Editorial Note: This document has been edited in the summer of 2020 to reflect feedback from remote workers during COVID-19, as well as concerns raised through observation of events surrounding the Black Lives Matter movement. Revisions have been made in an effort to promote policies that are respectful and fair to all involved parties.
Introduction
In many cases, Employee(s) have been asked (or offered the ability) to use their Personal Device(s) while working remotely. Nevertheless, such equipment needs to be maintained, supported, and kept secure. It's our heartfelt belief that Employee(s) needn't have reason to fear their privacy might be invaded or their Personal Information shared with their Employer(s) or others.
We believe strongly that remote work from home is a necessary compromise between the financial interests of employers and the personal health, safety, and quality of life interests of their employees. Therefore, we adhere to the following Employee Bill of Rights, with respect to what we will and will not allow in terms of protecting and supporting BYOD personal computers and devices.
As such, we affirm that we will not Use any Personal Information from any Personal Devices, except for the purposes explicitly stated herein.
While Business Devices may contain Personal Information, and such devices, being the private property of Employer(s), may be Used by Employer(s) or others, it is our mission to respect Employees' privacy to the fullest extent reasonably possible while performing our assigned duties.
To those ends, this document sets out our policies regarding governance of privileged access to personal and business information, which are a customary part of our role as an IT technology and support services provider.
Specific Assurances Above and Beyond EULA or Third-Party Terms of Service
Some Microsoft and other third-party services require that you accept security policies or terms of use to enroll in those services. For example, if your company requires it, you may be asked to accept terms to check company email using your phone or other mobile device. These terms often include:
- Acknowledgement that company files or email are company's intellectual property, even when stored on your personal device.
- The right to let company staff lock or wipe your device.
These EULAs and agreements are boiler-plate, and our ability to customize these is sometimes limited.
As such, herein, we make the additional clarifications and commitments to our customers and to end-users of our services, such as customers' employees or affiliates. With respect to our conduct, these assurances override and supersede such terms as may be included in such boilerplate terms of service.
General Data Handling and Privacy Policies and Standards
We're highly committed to the principles of sovereignty and privacy for your information, both with respect to your organization and your personal information. To maintain this commitment, we hold our staff accountable for following specific policies with respect to information stored in your information systems - in the cloud, on personal devices, and at your place of business.
- There must be clear written communication from the customer / client authorizing us to make any changes to your service or configuration.
  - We do not make changes without receiving instructions from you first.
  - If we notice something that needs to be changed to fix a problem, we will always try to contact you before taking any action, and we will notify you afterwards that the changes were made.
- Your information is your private property and should always be treated as confidential.
  - Customer information shared with us should be treated similarly to doctor-patient or attorney-client communications. We are bound by multiple NDAs (with our clients, Microsoft, and other parties) from disclosing your information to others, and our Terms of Service include protections to keep your information private.
  - Any access to client information shall be made in the client's interest, not our own.
  - We access only the information that is needed to complete our assigned duties.
  - Our internal policies restrict our access to your information as much as possible while maintaining our ability to support you technically.
  - We don't retain any client information that isn't directly relevant to our technical tasks.
  - It's important to understand that limited legal protections exist to prevent us from being compelled by a court or law enforcement agency to share your information; it is our policy to work with Microsoft and other vendors to challenge any legal request for client information when known and appropriate to do so.
- Our staff must follow security procedures when using accounts that can access your data.
  - To protect the client from unauthorized use of privileged accounts, any credentials used to access client information must always be stored in a secure fashion.
    - This means credentials are kept in a secure and encrypted enterprise password management platform. (Our platform of choice is PassPortal by SolarWinds.)
    - Passwords are randomized and unique to the individual login. They are not re-used across multiple customers.
    - Access to credentials is compartmentalized on a "need to know" basis.
    - Access to credentials is audited, so we know who has knowledge of any given password.
    - When staff depart the company, their credential access is audited and passwords are rotated appropriately as needed.
  - Wherever feasible, accounts must correspond to individual persons rather than shared roles. When it is infeasible to create individual logins, access to all shared credentials (e.g. service accounts) must be audited as described in "i.4." above.
    - Junior or temporary staff shall not have direct access to sensitive credentials; they must be entered by a supervisor.
  - All reasonable efforts shall be taken to prevent unintentional access to such credentials.
    - They shall only be accessed using web browsers that leverage isolation technologies (such as in-private / incognito mode, containers, or virtual machines) to limit what applications may be able to access the credentials used.
    - Unless the system is itself secured by an equally stringent credentialing mechanism, credentials may not be retained in the browser or OS (e.g. "remember me"), except using company-sanctioned enterprise password management plug-ins. Specifically, this means that in order to save passwords to the browser, the Windows login must itself be secured through MFA or stronger means of identity management. This would definitely not be permitted on a work-from-home personal device or a shared computer.
  - Additional safeguards are used whenever these are available, including:
    - Multi-factor authentication, ensuring that a secondary means of validation is required in addition to username / password.
    - Privileged identity management, meaning that privileged access is granted on a just-in-time / per-user / as-needed basis and subject to supervisor or client approvals where appropriate.
  - All known or probable breaches shall be promptly reported to management and/or security officers for both Liquid Mercury Solutions and the applicable client(s).
  - In addition to terms within our Employee and IC Agreement, all staff of Liquid Mercury Solutions have been required to read this policy document and sign an agreement indicating their understanding and acceptance of these policies.
Employer Rights and Limitations
Generally speaking, it's an open question whether Employer(s)' rights begin only where Employee(s)' rights end, or if sometimes it should be the other way around. This is a legal question, and it is not our area of expertise.
Employer(s) have a right to property, which generally includes Business Device(s) and Business Information. In certain cases, this may also include rights to the fruits of Employee(s)' labor and the right to be protected from theft, fraud, or negligence.
Many of these rights are contractual, being part of an agreement between Employer(s) and their Employee(s), rather than being coded into the law. Much of what's permitted within such agreements is something addressed by state and federal laws. Thus, most Employer/Employee rights disputes are civil matters rather than criminal ones - whereas similar issues between two living people might well involve a crime being committed.
In most cases, Employer(s) have the right to choose who they hire and under what circumstances they may end such employment relationships. But, there are many laws that constrain this freedom in different ways, and these vary from place to place. In most places, the relevant regulatory authorities tend to favor the rights of the individual Employee(s) over those of the Employer with respect to personal privacy.
Our position herein reflects our agreement that this is generally correct.
Employee Rights Under Law
It is our position that Personal Information is the property of the individual Employee(s) to which it pertains. In many cases, this is true even when it is stored on Business Device(s). In recent years, this has been codified into laws such as Europe's GDPR and the California Consumer Privacy Act.
As such, Employee(s) have the right:
- To be informed about what Personal Information is being Used by Employer(s) and how;
- In certain cases, to have such Personal Information deleted and/or prevent its Use;
- That they are the sole sovereigns of their Personal Device(s) and the terms under which access to these are authorized are at their discretion;
- That using their Personal Device(s) not be required in the course of work for their Employer(s), and to request a reasonable alternative.
Acceptable Usage of Personal Information
Personal Information may be Used for any of the following:
- When it is for the purpose of documenting a support case in the course of providing IT service(s) to Employee(s) or on behalf of Employer(s);
- When it is done in a good faith effort to assist in keeping Device(s) in good working order;
- When it is necessary to ensure that Device(s) remain secure, meaning free from access by unauthorized parties, viruses, malware, backdoors, other harmful software, or the like that may injure Employee(s) or Employer(s);
- When it is done with the knowledge, consent, and/or permission of the Employee(s) or user of Device(s), such as when provided by the user themselves, when control over the Device's user interface is granted, or when explicit written notice is provided;
- When providing confidential archival storage for vital information used for recovery purposes, such as maintaining a backup copy of private disk encryption keys in escrow, or performing scheduled system backups;
- When it is done in a good faith effort to prevent imminent danger, injury, or serious harm to any person(s);
- When required under law or in order to avoid becoming accessory to any criminal activity (please see Interpretation of Criminal Behavior, below, for details).
Prohibited Usage of Personal Information
While all the examples below go well beyond any reasonable Use cited above, we wish to make the following assurances.
Liquid Mercury Solutions' staff are prohibited by company policy from Using Personal Information for any of the following purposes:
- Share or facilitate sharing of any Personal Information with Employer(s), whether on Business Device(s) or Personal Device(s), except as described in Acceptable Usage of Personal Information;
- Go beyond the native capabilities of Employer(s)' business software to assess whether, when, or how often Employee(s) are (or are not) performing assigned work duties, idle, away-from-keyboard, etc.;
- Collect geo-location data from Employee(s)' Device(s);
- Assist in any effort to reclassify Employee(s)' time spent working remotely or from home as vacation, sick-time, PTO, unpaid leave, or the like;
- Assist in any effort to penalize Employee(s) who perform personal activities that are customarily considered routine in a professional setting, such as sending emails to family from an Employer(s)' e-mail account, using Business Device(s) to access Personal Information (e.g. Gmail, banking sites), occasionally making or taking personal phone calls using Employer(s)' phone service or equipment, or taking breaks (e.g. food/drink, lunch, restroom, chat with fellow Employee(s), short errands);
- Track which applications (or websites) are running on Personal Device(s) over time, or other similar data, for the purpose of determining whether Employee(s) are actively using them at certain times of the day (e.g. working hours) or not, whether in aggregate or on a case-by-case basis;
- Block or prevent Personal Device(s) from performing any specific activity, such as visiting a particular website, downloading/executing/installing a specific file, etc. - except as performed by automated system policy or security software for legitimate business or security purposes;
- Wipe / format Personal Device(s) and/or delete / alter any Personal Information unless expressly requested by Employee(s), notwithstanding selective removal of Business Information;
- Make configuration changes, perform system updates, or reorganize Personal Device(s) or Personal Information contained therein without the express knowledge and approval of Employee(s);
- Collect information regarding specific ways Personal Device(s) are being used outside the context of work duties, excepting normal system maintenance, security, and diagnostic data;
- Report to Employer(s) specific details regarding any security-related assistance given to Employee(s) for Personal Device(s) (for example, we will not divulge the origin of a virus, actual or probable);
- Report to Employer(s) or any other party, share, or facilitate sharing of any personal purchase history (e.g. Amazon, GrubHub, Instacart, Uber, etc.), whether for financial gain, health monitoring, or any other reason;
- Report to Employer(s) the presence of specific types of files, information, web site use, or social media activity;
- Report to Employer(s) any information regarding Employee(s)' personal financial dealings outside their relationship with Employer(s);
- Report to Employer(s) any information regarding Employee(s)' actual or potential violations of Employer(s)' moonlighting / side-work policies, provided it isn't obviously apparent that Employer(s)' property and/or resources (including compensation for time/labor) are being used to conduct such activity;
- Report to Employer(s) or any other party, share, or facilitate sharing of any personal health or family-related information that is protected by HIPAA, FLSA, or similar rules or regulations, even in cases where such information may be stored on Business Device(s) or systems (e.g. Outlook reminder for a doctor's appointment, messages from pharmacy or insurance providers, Employee(s)' birth date, anniversary, marital or family status, etc.).
Further, Liquid Mercury Solutions' staff are prohibited by company policy (and shall be terminated immediately) from Using (or attempting to Use) Personal Information for any of the following purposes:
- To gain unauthorized access to Employee(s)' online accounts, such as social media or financial web sites;
- To monitor or track Employee(s)' personal habits, such as music or media preferences, web history, gaming, social media, or similar activities - excluding normal and customary use of online platforms through their own personal account(s);
- To obtain any camera, video, or audio recordings (or broadcasts) without the knowledge and consent of all person(s) present;
- To stalk, spy on, or otherwise invade the personal privacy of Employee(s) in any way;
- To benefit (financially or otherwise) through the sale or trade of such Personal Information with others;
- To impersonate Employee(s) or commit identity theft or fraud;
- To extort, blackmail, intimidate, or threaten Employee(s);
- To intentionally facilitate the execution of any criminal activity, without respect to whether Employee(s) or Employer(s) are the victims of such activity.
System Access Capabilities and Policies
We make the following additional clarifications and commitments to our customers and to end-users of our services, such as customers' employees or affiliates.
Technical Limitations of Access to Personal and Business Information
In general, we do not have access to most personal information stored on mobile devices. Below is a non-exclusive list of information on mobile devices that we do not have access to:
- Browser history
- Call history
- Physical/geographic location
- E-mail messages
- Text messages
- Contacts
- Passwords
- Calendar
- Camera Roll
System administrators do not generally have direct access to communications or personal files of employees, whether or not they are the property of the business. Below is a non-exclusive list of information that we do not have access to:
- Contents of individual company e-mail boxes
- Contents of specific OneDrive [for Business] folders
- Contents of specific Teams chats to which we are not a party
Delegated Access in Specific Cases
It is important to understand that administrators may be granted indirect or "delegated" access to company email or files through other systems which are outside the phone or mobile device.
Also, in some cases, customers' company policies may enforce retention of these emails even after they are deleted.
In such cases, the following apply:
- HR departments (and employment laws) typically require that administrators' access to these shall remain limited.
- To prevent eavesdropping and provide accountability, the system generates clear notification to others (e.g. all system admins) indicating that such delegated access has been granted for a specific user.
- Customers are responsible for communicating with end-users about their own privacy and electronic device usage policies.
System Monitoring Capabilities
Our systems do allow us to maintain configuration information, scan for security vulnerabilities, and (in some cases) take screen captures for support purposes. Below is a list of information that is collected from mobile devices:
- Model and serial number
- Operating system and version
- Names of installed apps
- Device owner information
- Device name
- Device hardware manufacturer
Where mobile device screen capture is possible, our policy is that we will only do so in a support context or to help recover a stolen device. The end-user and/or owner of the device will always be made aware that we are capturing screen data.
Global Administrator Access
Global Administrators have unfettered access to all systems in MS365 - at least in theory. Thus, over the years, the topic of Global Administrator level access comes up often. This section seeks to address the concerns and safeguards associated with this level of access and its use.
The following facts are true with respect to Microsoft's policies and guidance regarding Global Administrators:
- Microsoft discourages the creation of more than just a few Global Administrator accounts within a given tenant.
- All Microsoft Partners are required to use Multi-factor Authentication for all logins which have Global Administrator access. While this is not a requirement for accounts in the client's tenant, we strongly encourage clients to use it there also.
- Clients are free at all times to revoke any granted Global Administrator permissions. This is implemented in Microsoft Admin Center and explicitly spelled out in the Microsoft Cloud Agreement.
There are several legitimate exceptions to this guidance:
- For example, the industry is behind in providing support for modern authentication (e.g. MFA, ADAL/MSAL) and therefore not all tools will work with it.
- It is considered best practice to create at least one "break glass" account that is an exception to MFA policies, for emergency use during outages of the MFA system.
- Microsoft's own systems and distribution channels for delivering product licenses to customers often fail to work properly without Global Administrator access.
- Though steps have been taken in recent years to reduce dependency on Global Administrator access, there nevertheless remain certain actions which can only be done by a Global Administrator in a manner that can't be mitigated.
- Some of the recommended mitigation strategies are out of reach for smaller organizations due to licensing costs or technical complexity.
- Large organizations may need more than just a few administrator accounts.
In light of the above, we adhere to the following standard policies and practices with respect to the creation and use of Global Administrator access for our clients:
- We will create a single Global Administrator account for use by our staff when needed. This login will have the username "LiquidHg" and is always clearly identified as belonging to us. Its password is stored securely in the manner described elsewhere in this document, and its use is subject to auditing.
- Access to customer data and/or systems via Microsoft Partner Center is restricted to those with a "need to know" and comprises a very small group of individual Liquid Mercury Solutions staff. All activities conducted through Partner Center are logged to the fullest of that system's capabilities and visible to both Microsoft and LMS.
- If one does not already exist, we will create a Global Administrator login for the customer's use, for which we assign a temporary password and do not retain the ability to use or access it. Credentials for this account should be changed and stored securely.
- We will always and unconditionally enable security notifications to alert other administrators where Delegated Access to an individual's emails or files has been granted.
- We will always and unconditionally enable all auditing capabilities within the target tenant so that any and all activities conducted with this privileged access are recorded. Not only does this provide accountability for our staff, but it is a vital aspect of co-management that allows us to know when other admins outside Liquid Mercury staff have made changes.
- Where feasible and necessary, we will implement limited access roles through RBAC in order to reduce the number of logins requiring Global Administrator privileges. Please note that in these cases, clients will likely incur additional expenses for licenses and/or services that enable this approach.
- Where required for compliance (e.g. NIST, ITAR, etc.), we will conform to requirements that such accounts be assigned to individual persons (and not shared), support the account using only US domestic staff, implement Privileged Identity Management for as-needed elevation of access, or conduct required background checks and/or clearances. Please note that in these cases, clients will likely incur additional expenses for licenses and/or services that enable these approaches.
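The two commitments above about delegated-access notifications and tenant-wide auditing can be checked from the Exchange Online side. The script below is an added example, not Liquid Mercury Solutions' own tooling: it confirms that unified audit log ingestion and mailbox auditing are switched on in the target tenant (enabling them if not) and then lists every recent grant of access to someone else's mailbox or folder, which is the event the peer-notification policy exists to surface. It assumes the ExchangeOnlineManagement module and an account holding an Exchange administrator role; `$AdminUpn` and the lookback window are placeholders.

```powershell
# Added example (not the provider's code): verify tenant auditing is on and report
# delegated-mailbox-access grants from the unified audit log.
# Assumes: ExchangeOnlineManagement module, an Exchange admin role in the tenant.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,   # placeholder, e.g. LiquidHg@<tenant>.onmicrosoft.com
    [int] $LookbackDays = 30
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Unified audit log ingestion must be on, or Search-UnifiedAuditLog returns nothing.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it (records appear after a delay)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing must not be disabled at the organization level.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled org-wide; re-enabling."
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Operations that grant one user rights over another user's mailbox or folders.
$ops   = @("Add-MailboxPermission", "Add-RecipientPermission", "Add-MailboxFolderPermission")
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$report = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # AuditData.Parameters is a list of {Name, Value} pairs for the cmdlet that was run.
    $p = @{}
    foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }
    $grantee = if ($p.ContainsKey('User')) { $p['User'] } else { $p['Trustee'] }
    [pscustomobject]@{
        When      = $d.CreationTime
        GrantedBy = $d.UserId        # the admin who issued the grant
        Mailbox   = $p['Identity']   # whose mailbox or folder was shared
        Grantee   = $grantee
        Rights    = $p['AccessRights']
        Operation = $d.Operation
    }
}

# Anything listed here should match a documented, notified support request.
$report | Sort-Object When -Descending | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

`Search-UnifiedAuditLog` caps a single call at 5000 records; for larger tenants or longer windows, page with `-SessionId` / `-SessionCommand ReturnLargeSet` or narrow the date range. Running this on a schedule and comparing the output against the support ticket queue is a simple way to prove the "notify other administrators" commitment is being honoured rather than assumed.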
Service Account Policies
It's a given in IT that certain systems require privileged access at various levels and that this access is generally given through the creation of a service account. Such logins are stored within system applications, which run under the service identity and access data on behalf of the application users.
The following policies apply with respect to the use of such service accounts, wherever such service accounts provide an indirect or proxy means to elevated, privileged, or administrator access.
Any end-user logins for such systems or applications (having indirect access to such privileged information) shall adhere to all the same policies described herein, as if those logins were equivalent to privileged credentials. Specifically, but not limited to:
- End-users shall not have direct access to the service account credentials.
- Privileged end-user accounts must implement MFA.
- Activity of end-users shall be logged and/or audited.
- Rights should be limited on a "need to know" basis.
- Peer notification for specific sensitive uses shall be enabled wherever feasible.
- Policies regarding how such logins are used (for example, browser containers) shall apply.
- Policies must be in place and followed for offboarding departing users.
- Any known or probable breach must be promptly reported.
Implied Administrator Access to Content
By contrast, certain systems are generally considered to be community spaces, and thus the role of administrator support is implied. Extra steps need to be taken to secure their contents in a manner that would prevent administrators from accessing them. These include:
- Files in SharePoint Libraries not housed in OneDrive [for Business]
- Files stored on individual computers
- Video recordings in Stream
Additional Privacy Methods Available to the End User
Those users or groups who wish to conceal information in such a manner as to be certain that administrators cannot access the contents may use any of the following methods to do so (listed by order of complexity):
- Create a password protected ZIP file.
- Password protect the contents of any Office document.
- Create an encrypted drive through BitLocker or TrueCrypt, which may include use of passwords or private keys.
- Implement Privileged Identity Management (AAD Premium Plan 2) to allow administrator access on an as-needed basis.
- Implement Azure Information Protection (Rights Management) to encrypt files or entire libraries and allow only specific users or groups to access the contents.
- Implement least-privileged access through RBAC or other methods.
- There are other, more technically involved regimes to limit such administrator access that are generally only within reach for large organizations.
If you require instruction in the use of any of the above methods, our staff are happy to support you in this, subject to applicable service charges.
Remote Wipe Capabilities and Policies
The following apply to our treatment of device "remote wipe" capabilities:
- Not every device has the same capabilities, which depend on the OS and software in use. For example, older smartphones may only support "full wipe", which is tantamount to a factory reset.
- Where a data wipe is requested by the employer, such as on termination, we will perform "selective wipe" rather than "full wipe" in all cases where this is an option.
- We will only wipe a device upon request, as is consistent with our overall policy. It is the customer's responsibility to make such requests on an individual basis.
- We encourage all clients to take reasonable steps to cooperate in offboarding their departing employees and thus limit the need for draconian practices to those circumstances where they are justified.
- One exception to the above is that if the end-user and customer notify us that a device has been lost or stolen, and both have agreed that a "full wipe" is recommended, we will perform a "full wipe" of the device once we have done an identity check and confirmed this is the case.
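The distinction drawn above maps directly onto two Intune device actions: "retire" (the selective wipe, which removes company data and management while leaving personal data in place) and "wipe" (the factory reset). The following script is an added example, not the provider's own tooling, showing how an offboarding helper can encode the policy: the selective wipe is the default, and a full wipe is only issued when the caller asserts the lost-or-stolen case, records the identity-check / dual-approval reference, and types an explicit confirmation. It assumes the Microsoft.Graph.Authentication module and an account permitted to perform privileged device operations; `$DeviceName` and `$TicketRef` are placeholders.

```powershell
# Added example (not the provider's code): policy-gated selective vs. full wipe via Microsoft Graph.
# Assumes: Microsoft.Graph.Authentication module; DeviceManagementManagedDevices.PrivilegedOperations.All.
param(
    [Parameter(Mandatory)] [string] $DeviceName,                     # placeholder device name as shown in Intune
    [ValidateSet('Selective', 'Full')] [string] $Mode = 'Selective', # selective wipe is the default
    [switch] $LostOrStolen,                                          # required for a full wipe
    [string] $TicketRef                                              # placeholder: identity check / approval record
)

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.Read.All" -NoWelcome

# Find the Intune record. Filtering client-side keeps this independent of $filter support.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=id,deviceName,userPrincipalName,operatingSystem"
$all = Invoke-MgGraphRequest -Method GET -Uri $uri
$dev = @($all.value | Where-Object { $_.deviceName -eq $DeviceName })
if ($dev.Count -ne 1) { throw "Expected exactly one device named '$DeviceName', found $($dev.Count)." }
$dev  = $dev[0]
$base = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($dev.id)"

switch ($Mode) {
    'Selective' {
        # Retire = selective wipe: unenroll and remove company apps/data, personal data untouched.
        Write-Host "Retiring $($dev.deviceName) for $($dev.userPrincipalName): company data only."
        Invoke-MgGraphRequest -Method POST -Uri "$base/retire"
    }
    'Full' {
        # Policy gate: full wipe only for a lost/stolen device confirmed by both user and customer.
        if (-not $LostOrStolen) { throw "Full wipe is only permitted for devices reported lost or stolen." }
        if ([string]::IsNullOrWhiteSpace($TicketRef)) { throw "Supply the identity-check / approval reference in -TicketRef." }
        $prompt = "FULL WIPE (factory reset) of $($dev.deviceName) for $($dev.userPrincipalName), ref $TicketRef. Type WIPE to proceed"
        if ((Read-Host $prompt) -cne 'WIPE') { Write-Host "Aborted."; Disconnect-MgGraph | Out-Null; return }
        Invoke-MgGraphRequest -Method POST -Uri "$base/wipe" -Body @{ keepEnrollmentData = $false; keepUserData = $false }
    }
}
Disconnect-MgGraph | Out-Null
```

For tenants with more than one page of managed devices, follow the `@odata.nextLink` returned by the listing call before filtering. Keeping the full-wipe path behind a switch, a recorded reference and a typed confirmation means the routine, consent-free operation is the selective one, which is the behaviour the policy promises end-users.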
Interpretation of Criminal Behavior
We make reference above to certain exceptions where criminal activity is involved. Let us be clear what we mean.
Someone might make the argument "If you're idle while being paid to work, or you take home a box of pencils, then you're stealing from your Employer(s)." It's true that people often feel this way, but it is a hard line position to take. On the other hand, if you entered the office after hours and removed all the computers and furniture, few people would argue whether or not a theft had occurred.
What if you downloaded the company's customer database and took it home? What if you sold it to a competitor? Would it matter if you didn't?
Suddenly, we realize that what constitutes a crime isn't always clear. Considering that violating an individual's right to privacy might itself be criminal, we need to be thoughtful and cautious.
Therefore, when we speak of criminal activity, this should not be taken as justification for draconian surveillance of Employee(s). We believe that Employer(s) have sufficient tools through other methods to determine whether Employee(s) are productive, and do not wish to enable such authoritarian and toxic micro-management.
Even so, there are also serious crimes, and sometimes evidence of this becomes apparent during the course of otherwise boring IT work.
Consider just a few possible examples of varying degree:
- Possession of copyrighted materials (for example: video games, music, or movies) where it's unclear whether the owner has purchased rights to these works.
- Visibly smoking marijuana during a video conference, whether or not the location of the participant is known.
- Video footage of person(s) committing criminal acts (for example, vandalism or setting fires), where the victims and time of the acts are unknown.
- Images (or other works of art) depicting persons of questionable age, within a larger collection of adult materials.
- Written evidence of chat or email communications that may involve extortion or intimidation.
- A teleconference that gets interrupted in real time by an act of violence.
Some of these are common occurrences in IT tech support. Others are examples taken from recent or past news. One can see there is a wide range of activities that need to be considered.
There's no perfect answer here. As a company, we have no right to demand that any person (either our employees or customers) follow our interpretation of morality or the law, especially where it may be against their own interest to do so.
Compounding this complexity is the issue of witnesses' dilemma. Those who come across reportable criminal activities would often prefer to remain silent, rather than become directly involved. Sometimes this is a matter of inconvenience, but quite often it's due to concerns about personal safety.
Seriousness of Circumstances
The following circumstances apply when considering whether to act on activity that might be considered a crime:
- Certainty - Is this something that most reasonable people would agree with you that it is against the law, or would you need a lawyer to make that argument?
- Statutory Nature - Is the potentially criminal behavior simply a matter of regulation (a so called victimless crime) or is there a clear victim whose rights are being violated?
- Actual Harm - Is the damage done purely financial, or is an actual person's life or limb at stake? Is this a matter of just a few dollars in damages, or are tens of thousands of dollars being embezzled? Is the damage done something you can point to directly, or is it only hypothetical?
- Effort - How hard did you have to dig to find this information? Was it stumbled upon or was it deliberately sought out?
- Imminence - Is this something that's happening right now, likely to happen very soon, or already happened at some point in the past?
- Intent - Is it clear the person committing the act knows that it is wrong? Are they aware this is a crime for which they may be punished?
- Justice / Fairness - As the observer do you believe the law is fair, or would be applied fairly in this case?
- Personal Liability - If you decided to look the other way, are you at risk yourself of being guilty as an accessory to a crime? Would you be ashamed if your chosen behavior somehow became public?
- Personal Risk / Safety - If you were to intervene or otherwise get involved, what's the risk that you might come to harm yourself as a result?
Protected Activities
Finally, when known or learned (either intentionally or otherwise), except when required to do so under the law, neither Liquid Mercury Solutions nor its staff shall be compelled or induced to report or share with Employer(s), relevant law enforcement authorities, or other parties any information about Employee(s) regarding any of the following:
- Political, religious, or philosophical beliefs, preferences, or affiliations;
- Exercises of protected speech under the US Constitution's First Amendment;
- Lifestyle choices, including but not limited to interests, hobbies, or other matters of taste;
- Economic status, creditworthiness, or evidence of financial hardship;
- Age, marital status, living arrangements, or family circumstances;
- Matters relating to gender identity or sexual preferences;
- Drinking, smoking, drug use, substance abuse, or addictions;
- History or current status of criminal, misdemeanor, or civil legal matters;
- Indications of physical, emotional, or mental wellness or illness;
- Any person(s)' citizenship, immigration status, or national origin;
- Matters for which legality is inconsistent and/or controversial among the various jurisdictions of the United States (e.g. drinking in a dry county).
Our Process Regarding Compliance with Law Enforcement
As described above, it is difficult to determine whether observed activity should be considered criminal. And even if it is, reporting that crime is another matter. At the end of the day, the choice of how to behave in a given situation is up to the individual(s) directly involved.
Therefore, we provide our staff a framework for "doing the right thing" in the safest possible manner. We encourage our staff to use their own good judgment, and make ethical choices wherever possible.
Cases of Clear and Present Danger
Firstly, if any observed activity:
- Is certainly a crime;
- Has clear victim(s);
- Is happening or about to happen now; AND
- Causes imminent or actual harm to life, limb, or property;
then our staff are advised to act immediately and contact local authorities through 911 to report the incident.
If the witness to such activity feels that they would be endangered by remaining in a voice or video conference, our advice is to first disable the camera and then mute the microphone. Do not hang up or drop the call under these circumstances, as the open session may be the only record of the incident.
Acts of Cybercrime
We make a special exception for acts of hacking, cybercrime, cybertrespass, or cyberespionage. These are generally understood to be criminal in nature, and an insider threat from a client's own employees or other associates is a realistic possibility.
In these cases, we will always treat such matters as criminal in nature and as posing a clear and present danger to the client's business or to other individuals. We will act first to protect our clients' interests, and then report such activity as needed to the appropriate law enforcement agencies, such as the FBI.
While by no means an exhaustive list, here are some specific examples of hacking activity that may involve a client's employees:
- Unauthorized access to another employee's email or other communications;
- Installation of malware, backdoors, or stalkerware on another employee's computer;
- Attempts to determine another employee's credentials, whether by brute force or through surreptitious means such as phishing or shoulder surfing;
- Installation of hardware monitoring devices, such as a keylogger.
Safe Alternatives to Law Enforcement
Certain cases don't quite rise to the strict standard cited above, yet the safety of individual people may still be at risk. For example, a person may be experiencing mental or emotional distress, a drug overdose, or another medical issue.
Further, as a company we are keenly aware of the fact that involvement of law enforcement in certain cases does not necessarily produce the best outcomes for individuals involved, whether they be victims or others.
In such cases, we ask our employees to consider viable alternatives to law enforcement that would best protect the lives of everyone involved. Where it is feasible to do so, we encourage our staff to directly contact community liaisons, social workers, or paramedics.
We recognize that the remote nature of our work sometimes makes this difficult or impractical. As such, for areas where we have many customers, we will provide a directory of resources to assist our staff in finding the right agency in a given area. Failing this, the final recourse in any given situation remains the use of and reliance upon emergency services.
Our Adjudication Process for Other Circumstances
For any matters that do not pose a clear and present danger, our staff are advised to use their own discretion to determine whether an act rises to the level of needing to be reported to law enforcement.
If the individual encountering such activity is uncertain, Liquid Mercury Solutions will provide that staff member with written forms and an interview process so that the determination can be made as an organization.
These forms and process serve to evaluate the activity on the basis of the Seriousness of Circumstances and Protected Activities described above, as well as other material circumstances and factors. They collect the facts of the matter in the words of the individual witness, along with any information regarding the disposition or whereabouts of supporting evidence. No actual material evidence is collected during this process.
The information collected by such form(s) and interview(s) is provided directly to our legal counsel, and shall remain anonymous and confidential under instructions from management to our legal team. No other member of our staff shall be privy to such information until such time as counsel deems it necessary and appropriate.
In the event that legal counsel determines that the described acts should or must be reported, our legal counsel will handle such communications on behalf of the staff. Should staff wish to remain anonymous, they may do so.
Once such matters are handed over to law enforcement, our staff shall not be required to engage in the collection of material evidence or in further surveillance. We will cooperate with any lawfully issued subpoena or search warrant, as required.
Staff Right to Refuse Service
Our staff always retain the right to refuse service to any individual for reasons of interpersonal conduct or personal safety. Being witness to potentially criminal activity is among the reasons that our staff may wish to avoid contact with an individual during the course of providing service.
As part of the above policy and adjudication process, staff will be asked whether they wish to avoid further contact with the user in question. In such cases, we as a company will respect the wishes of any person(s) wishing to avoid further contact, and they will not be compelled to interact with the customer in question, or with that customer's employer if necessary.
In the event that no member of our staff is willing to engage with that particular customer, we will inform the customer's employer (our client). In certain extreme cases, such as where the individual in question is the owner of the client company, this may require us to cancel the client's services. We reserve the right to do so, as needed.
Definitions
"Business Device(s)" are phones, tablets, laptops, desktop computers, routers/switches/firewalls, or other similar computing devices which are the private property of Employer(s).
"Personal Device(s)" are phones, tablets, laptops, desktop computers, routers/switches/firewalls, or other similar computing devices which are the private property of Employee(s).
"Device(s)" includes any combination of Personal Device(s) and/or Business Device(s), when taken together as a group.
"Device Usage Information" shall be taken to mean a broad category of information and metadata describing when, where, and how Device(s) are operated, including but not limited to:
- Human input device information (or the lack thereof), including specific keystrokes and mouse movements or clicks, as well as any text produced by such input.
- Actual computer usage data, such as CPU activity, or information regarding which application(s) is/are loaded, running, or "in focus".
- Images captured from the computer screen, desktop, or digital camera.
- Audio information, whether taken from an audio input device such as a microphone, output to speakers or another device/channel, referenced in files such as MP3s, or present in audio metadata.
- Network traffic, including content or metadata from streaming media services, file sharing applications, or other online resources.
- Web site activity, whether obtained through the browser or from network traffic.
- Information obtained through analysis or derivation of any of the above activities, whether at a specific point in time, over a period of time, or as an overall frequency.
- Other system logs, diagnostic data, or configuration information.
"Personal Information" includes:
- Web browser history;
- Personal files or data, whether content or metadata, including but not limited to photographs, images, media files, documents, emails, chat messages, or other interpersonal communications;
- Social media account names or activities;
- Any usernames or passwords used for personal accounts;
- Device Usage Information, when gathered from Personal Device(s).
"Business Information" includes:
- Files or data that are the property of Employer(s), regardless of where they are stored or whether they are content or metadata, including but not limited to photographs, images, media files, documents, emails, chat messages, or other interpersonal business communications;
- Credentials for, or activities on, accounts owned by the Employer(s), such as social media, business financial systems, or services such as Microsoft 365;
- Device Usage Information, when gathered from or pertaining to Business Device(s) or the Employer's information services or systems.
In general, "Use" or "Usage" of such Business Information or Personal Information means that it may be monitored, gathered, collected, retained, analyzed, or shared with Employer(s) or other parties.