I was at the SC Magazine “Combating the Insider Threat” Conference yesterday, and one of the presentations raised a very interesting point.

Dave Chapman (Forensic Investigations Manager with TNT Express) was giving a presentation on “The Legalities behind monitoring employees to sensitively identify potential internal threats”.

He raised a couple of very interesting points

  • Contractual consent to allow monitoring of your email\Internet access is just that, Consent. This can be formally rescinded at any point. Your employer can take action against this (Disciuplinary etc.) but they CAN NOT continue to monitor your information.
  • “Fishing” for issues by looking through staff email\Internet traffic will not stand up in court as there needs to be a defined threat under investigation, to remove the possibility of entrapment.
  • Most companies contracts or Acceptable Use Policies define that a limited amount of personal use of company resources is allowed. With this in mind, if the company monitors your email\Internet Access they are knowingly potentially viewing personal information without direct consent.  This can be viewed as a breach of privacy. This can be, and has been, legally stated as a breach of Article 8 of the Human Rights Act (the right to respect for private and family life)

None of this necessarily means you can get away with things by arguing the above points, but It does mean that Information Security \ HR have to tread very carefully whilst investigating staff mis-behaviour.



Ethical Hackers pass Amsterdam’s Schiphol airport Biometric Security using a Hacked Passport with the details of a dead man.

Elvis Presley