Providing access for employees to email, the Internet, and other technology has become indispensable to your company's business operations. Your employees' use of technologies like email, cloud computing, SaaS systems, and external social networks can greatly increase their productivity. But beware; potential liability may follow such use in ways you can't imagine. What follows are some hints for staying out of trouble.
Many employers have reacted to the risks associated with the employee's use of technologies such as email and the Internet by installing filtering and monitoring devices. While this may be the right step for some, it's not the most important step to take and it's not right for everybody.
The most important step for every company is the adoption of a policy addressing the acceptable use of the company's IT. No employee handbook is complete without it.
A well-drafted computer acceptable use policy (AUP) will address issues such as computer system integrity and security, employee productivity, preventing legal liability from claims of sexual harassment, copyright infringement, defamation, and protecting trade secrets. The goal is to provide a policy that protects the legal "backside" of a company, while respecting the privacy and free speech rights of its employees. It can be a tough balancing act, but when in doubt, protect the company.
Before beginning the process of drafting a policy for your company, some issues need to be addressed. What employee activities do you need to monitor for valid business reasons? What company information do you want to protect? Which employees should have access to sensitive data? What back-up and security measures are presently in place (passwords, encryption, etc.)?
In general, an employer can monitor e-mail and Internet activity for valid business purposes. Still, privacy laws differ from state to state and are still developing. The conservative route is to have employees sign a consent form.
An appropriate clause might read, "XYZ Corp. may engage in monitoring of Internet and e-mail activities for any business purpose, including employee supervision." While you may think that you want a broadly drafted AUP that allows you free rein to systematically monitor your employees' Internet habits for any reason, you may want to balance this with an employee's expectation of privacy.
I often advise the adoption of a policy that you wouldn't mind fully describing to a potential employee. If you decide security or productivity concerns warrant screening your employees' e-mail and Internet activities, you should spell out these reasons in your AUP.
Additionally, you may want to include written procedures for the disclosure of an employee's e-mail messages or computer files to third parties. Typically, you would restrict third-party disclosure to situations where disclosure is compelled, such as by a subpoena.
Providing an Internet connection for employees means they have quick and easy access to non-work-related material. Not only does this access threaten productivity, it can expose your company to liability.
For example, employees who visit adult sites while at the office could be creating a "hostile work environment" under sexual harassment laws. Furthermore, these sites can leave "cookies" on your hard drive that would be damaging evidence in a harassment or discrimination lawsuit. For this reason, prohibiting access to adult material on the Internet is an essential part of your AUP.
You may also want to further restrict Internet activities to work-related matters only. Not only would this address the productivity concern, but it may also prevent a drain on your computer resources.
On the other hand, employees may not look too kindly on a policy that restricts their e-mail to work correspondence. Whether for financial or practical reasons, many people do not maintain an e-mail account outside of work. The occasional sending and receiving of personal messages to work e-mail accounts has become commonplace and isn't likely to strain your system. You'll have to decide if you want to permit it in your company.
It's Not the Phone
Many people treat their e-mail messages more like a phone conversation than a written letter. They speak their mind carelessly without thinking that the message will be saved on many hard drives and is disseminated all too easily with the "forward" button. E-mail also has this pesky habit of hanging around in in-boxes, recycle bins, backup tapes, and even empty sectors of a hard drive. These messages can come back to haunt a company during discovery requests. In fact, in recent years, e-mail has provided some of the most devastating evidence in harassment and discrimination lawsuits.
Your AUP should restrict the use of any type of offensive, harassing, fraudulent, defamatory, or otherwise illegal language in e-mail communications. Some companies even require the use of signature files or text that discloses the limitations of an employee's authority to speak on behalf of the company.
Your AUP should also address the protection of trade secrets or client information. It might state that proprietary company information should not be sent out over the Internet, or where appropriate, should be encrypted first. In addition, employees should be aware of their responsibility to safeguard their ID and password information.
Encryption creates its own unique set of issues. After all, what's the use of obtaining consent to read employee e-mail if an employee encrypts it with their own encryption software? The solution is a clause that says something like, "Employees may encrypt their e-mail and files only with software approved by XYZ Corp. XYZ Corp. may require a copy of any key necessary to access encrypted e-mail messages or files."
You should also be concerned about the potential exposure of your company's system to computer viruses that accompany programs downloaded over the Internet. An employee who thinks they are downloading a harmless game or work-related program could end up crashing your entire system. Your AUP should tell employees the required steps and procedures to check files for viruses.
Copyright infringement claims can arise from such seemingly harmless actions as copying graphics for screensavers or wallpaper, forwarding an e-mail message, or copying another employee's software or shareware program. Your AUP should include a clause that prohibits the dissemination or printing of copyrighted materials, including software programs.
Finally, you should consider including a statement of the disciplinary actions you might take against an employee who violates the AUP. Such penalties may range from a warning to suspension of Internet privileges to termination.
While this article has mentioned some of the concerns that an AUP might address, it's in no way exhaustive. Professional advice is essential. Mistakes here could leave you open to substantial legal liability.
Still, there is no one-size-fits-all policy. You have to consider your business needs, your corporate culture, and the law. Then you need to make policy decisions that work for you and your company.