Note to Staff: "That Computer Is Ours" — Implementing an Electronic Use Policy
A small St. Paul, Minnesota, law firm had a tough decision to make. A promising, young associate had downloaded pornographic images on his office computer, and others working in the firm had seen him do so. The firm shareholders were angry at the young attorney’s carelessness, as well as the difficult situation he had put them in. In the end, they knew he had to go.
As difficult as it was, the firm’s process might have been made easier had a formal electronic use policy been in place. Electronic use policies serve the vital purpose of protecting the integrity of a firm’s network storage and information systems, as well as sheltering a firm from potential liability resulting from misuse of its electronics and the release of private information. Such policies also put employees on notice that the firm may, at any time, monitor employee use of its technology tools.
In the case of the St. Paul firm, an electronic use policy that unambiguously prohibits downloading sexually explicit content would make it clear to employees that this conduct is prohibited and provide the firm with parameters regarding acceptable use of its electronic equipment. Such a policy wouldn’t make the consequential decision for the firm, but it would sure help those responsible for the final outcome.
“The advantage of a really good policy is that you can fire someone for violating it,” says Don Nichols, managing partner of the employment practices firm Nichols Kaster and Anderson, PLLP, of Minneapolis, Minnesota. “Otherwise, the employee can allege that the firing was for some other reason.”
For years, businesses and large organizations have turned to electronic use policies to define what is acceptable use of electronic equipment for employees, students, and other individuals with access rights. A good electronic use policy can prevent employee misconduct as well as thwart behavior that would typically corrupt a database.
Employers have found value in an electronic use policy to address several common concerns:
Acceptable use of email. Email messages designed to threaten, intimidate, or harass the recipient with racial slurs or sexual implications, or to forward information that is derogatory, defamatory, or obscene are disruptive to the workplace and may subject the employer to workplace liability.
Transporting confidential data off-site.Data involving confidential client information and proprietary information essential to the organization’s success can get into the wrong hands if it is transported off-site through the use of laptops, PDAs, and flash drives.
Password accountability. Most hacking is done through the keyboard, and a simple but strong password can easily thwart it.
Adding or removing software. The indiscriminate addition or removal of software increases the network’s vulnerability to viruses, Trojan horses, worms, and spyware, and also exposes the organization to potential licensing violations.
Limitations on the Internet. Sexually explicit and offensive websites may also subject the employer to liability concerns, and excessive personal use of the Internet generally affects overall employee productivity.
Copyright infringement.File sharing or the unauthorized transfer of copyrighted materials such as movies, music, and games violates federal anti-piracy laws and exposes the computer owner to confiscation and seizure of the hardware.
Control of company property.By engaging in private consulting and outside work, employees assigned electronic equipment may be engaging in personal use activities to an extent where the use comes in conflict with the organization.
Protecting the company image.Employees accessing the Internet or sending email containing the organization’s domain address (e.g.,firstname.lastname@example.org) may be perceived as reflecting on the character and professionalism of the organization.
Accessing external email accounts. Websites hosting private email accounts open a doorway through an otherwise secure firewall by allowing potentially damaging email attachments into a firm’s network or facilitating the unauthorized transfer of company data.
Implementing a Policy
Concerns about employee use of firm-owned electronics are often apparent, but creating a policy to alleviate the concerns is usually a more difficult task.
Employers who take up the task of creating a permissible electronic use policy are often surprised to find that a typical employee has an expectation of privacy when using the firm’s equipment for personal matters. Despite the complexity and expense of computers, PDAs, and other technology devices, employees will sometimes assume a degree of ownership of firm-owned equipment that is often used for personal activities.
To alleviate any confusion, many employers initially created electronic use policies that banned all personal use, and many of these policies are still in place today. Experts often warn employers who design bright-line rules that prohibit all personal use that they will be frustrated with an unworkable policy. “Many companies have ‘no personal use’ policies,” says Nichols, “And virtually everyone violates it.”
Instead, Nichols recommends employers implement a realistic electronic use policy allowing incidental and occasional personal use that does not interfere with the employee’s work performance or adversely affect the operation of the computer system. “The Internet is an extremely valuable resource for any business, and you can’t clamp it down,” says Nichols. “If [the Internet] is too restricted, you wind up not using the filtering system and leaving it wide open.”
When creating an electronic use policy, the firm should deal head-on with the issue of acceptable personal use and declare that employee activities are not private. By stating explicitly that no user should have any expectation of privacy in any file, image, or data created, sent, or retrieved, the policy sends a clear message that, although the firm might allow limited personal use in the work environment, monitoring by the firm may occur at any time and without notice.
Outlining acceptable personal use is largely a matter of defining what is not acceptable. For example, personal use of the firm’s electronic equipment should not be excessive or interfere with the normal operations of the information system. A statement that the firm’s information system should not be used to distribute offensive and disruptive information should be followed by examples of content that the firm considers to be offensive or disruptive, including content about sexual matters, racial slurs, sexual orientation, ancestry, and disability.
