In a perfect world, protecting privacy is a laudable ideal. But in today's world, the urgency to defend against computer crime can far outweigh the ideal of individual rights. According to the ICSA survey, three out of four organizations experienced a virus last year, up from 68% in 1997. These numbers echo the Computer Security Institute (CSI) 1998 survey, in which respondents cited financial losses of $136 million due to computer invasions -- an increase of 36% since 1997.

Unfortunately, employee attacks represent the bulk of the incidents. According to the ICSA, 54% of those surveyed experienced an employee access abuse in the last year, an increase of 35% over the previous year. More than half of the respondents in the CSI study "perceive internal systems as a frequent point of attack," and 80% attribute this to disgruntled employees. An additional study conducted by the United Nations Commission on Crime and Criminal Justice also reports employees as "the greatest security threat."

Balancing privacy vs. security
In the face of these threats, information security is a must. But how does an organization balance the need to protect with the right to privacy? Employee training can make a real difference, according to David L. Carter of the School of Criminal Justice at Michigan State University and Andra Katz of the Administration of Justice Department at Wichita State University, co-authors of a paper on computer crime. "Across the board, increased employee training consistently helped minimize theft (and) diminished crimes and computer abuse such as harassment via email," they write.

Though training is effective, the only way to equalize the scales of privacy and protection is through a written email policy. A properly written email policy will inform employees about how you expect them to use email within the organization and can reduce the potential of liability for harassment and other email-based employee actions.

An email policy should make it clear that the computer and the email system belong to the business. It should tell employees that email is to be used for authorized purposes only, and that the employer has the right -- but not the duty -- to monitor email. It should explain that email cannot be used for libelous, harassing or other illegal activities, and must include an explicit statement that employees cannot expect privacy. The policy should be distributed to, and signed by, all employees.

The laws
Despite the escalating need to protect against computer crime and explicit agreement to forfeit privacy in exchange for this protection, some employees may still challenge info security as a violation of their rights to privacy. They may seek support in state privacy laws, the Fourth Amendment's protections, the Civil Rights Act of 1964 and the Electronic Communications Privacy Act of 1986. A brief overview of these laws follows:

Common law invasion of privacy
Almost every state recognizes a common law right of privacy. To successfully maintain a claim for invasion of privacy under common law, the employee must prove that he had an expectation of privacy, that the employer engaged in highly offensive monitoring and (in some states) that the employer published the information received from the monitoring.