Michael Overly, technology partner at Foley & Lardner LLP, said companies should notify their employees that, "business systems should not be used for personal or private communications and other activities, and that the systems and data can and likely will be reviewed, including through automated means."
But he agreed with Nayyar that privacy is necessarily limited in the workplace. "Employees must understand that if they want privacy with regard to their online activities, they need to use a means other than their employer's computers, like a smartphone or a home computer," he said.
That is also the view of Troy Moreland, chief technology officer at Identity Automation. "In general, if employees are using employer-provided equipment, they have no right to privacy as long as it's clearly expressed," he said.
But Joseph Loomis, founder and CEO of CyberSponse, said such policies, if they are too heavy handed, can cause morale problems. "I believe it's justified," he said, "it's just that there are various opinions on what type of privacy someone is entitled to or not."
He said it would likely take significant "training, education and explaining" to eliminate the feeling of a "Big Brother" atmosphere in the workplace.
Gabriel Gumbs, vice president of product strategy at Identity Finder, said he believes the potential for morale problems is real. "At the core of UBA is an unspoken distrust of everyone, not just the rogue employees," he said.
Matthew Prewitt, partner at Schiff Hardin and chairman of its cybersecurity and data privacy practice, said one problem with predicting misconduct is that it can become self-fulfilling. "An employee who is viewed with mistrust and suspicion is more likely to become a rogue employee," he said.
He agrees that there is a limited expectation of privacy in the workplace, especially on the corporate network. But he said a "creative advocate" for an employee could argue that, "UBA is so different from other types of monitoring that some sort of express reference to UBA needs to be provided in the notice."
Loomis added that in states not governed by "right-to-work" laws, UBA, "will cause legal issues if one terminates without cause other than predictive intelligence."
And Gumbs said U.S. courts have ruled that workers have a reasonable expectation of privacy in the workplace. "I could not envision a scenario where behavioral prediction would not cross this line," he said. "Only matters of national security could plausibly supersede such rulings."
Advocates of UBA emphasize that it is not aimed just at tracking those with criminal intent. While malicious rogue employees can cause the most damage and tend to get the most headlines, they are relatively rare.
The much larger problem, they say, is from unintentional rogues — those with too many access privileges, who use "shadow" IT and/or who are simply lazy or careless.
Sign up for CIO Asia eNewsletters.