For Nichols, one of the top reasons a law firm should implement an electronic use policy is to guard against the trail of junk left in the wake of a rogue employee that can haunt the firm involved in an employment dispute. With information systems being what they are, employment litigators can pour over massive amounts of data showing e-mails and Internet activity detailing not only what the employee was looking at and the actions that they took, but the precise times that they were involved in the questionable conduct.
“The thought process is almost discoverable,” says Nichols, who recently handled a case involving allegations of male-on-male sexual harassment. The case investigation of the employee’s computer activity, Internet page history, and “cookies” revealed the employee spent much time observing web pages with sexually graphic depictions similar to those involved in the case allegations. Such an intimate look into the depth of an employee’s online activities causes Nichols to observe, “You can almost figure out what a person is thinking. The days of ‘he-said/she-said’ are over.”
The discovery process for an employer involved in a workplace dispute can be a painful ordeal that leaves the organization feeling exposed, embarrassed, and frustrated. Discovery requests under Federal Rules of Civil Procedure 26(b) and 34(b) involving electronic data are commonplace, often producing enormous amounts of email data spread wide and deep over an entire organization. Adding to that, the firm may be named as a deponent under a Rule 30(b)(6) subpoena, subjecting a firm representative to account for knowledge the firm may have had about an employee’s behavior revealed in old e-mails, text messages, web postings, and Internet activities. Such a process of suing an organization is aptly described as “taking the bark off the tree.”
Implementing an electronic use policy creates its own set of duties that the employer must adhere to. Those employers who take the policy a step further by actively and routinely monitoring employee Internet and web activity must be prepared to follow through on knowledge of objectionable behavior. For example, if in the course of IT activities it is revealed that an employee’s e-mail activity violates a prohibition on harassing and intimidating e-mails, anything less than prompt and effective remedial action leaves the employer exposed to allegations that, when made aware of a hostile work environment, the employer did nothing.
Moreover, if Internet and email monitoring is inconsistent and focused on just a few employees, such a sporadic method of monitoring can be alleged to be a discriminatory practice of invasion of privacy. To protect against the claim of discrimination, it is necessary for a firm to be consistent in its use of electronic monitoring.
What to Include in the Electronic Use Policy
In a survey conducted in 2007 by the American Management Association (AMA) and the ePolicy Institute, 84 percent of responding organizations revealed they let employees know that the company is monitoring their computer activity. Previous surveys by AMA have revealed that only 31 percent of employers have a policy regarding instant messaging (IM) in the workplace, 27 percent have a policy involving personal cell phone use at the office, and only 9 percent have a policy regarding the operation of personal blogs on company time.
Although many employers have acted upon and established policies addressing their concerns regarding email and Internet usage, many other common forms of electronic usage that can disrupt employee workflow or corrupt company data are often ignored or forgotten.
Also, because technology innovations change so rapidly, what may have been a good and thorough electronic use policy two years ago is likely to be stale and out-of-date today. The sheer speed of change in communications and e-tools, including social networking formats, smart phones, and personal blogging sites, may be one major reason why so many employers that have electronic use policies don’t address common technology matters found in the workplace today.
A good electronic use policy should address the acceptable use (and prohibitions) of all electronic tools, devices, and formats accessible to employees in the ordinary course of their workday. This is not easy to do, and the ever-changing nature of technology is one important reason why the policy should be reexamined every 12 to 24 months.
When writing an electronic use policy today, employers should consider including the following topics: business email decorum, personal use of business email, personal email accounts, instant messaging, text messaging, business phone etiquette, personal use of business phones, personal use of business cell phones, use of personal cell phones, appropriate use of Internet, web posting, personal websites, blogging, mass storage devices (such as flash drives and iPods), portable computer equipment, adding and deleting software, security and password maintenance, and file sharing.
The policy should also clearly provide employee notice that the employer intends to review any and all traffic in the system including messages, attachments, websites visited, files downloaded, and cell phone records including text messages, and that such monitoring can occur at any time without prior notice.
Any specific technology that is prohibited by the company policy should also be listed in the document. For example, a common practice for organizations concerned with the unauthorized transfer of company information is to prohibit access to private email servers such as AOL and Hotmail and to restrict the use of mass storage devices such as flash drives and portable transfer devices, including iPods.
It is important to craft an electronic use policy that is right for the firm. Many small law firm practitioners confess to never having an electronic use policy in place because the need for it never seemed apparent. Perhaps excessive personal use of the firm technology is something more likely to happen in a large firm environment where employee anonymity can sometimes exist.
Nevertheless, even the most basic electronic use policy that outlines prohibited activities is a good reminder to the staff that the firm’s electronics belong to the firm. Moreover, it may prevent a difficult and painful experience if ever the firm is involved in employment litigation. Such a policy would be paramount to helping guide the firm through a difficult time.
Todd C. Scott is VP of Member Services at Minnesota Lawyers Mutual, where he counsels lawyers on law practice management and avoiding malpractice. Follow Todd on Twitter @RUatRISK or read his blog at www.attorneysatrisk.com .
© Copyright 2010, American Bar Association.