have shown how cyber incidents can disrupt operations, damage reputation, and expose organizations to regulatory consequences and private litigation,” said Harriet Pearson, partner at Hogan Lovells. “An organisation’s workforce is a source of risk in this context, whether that risk comes from inadvertent or malicious intent. To effectively detect, prevent and mitigate the effects of cyber incidents, organizations need to address both external and internal threats, and what we see in working with clients across industries is that one of the ways to effectively mitigate this risk is to monitor how users interact with critical data and information resources.”
Understanding International Differences
Workforce monitoring differs in complexity across the 15 countries examined in the whitepaper, and Hogan Lovells gave an overall score to the legal compliance effort required in each country. In some jurisdictions, organizations have broad authority to monitor workforce use of information assets. In others, organizations may need to avoid processing personal communications, and analyze private communications and information only where there are reasonable suspicions of misconduct.
Many countries require that workforce monitoring programmes be implemented only after consultation with, and consent from, workforce representatives or individual employees.
In the United States, for example, federal law provides that organizations are exempt from liability to the extent that they monitor their information systems for cybersecurity purposes. But in Finland, employers are generally prohibited from accessing the contents of communications sent to or received by employees.
“Any workforce monitoring program must be proportionate, respectful and transparently deployed to ensure the continued trust of the workforce,” Alford continues. “It’s a careful balancing act: employees and employers must work hand-in-hand to protect each other. We all want better protection for ourselves and our important information and data, but monitoring when, how and why employees interact with various corporate data has some clear and important privacy implications.”