Employees, the Net, and Trouble

24 May 1999
Co-written by Sara Santoro

If your company doesn't already know this, it will soon. Providing e-mail and Internet access for employees will be indispensable in the next century. As more companies edge forward into this new medium, potential liability may follow them in ways they can't imagine. What follows are some hints for staying out of trouble.

How much trouble can e-mail and Internet access in the work place cause? Well, some experts feel that in many ways e-mail abuses will pose a more significant problem in 1999 for employers than the Year-2000 problem. Many employers have reacted to this risk by installing filtering and monitoring devices. While this may be the right step for some, it's not the most important step to take and it's not right for everybody.

The most important step for every company is the adoption of a policy addressing the acceptable use of company computers, the Internet and e-mail. No employee handbook is complete without it.

A well-drafted computer acceptable use policy (AUP) will address issues such as computer system integrity and security, employee productivity, preventing legal liability from claims of sexual harassment, copyright infringement, defamation, and protecting trade secrets. The goal is to provide a policy that protects the legal "backside" of a company, while respecting the privacy and free speech rights of its employees. It can be a tough balancing act, but when in doubt-protect the company.

Before beginning the process of drafting a policy for your company, some issues need to be addressed. What employee activities do you need to monitor for valid business reasons? What company information do you want to protect? Which employees should have access to sensitive data? What back-up and security measures are presently in place (passwords, encryption, etc.)?

In general, an employer can monitor e-mail and Internet activity for valid business purposes. In fact, there is some legal support for the proposition that an employer can monitor all use of company computers for any purpose. Still, privacy laws differ from state to state and are still developing. The conservative route is to have employees sign a consent form.

An appropriate clause might read, "XYZ Corp. may engage in monitoring of Internet and e-mail activities for any business purpose, including employee supervision." While you may think that you want a broadly drafted AUP that allows you free-reign to systematically monitor your employees' Internet habits for any reason, you may want to balance this with an employee's expectation of privacy.

I often advise the adoption of a policy that you wouldn't mind fully describing to a potential employee. If you decide security or productivity concerns warrant screening your employees' e-mail and Internet activities, you should spell out these reasons in your AUP.

Additionally, you may want to include written procedures for the disclosure of an employee's e-mail messages or computer files to third parties. Typically, you would restrict third-party disclosure to situations where disclosure is compelled like a subpoena.

The Web

Providing an Internet connection for employees means they have quick and easy access to non-work-related material. Not only does this access threaten productivity, it can expose your company to liability.

For example, employees who visit adult sites while at the office could be creating a "hostile work environment" under sexual harassment laws. Furthermore, these sites can leave "cookies" on your hard drive that would be damaging evidence in a harassment or discrimination lawsuit. (A "cookie" is a file that is put on your hard drive by a website when you visit it. It's there so that the website can "remember" something about you when you go to the site the next time.) For this reason, prohibiting access to adult material on the Internet is an essential part of your AUP.

You may also want to further restrict Internet activities to work-related matters only. Not only would this address the productivity concern, but may also prevent a drain on your computer resources.

On the other hand, employees may not look too kindly on a policy that restricts their e-mail to work correspondence. Whether for financial or practical reasons, many people do not maintain an e-mail account outside of work. The occasional sending and receiving of personal messages to work e-mail accounts has become commonplace and isn't likely to strain your system. You'll have to decide if you want to permit it in your company.

It's Not the Phone

Many people treat their e-mail messages more like a phone conversation than a written letter. They speak their mind carelessly without thinking that the message will be saved on many hard drives and is disseminated all too easily with the "forward" button. E-mail also has this pesky habit of hanging around in in-boxes, recycle bins, backup tapes and even empty sectors of a hard drive. These messages can come back to haunt a company during discovery requests. In fact, in recent years, e-mail has provided some of the most devastating evidence in harassment and discrimination lawsuits.

Your AUP should restrict the use of any type of offensive, harassing, fraudulent, defamatory or otherwise illegal language in e-mail communications. Some companies even require the use of signature files or text that discloses the limitations of an employee's authority to speak on behalf of the company.

Your AUP should also address the protection of trade secrets or client information. It might state that proprietary company information should not be sent out over the Internet, or where appropriate, should be encrypted first. In addition, employees should be aware of their responsibility to safeguard their ID and password information.

Encryption creates its own unique set of issues. After all, what's the use of obtaining consent to read employee e-mail, if an employee encrypts them with their own encryption software? The solution is a clause that says something like, "Employees may encrypt their e-mail and files only with software approved by XYZ Corp. XYZ Corp. may require a copy of any key necessary to access encrypted e-mail messages or files."

You should also be concerned about the potential exposure of your company's system to computer viruses that accompany programs downloaded over the Internet. An employee who thinks they are downloading a harmless game or work-related program could end up crashing your entire system. Your AUP should tell employees the required steps and procedures to check files for viruses.

Copyright infringement claims can arise from such seemingly harmless actions as copying graphics for screensavers or wallpaper, forwarding an e-mail message, or from copying another employee's software or shareware program. Your AUP should include a clause that prohibits the dissemination or printing of copyrighted materials including software programs.

Finally, you should consider including a statement of the disciplinary actions you might take against an employee who violates the AUP. Such penalties may range from a warning to suspension of Internet privileges to termination.

While this column has mentioned some of the concerns that an AUP might address, it's in no way exhaustive. Professional advice is essential. Mistakes here could leave you open to substantial legal liability. Recent history with the Microsoft antitrust trial shows that even the largest companies can make serious mistakes with e-mail.

Still, there is no one size fits all e-mail policy. You have to consider your business needs, your corporate culture, and the law. Then you need to make policy decisions that work for you and your company.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at: www.DeWittGrossman.com.

If you have any comments, please send them to MGrossman@DeWittGrossman.com.

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.