Intro

In the not-so-distant past, every telephone had a cord tethering the caller to a nearby wall. The only way a business could transmit a document was to place it an envelope and pay someone to carry it to the recipient. To research important data, we had to find the right books, sometimes by traveling to a library, then take them off the shelf, open them, and hope that the table of contents would point us to the relevant pages.

For anyone under 20 years old, these must some seem like some outdated and inefficient limitations for operating a business. Nowadays, smartphones, email, the Internet, and other innovations have brought huge gains in business efficiency and productivity, allowing instant communication and access to information that would have seemed unimaginable only a short time ago.

And, of course, the technology wave hasn’t crested yet. Every time we turn around, there’s a new device—or an innovative way to use something we’ve already got—that could revolutionize the way we work. One day, not too long from now, we’ll look back on iPhones, MySpace, and spam with the same nostalgia we reserve for the inkwell, carbon paper, and the IBM Selectric.

But no matter how technology evolves, one thing remains constant: New technology always brings new risks for employers. Technology can always be misused, either intentionally or accidentally. And, because employers are often legally responsible for the acts of their employees, technological developments have exponentially increased the possibility of legal exposure.

In recent years, we’ve been inundated with tales of employer woes: private customer information accidentally made public; racist or sexist jokes transmitted through a company’s email system; employees causing car accidents while doing business on their cell phones; blogs that reveal company trade secrets; and widespread viewing of pornography at work. Although technology has promised to increase efficiency and rid us of documentation, it sometimes seems to have had the opposite effect—for example, companies now spend thousands of dollars combing through their electronic files to produce evidence for auditors, courts, and government agencies.

How does an employer modulate this digital din? Some try to control technology with other technology—for example, software that blocks certain Internet sites, programs that scan email for illegal content, or company-wide adoption of digital passwords to prevent access to company secrets. But fighting technology with technology is a never-ending game of cat and mouse, as the makers of antispam software have learned. There’s always a way to skirt these technological solutions, which means companies have to develop a response to the workaround, and the escalation continues.

A better approach is to adopt a set of commonsense rules that explain how employees should use the technologies the company makes available to them. Of course, policies alone won’t stop all employee misconduct—there will always be employees who act badly, no matter what your company’s handbook says. But policies, combined with training, leadership by example, and consistent enforcement, will help your company make sure that employees are using its electronic resources as the company intends.

And, if an employee doesn’t follow the rules, policies provide a strong measure of legal protection if your company has to discipline or fire the employee, or prove that it did everything it could to prevent the incident (in the unfortunate event someone was harmed by an employee’s misuse of technology).

This book provides policies you can adapt for your workplace on email use, employee blogs, using cell phones for work, downloading software, Internet access, and much more. It also provides the information you need to decide whether to use a particular policy and how to customize it to fit your workplace. The CD-ROM included with this book has all of the policies you’ll need to make your workplace safe for technology.

Why You Need Technology Policies

Your company probably has some written policies gathered in an employee handbook or policy manual, covering things like time off, benefits, employee conduct, and termination procedures. Unfortunately, however, many companies have neglected to keep up with the times by creating policies dealing with technology. Sometimes, the company’s decision makers don’t understand how technological innovations work or don’t know how employees are actually using company resources. Sometimes, policy makers assume that existing policies are adequate to cover new technologies. Perhaps most often, however, the people responsible for writing policies just have too many other things to do, and put off updating their handbook to a later date.

CAUTION: Practice makes policy. A policy can exist without being written down or even communicated orally to employees. For example, if everyone in a company, from senior management on down, uses the company’s email system for personal messages, that’s company policy, even if the company has no official written guidelines saying that it’s okay to use email in this way. The company would have a tough time defending a decision to fire an employee for sending personal messages if everyone else did so with impunity. It’s a much better idea to consciously decide what your company’s policies should be than to create policies by default.

If your company has procrastinated on drafting or updating its technology policies, you’re missing an opportunity to protect the company’s assets and leaving yourselves open to legal trouble in the future. Here are some ways that well-drafted technology policies can help your company.

Protect Trade Secrets

Employees stealing trade secrets once had to stand over a copy machine, smuggle out boxes of documents, or bring in cameras. Today, however, the valuable intangible information upon which many companies are built—their trade secrets—can easily be purloined in digital format.

