The Office of Inspector General and a joint staff for two ranking Republican lawmakers recently issued critical reports on the FDA’s 2010-2011 employee monitoring for trade-secret leaks (see OIG and Joint Staff). They criticize the FDA for essentially “spying” on its employees without first assessing whether the computer monitoring may violate federal wiretapping laws and whistleblower protections. Coming at a time when the FDA is embroiled in litigation concerning this surveillance, these reports highlight how employers can avoid liability when trying to uncover suspected trade-secret or confidential-data theft.
The FDA’s employee monitoring was a response to several news articles that referenced specific confidential data when reporting on disputes between FDA scientists and managers about medical-device approvals (e.g., NYT 1/12/09 and NYT 3/28/10). After receiving complaints from companies whose secrets and data may have been disclosed, the FDA began real-time monitoring of employees’ computer activities to determine the potential leak. The FDA used two forensic monitoring tools. “EnCase” captured retrospective images of the employees’ computer hard-drives and attached external drives, while “SpectorSoft” captured real-time screenshots—every few seconds—of the employees’ computers and keystrokes. Immediately before and during the monitoring, the FDA also used a notice banner that appeared when an employee logged onto a network computer. It prompted the employee to click “OK” to continue, and read, in part:
USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING, OR CAPTURING AND DISCLOSURE. THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM.
The FDA’s monitoring captured nearly everything these employees had done and were doing on and through their FDA computers: including images of non-FDA thumb-drives plugged into the computers; passwords to personal email accounts; attorney-client communications; and communications with Congress. The FDA ultimately relied on what the monitoring uncovered to take employment actions against several employees suspected of leaking the confidential data.
But the FDA had no policies for conducting this employee monitoring. Particularly troubling, the FDA had no policies to ensure compliance with federal wiretapping laws, whistleblower protections, or the Fourth Amendment. The OIG found that it was therefore “particularly important” for the FDA to ensure it understood “the full extent of the limits on the agency and the rights of its employees,” and faulted the FDA for failing to plan its monitoring without “the timely assistance of counsel.” To prevent future failures, the OIG suggested that the FDA’s umbrella agency adopt internal controls that address:
- the agency’s authority to monitor employee communications or access employee files;
- protection of the rights of employees and the extent of an employee’s expectation of privacy while using agency IT resources;
- specific conditions for requesting access to employee communications;
- defined roles and responsibilities for initiating, reviewing, and approving requests to access employee communications and data; and
- retention of records that document the initiation, review, and approval of electronic monitoring, including opinions and recommendations of legal counsel.
Employers may find themselves in a similar situation to the FDA’s, with evidence suggesting an employee is disclosing or stealing trade secrets—or at least plotting to do so. And they will likely want to monitor employee activity to verify their suspicions. But before doing so, employers should confirm they have already instituted policies similar to the OIG’s suggestions, as well as—and just as importantly—seek immediate assistance from counsel.
Like the FDA, most employers are not in the business of “spying” on their own employees and may incur unexpected liability when merely trying to protect their most valued assets. Experienced counsel can help navigate this legal landscape—protecting employers from liability, as well as employee theft. If nothing else, the FDA’s current legal troubles make one thing clear. Counsel must be involved at each step of any anticipated employee monitoring. The last thing an employer wants to face is liability to the same employee who stole secrets and confidential data.