Employers have their hands full when it comes to monitoring online activities that could hurt the brand or violate the organization's core values.

Jennifer DeTrani & Landon Winkelvoss, General Counsel/EVP, Nisos / VP of Content and Co-Founder, Nisos

July 2, 2021

It's a complicated time to be an employer. From ensuring compliance with state-by-state employment law regulations, to providing an OSHA- and EEOC-compliant workplace in the new "work-from-home/now-come-back-to-work" normal, human resources departments have their hands full.

Layer on the due diligence that employers are undertaking to ensure that their workers are not plotting nefarious activities or propagating extremist disinformation online that could negatively affect the brand, core values, codes of conduct, and safety of individuals both inside and beyond the workplace, and that complexity becomes even more cumbersome.

Stories of financial institutions uncovering and exiting employees for administering extremist websites sound like prime-time dramas. However, they are real-world examples of why having a strategy for exiting dangerous employees from the workplace is a best practice now that home and work boundaries are increasingly blurred. And with most employers monitoring their workforces, it's becoming increasingly important to understand why more workers are under review.

The Cost of Free Speech
While the First Amendment grants all Americans the right to free speech, few corporate, legal, or HR teams have the appetite to proactively monitor their employees' non-work-related social media presence. The so-called Online Disinhibition Effect (ODE), coupled with the perceived anonymity of the Internet, can empower people to freely express their opinions about almost anything, from restaurants and political candidates to foreign policy and ethnic groups, forcing employers to rethink traditional HR modalities that keep work and private domains separate.

Organizations must consider their public reputation: the brand, the company's board, and executives all have a stake in ensuring that extremism and other hate-based sentiments stay far from the workplace. When does it make sense to investigate reported behavior and when does it make sense to turn a blind eye? While extremely fact-specific, whether an investigation is actionable depends on whether extremist online content violates the company's policies embedded in its employee handbook, code of conduct, onboarding materials, or state-based privacy laws.

Once these policies are in place, a transparent culture of "see something, say something" can often be fruitful, allowing others within the organization to point to behavior that requires a deeper review.

Building a Compliance Framework
Legal and human resources are aware of the need to update employee handbooks to advise employees that all company-owned equipment will be subject to reclamation, monitoring, and examination, in line with a legitimate business purpose, which is necessary given federal laws that restrict workplace monitoring. However, not all in-house counsel and operation teams include proper language in handbooks to ensure that remedial action can be taken for social media postings by employees when not on company equipment or time.

Legal and HR practitioners must notify their employees of the company's ability and intentions to monitor, investigate, and take action for behavior that crosses the line, whether it takes place on corporate devices or online. If the notification language gets embedded in the code of conduct or BYOD policy, make sure there is a nexus between such policies and the employee handbook so that consent can be demonstrated.

Effective Monitoring in the Workplace
In reality, few companies have an appetite for devoting resources to monitoring employees' non-work-related social media proactively for threats, and such an approach would be ill-advised.

However, an agile security team that quickly responds to reporting on threats can benefit from focusing on:

  • Disinformation

  • Outlets that can be prioritized

  • Account(s) or handle(s) being used

  • Technical signatures cloaking true identities

While these elements may appear more manageable, corporate devices are the most efficient means to determine if an employee violated the code of conduct or the rules for use of corporate systems by engaging in illicit or suspicious activity. Internal investigations and security teams must have visibility into appropriate endpoint, network, chat, email, and application log traffic to conduct these types of investigations. Finally, they have to maintain a robust "outside the firewall" external threat-hunting capability, including open source and Dark Web intelligence attribution research, technical signature analysis, and direct threat actor engagement.

When to Take Action and When to Stand Down
After policies are established and tested, and the security team implements a monitoring strategy, they will be operationalized. Threats of violence using corporate or personal devices can justify termination of the offending employee. However, if an investigation finds allegations of membership in a known extremist group, even with robust policies in place, termination can still be controversial and therefore needs stronger security, legal, and HR coordination. Depending on how robust corporate policies are and subject to state privacy laws, termination can typically occur when a corporate asset is used to participate in or solicit violent extremist activity during work or in off-work hours, including use of company email.

However, participating in or soliciting online extremist activities without the incitement of violence after work hours on personal devices may present an edge case that may not be actionable. In this situation, additional monitoring may prove necessary, to a point. The question of when to stop monitoring an employee is another issue that employers will have to address on a case-by-case basis.

Within any investigation, fact patterns are rarely black and white. It's important to get ahead of these issues before a significant event or violence occurs and an employee shows up on the front page of the news, forcing the company to do damage control. Close coordination between human resources, legal, and security functions within an organization, in conjunction with an open culture that empowers the reporting of abusive or threatening behavior, can stop violence and negative brand impact before it happens.

About the Author(s)

Jennifer DeTrani

Jennifer DeTrani is General Counsel/EVP, Corporate Secretary and Head of Culture of Nisos, a Managed Intelligence™ company that focuses on helping clients develop an effective response to advanced cyber threats. Jennifer is a visiting fellow at the National Security Institute at George Mason University's Law School, and serves on the executive leadership team of SunLaw, a non-profit that focuses on the education and advancement of in-house leaders. Jennifer has a demonstrated history of creating mission-driven results in the cybersecurity, information technology, secure communications, and software industries. In addition to building in-house teams, she focuses on compliance, innovation, outreach and education within the legal community, with a focus on technology, security and privacy. Prior to Nisos, she co-founded a secure messaging company, Wickr, ran a solo law practice, practiced corporate law in BigLaw and served as a federal prosecutor at the Department of Justice.

Landon Winkelvoss

Landon Winkelvoss co-founded Nisos in 2015 and serves as its VP of Content. His vision as a founder was to deliver intelligence community-level insights to blue chip companies to enable a stronger defense and more effective response against advanced cyberattacks, disinformation, and abuse of digital platforms. Prior to founding Nisos, he spent 10 years as a Technical Targeting Officer for the US government, including multiple warzone deployments and overseas postings. Landon is a regular contributor to numerous publications on cyber intelligence and investigations, including Security Week and SC Magazine. He is also host of The Cyber5 and Know Your Adversary, podcasts designed to educate and highlight security best practices and notable cybercrime investigations.
