feature
Monitoring Employees to Prevent and Detect Fraud
Steven Philippsohn, Philippsohn Crawfords Berwald, Solicitors

Introduction
In the previous article I discussed the threat that companies currently face with regard to fraud and the Internet. In this article I will concentrate on the methods available to a company to monitor employees’ and other third parties’ use of different methods of telecommunication, in order to detect and prevent fraud.
Scale and prevalence
In February 2002, it was reported that the German foreign minister Joschka Fischer put the annual figure of losses caused by cybercrime at £28 billion in an address to an international conference on the matter [1]. In January 2002, the Computer Emergency Response Team ("CERT") reported that the total number of attacks on the Web in 2001 climbed almost 160% compared to the previous year. CERT said that virus outbreaks, network attacks or inside abuse accounted for 52 658 incidents in 2001, compared with 21 756 in 2000. CERT documented 9 859 reports in 1999, and 3 374 in 1998 [2]. Mi2g, the Internet security group, reported in November 2002 that worldwide economic damage estimated to have been caused by all forms of digital attack so far in 2002 was between $35 and $43 billion. Around 60% of frauds were perpetrated from within, but it was found that as much as 58% of this fraud was uncovered ‘by accident’! In light of this, and the fact that many organizations do not act on lessons learned, it is perhaps not surprising that while recovery rates remain low (with as few as 20% of organizations able to recover half or more of the losses suffered as a result of fraud), the scope for such fraud remains as high as ever, with only 18% of victims ‘very confident’ about their safety in the future. Twice as many believe that the threat will be even greater in the next five years. Indeed, just under half the 3500 respondent organizations felt cybercrime was ‘the’ risk of the future.
The Regulation of Investigatory Powers Act 2000
It is widely accepted that the biggest threat to the computer system of a business is internal. Businesses are, however, actively encouraging staff to embrace IT in their everyday work. The importance to a business of being able to monitor its staff to detect fraud cannot be overstated. The Human Rights Act (HRA) and the Regulation of Investigatory Powers Act 2000 (RIPA) came into force at the beginning of October 2001, granting, amongst other rights, rights of privacy to staff enforceable against their employers through the UK Courts. In doing so, RIPA, designed to comply with the HRA and the European Telecommunications Data Protection Directive, placed restrictions for the first time on the interception of communications on the internal system of a non-public body. RIPA provides that a business that monitors the communications of its staff unlawfully is liable for damages. To be lawful, such monitoring must be in accordance with regulations made by the Secretary of State. The Lawful Business Practice Regulations came into force on 24 October 2001. Following a period of consultation, the draft regulations were amended in an attempt to strike a balance between protecting the privacy of individuals and enabling industry and business to obtain the maximum benefit from the new technology. The amendments included the removal of the requirement to inform third parties with whom staff communicate that such communications are liable to be intercepted. This was due to the cost and practical difficulties involved in doing so. Employees must be warned of the possibility that their communications will be monitored. This could be done by the insertion of a clause in their employment contracts. However, the lack of a requirement for third parties to be warned has caused many to claim that the Regulations do not protect the privacy of those third parties. Indeed, there is speculation that the Regulations may not be compatible with the HRA. The law does not give employers unlimited freedom to snoop on their employees simply by warning them that they may be monitored. The reason for the interception must be one of those specified by the Regulations. Below is a full explanation of the Lawful Business Practice Regulations.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
Incoming calls or calls made to individuals outside a private telecommunication system may be intercepted and recorded by a business, without consent, for a purpose listed under Section 3 of the Regulations (subject to two minor exceptions set out below). If the interception is carried out for any other purpose (marketing, market research or a purpose outside the scope of Section 3), then incoming calls and calls made to outsiders can only be recorded and monitored when the business concerned has reasonable grounds to believe that the sender and recipient consent. The Lawful Business Practice Regulations suggest that businesses should take the following steps to obtain consent:
• Insert a clause in staff contracts giving consent to recording and monitoring;
• A call operator should ask the incoming caller to consent; or
• A pre-recorded message should state that the call may be monitored or recorded.
Interception Authorized by the Lawful Business Practice Regulations (Section 3)
According to the Lawful Business Practice Regulations, a business may monitor or record communications for the following purposes:
• To keep records of transactions and communications in cases where it is necessary or desirable to know the specific facts of a conversation.
• To check that the business is complying with regulatory or self-regulatory requirements.
• For purposes of training or quality control.
• To prevent or detect crime (fraud and corruption).
• To detect or investigate unauthorized use.
• Monitoring for viruses or threats to the system.
A business may monitor but not record without consent:
• To check email accounts to access business communications in staff absence.
• To monitor calls to confidential welfare helplines to protect or support helpline staff.
If a business intends to make non-consensual interceptions, it is required to make reasonable efforts to inform every person who may use its telecommunication system that communications may be intercepted:
• By placing a note in their contract or providing literature.
If a business wishes to intercept communications outside the scope of these Regulations, it will need to obtain the consent of the sender and recipient of the communication.
Gaining consent
Steps that could be taken to obtain the consent of staff and outsiders are:
• A clause in staff contracts by which staff consent to calls being recorded or monitored.
• The call operator asking outsiders at the start of the call if they consent.
• Calls being answered by a pre-recorded message informing the incoming caller that the call may be monitored or recorded.
The Data Protection Act 1998
The Data Protection Act (DPA) must also be considered by any business in the UK that intends to monitor its staff. The Data Protection Act does not, strictly speaking, prevent monitoring. However, it will apply to any records made in the course of an investigation or during the exercise of monitoring. Personal data will often be involved in the interception or recording of communications and is therefore subject to the provisions of the DPA. For example, the first Data Protection Principle requires personal data to be processed fairly and lawfully, and, if not by consent, that the processing is necessary to a vital interest. The Data Protection Commissioner has published a draft Code of Practice on monitoring in the workplace. The draft Code suggests how and when a business should conduct monitoring to comply with the DPA. The draft Code suggests that the DPA requires that any monitoring is justified on the basis of an ‘impact assessment’. This is an assessment of the adverse effect on an employee as compared to the benefit obtained by the employer in carrying out any monitoring activity. The draft Code suggests that where an employer can justify the monitoring of an employee on this basis, it will not be necessary to obtain the consent of the individual employee unless the monitoring involves data of a sensitive nature (such as data relating to the employee’s political opinion, commission or alleged commission of an offence, or the employee’s health). Perhaps the most important consideration it emphasises is that of proportionality. Monitoring should be targeted on areas of high risk. Where intrusion into the personal affairs of an employee can be avoided by use of alternative means, then those alternative means should be used. If the purpose of the monitoring can be achieved by the use of a record of email traffic, then there should be no monitoring of email content. Random checks or audits should be used in preference to continuous monitoring. In addition, the draft Code recommends that businesses give consideration to the privacy of third parties when monitoring communications. This could be done by means of a recorded message at the beginning of calls. However, the draft Code recognises the limitations on the ability of businesses to always inform third parties. It states that there is no practical way to ensure that those who send emails to employees of the business can be warned in advance that the email is liable to be intercepted. The draft Code is clear that, particularly where covert monitoring is concerned, a business cannot circumvent the provisions of the Data Protection Act by instructing a private investigator.
The draft Code and covert monitoring
The draft Code draws a distinction between covert and non-covert monitoring of employees. Covert monitoring occurs if the subject of the monitoring and collection of data is unaware that it is taking place.
Covert monitoring of the communications of an employee is not covered by the Data Protection Act. However, once records are created, the records themselves are caught by the provisions of the DPA. Covert monitoring may only occur where the storage of the data obtained by monitoring is covered by an exception permitted under the DPA. According to the draft Code this means: “circumstances where informing the worker that information is being obtained would be likely to prejudice such matters as national security, the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty”.
There has been some criticism of the Code in that it suggests that one of the only times covert monitoring should take place is when the employer has grounds for suspecting that criminal activity is taking place. This would potentially prevent covert monitoring from taking place prior to the occurrence of any criminal activity, and may therefore inhibit covert monitoring from being implemented as a means of crime prevention. It would appear that the intention of RIPA was to restrict the use of monitoring to certain circumstances. One of the justifications for carrying out covert monitoring would be in order to prevent and detect crime. It may be that a suspicion that an employee may be planning to commit a fraud ought to justify the use of covert monitoring of their communications. However, until the final version of the Code has been clarified, the position with regard to covert monitoring is unclear. The above discussion of monitoring is in general terms. Before carrying out monitoring of staff, a business should seek specialist legal advice tailored to its specific circumstances.

