SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

InTP Series: Protection of Employee Civil Liberties and Privacy Rights (Part 15 of 18)


The news today is buzzing with discussions regarding civil liberties and privacy rights. Insider threat program (InTP) development deals directly with these issues, specifically the protection of employees. It is essential that management familiarize itself with existing mandates, statutes, laws, and directives that are related to InTP implementation.

Hi, my name is Tracy Cassidy. I am an Insider Threat Researcher at the CERT Insider Threat Center. In this, the 15th of 18 posts in our blog series on establishing an InTP, I'll discuss some issues that are relevant to the protection of employee civil liberties and privacy rights.

Review Pertinent Information

When developing an InTP, it is important to ensure that legal requirements and actions are thoroughly reviewed and abided by. Areas of legal importance regarding InTPs include confidential reporting, user monitoring, and protecting employee rights.

During the InTP development process, it is important to work closely with privacy officers and legal counsel. These and other appropriate personnel should be tasked with reviewing pertinent privacy and civil liberties rules, regulations, and laws such as the Bill of Rights.

Subject matter experts can provide input into the development of the InTP, ensuring that the program is created and executed in compliance with relevant policies, rules, regulations, and laws. These may include the Whistleblower Protection Act; the GSA Rules of Behavior for Handling Personally Identifiable Information (PII); or sector-specific regulations, such as the Department of Defense Authorization Act of 1987 and the Commercial Motor Vehicle Safety Act (CMVSA).

Examples of Important Considerations

There are many different arenas that need to be reviewed when protecting employee civil liberties and privacy rights. One example is conducting criminal background checks during the employment screening process. Most employers use criminal background screening procedures when hiring new employees and expect trusted business partners to do the same.

There are many guidelines and restrictions associated with conducting these screenings, such as those put forth by the U.S. Equal Opportunity Commission (EEOC) and the Federal Credit Reporting Act. The EEOC recommends that screenings be job related and consistent with a business need. If legally appropriate, it recommends "targeted screening," where the employer considers

  • the nature of the crime
  • how long ago the crime took place
  • the nature of the job

Several states and cities have also instituted so-called "ban the box" laws, which typically prohibit organizations from asking for the criminal history of job candidates until a specific time in the hiring process (e.g., after the first interview).

Likewise, conviction records may provide better evidence overall than an arrest record. An arrest alone doesn't prove that a person committed a criminal act. The EEOC states that several states limit the use of both arrest and conviction records in making employment decisions. Knowledge of these varying laws is essential.

This example shows that laws and regulations surrounding criminal background checks, other civil liberties, and privacy rights are ever changing. Thus, they are important for employers to monitor. Any actions an organization takes regarding such issues should be done only with the review and approval of its legal counsel and privacy officials.

If you want more information regarding the protection of employee civil liberties and privacy rights in the development of an InTP, look into our Insider Threat Program Manager Certification. If you have any questions or comments, please feel free to contact us!

Additional resources can also be found at the Equal Employment Opportunity Commission (www.eeoc.gov) or Department of Labor (www.dol.gov).