References
1. http://news.zdnet.co.uk/story/0,,t1269-s2104697,00.html
2. www.vnunet.co.uk/News/1128250

International Terrorism Response Ignores Privacy
Marie A. Wright

Since the attacks in New York and Washington, DC on 11 September 2001, anti-terrorism laws have been passed, and their provisions enacted, with unprecedented haste. In most cases, the laws are controversial, calling for further search and seizure powers and increased communications surveillance, while simultaneously undermining individual rights to privacy. This article provides an overview of anti-terrorism laws recently enacted in a number of countries, and it suggests that privacy rights are being eroded in their wake. The article begins with the USA Patriot Act, a law that established the legislative agenda for the US and, by implication, for other countries throughout the world. Then it highlights provisions from anti-terrorism legislation subsequently enacted in France, the UK, Canada, Germany, Australia, India, Denmark and the Netherlands.

The United States of America
The USA Patriot Act (an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism”) was signed into law on 26 October 2001 [1]. Among the key provisions of this law are the following:
• Authorization of court-issued “roving wiretaps” that would allow law enforcement officials to wiretap any phone that a suspected terrorist might use, including cellular and disposable phones [2]. Authorization may be nation-wide and need not be based on probable cause [3]. Once a telephone used by a suspect is monitored, any other user of that telephone also will be subject to surveillance [3].
• An extension of the pen register portion of federal wiretapping law [4], which requires a judge to grant an order that enables law enforcement to access the list of numbers dialed from a suspect’s phone, based only on the certification of a prosecutor that the information sought is relevant to an ongoing criminal investigation [3].
• The ability for law enforcement officials to have easier access to emails sent to, and received by, suspected terrorists.
• The ability for the US Federal Government to detain non-US citizens suspected of terrorism for up to seven days, without filing specific charges [2].
• An expansion of measures against money laundering that require financial institutions to implement further record keeping for “suspicious” transactions and mandate the identification of account holders [2].
The international dimension of money laundering and its relationship to terrorist financing also was addressed in United Nations Security Council Resolution 1373 [5]. Among other matters, all member states are required to:
• prevent and suppress the financing of terrorist acts, criminalize the willful provision or collection of terrorist funds by their nationals or in their territories, and freeze the assets of those connected with terrorism;
• refrain from providing any active or passive support to those involved in