Technology policies can help protect against loss of company trade secrets, whether it occurs intentionally—as when an employee steals data to sell to a competitor or start a similar business—or unintentionally—as when an employee sends confidential information through Web-based email, which is hacked by an outsider. Even if your company faces an aggressive trade secret thief who doesn’t care about the rules, strong policy language will help your company show that it took steps to protect its confidential information, which will work in your company’s favor when it tries to stop others from using its stolen secrets.

Preserve Customer and Employee Privacy

All companies keep some confidential information about their employees, whether Social Security numbers, next of kin, or medical records. Many companies also have confidential customer information, such as addresses, telephone numbers, and credit card accounts. Companies have a legal obligation (and obvious incentive) to maintain the privacy of this information, which up-todate technology policies will help you do. Many states also require companies to notify consumers if their information is leaked, stolen, or otherwise compromised.

Lay the Groundwork for Discipline and Termination

Policies provide the basis for employee discipline and termination by explaining what conduct is prohibited. Although most companies have the right to fire employees at will (that is, for any reason that’s not illegal), it’s always wise, for legal and practical reasons, to fire only for good cause. By putting employees on notice, technology policies make it more difficult for employees to later argue that they were treated unfairly or that they didn’t know their conduct was prohibited.

CAUTION: Policies must be enforced consistently. Having policies on paper is a good first step, but it isn’t enough to protect your company from wrongful termination lawsuits. To use a policy as a lawsuit defense strategy, your company must be able to show that everyone who violated the policy faced the same consequences. Otherwise, an employee can use your company’s selective enforcement as proof of discrimination, retaliation, or other unfair treatment.

Tell Employees That Their Communications Aren’t Private

Because your company may one day have to read or monitor employee email and Internet browsing history, you should put employees on notice. It’s only fair to tell employees ahead of time that their messages may be read. Notifying employees about monitoring will also deter them from sending inappropriate messages in the first place—your ultimate goal. What’s more, employees’ legal right to privacy is determined, in part, by how much privacy they reasonably expect to have. If your company tells employees their communications aren’t private, it will be hard for them to argue later that they nonetheless expected confidentiality.

Avoid Problems Caused by Employee Mistakes

Many of the problems created by workplace technology are the result of inadvertent errors—for example, clicking on an attachment that unleashes a virus—not intentional missteps. By setting ground rules for employees and explaining why those rules are important, technology policies can help your company avoid many of these problems in the first place.

Conserve Company Resources

Misuse of technology—whether in the form of streaming audio, visiting illicit websites, or sending excessive personal email—costs time and money. Your company can preserve its bandwidth and server capacity, and maintain higher employee productivity, by adopting policies that limit how employees may use its technological resources.

Limit Liability for Employee Misconduct

In some situations, your company can use its policies to show that it tried to prevent harm to others. For example, if your company has a written policy prohibiting employees from making business-related calls while driving, that policy can be used as evidence that the company shouldn’t be legally responsible for injuries an employee caused while doing just that.

Manage Electronic Documents

Most of the innovations covered in this book allow employees to create, modify, and transmit documents electronically. They also create their own electronic records, in the form of logs, user records, browsing history, address books, and so on. Employers have a duty to preserve and hand over electronic documents like these in a lawsuit, just as if they were pieces of paper. Without policies telling employees how to manage their electronic documents, your company won’t be able to meet these obligations. Lawsuits aside, if employees don’t know which electronic documents to keep and where to put them, your company might not be able to access important records like contracts and customer orders.

Creating Your Policies

This book will help you draft and update technology policies that will be effective in your company. What this book can’t do, however, is tell you which policies are right for your company: That will depend on the industry, your corporate culture, the sophistication of your employees, your company’s comfort level with risk, and plenty of other intangibles that will vary from company to company.

A large part of your job will be to decide how intrusive or trusting your company wants to be with its employees. This issue comes up again and again in the technology field because employee use of each of these devices and functions can be monitored. Here are some questions you may have to consider:

• Will your company read every employee email or will it simply reserve its right to monitor messages if it needs to?
• Will your company block access to certain Internet sites, monitor employee Internet traffic, or just tell employees not to visit certain types of sites?
• Will your company ban all camera phones at work or ask employees not to use them in certain areas?

Each chapter in this book covers a different type of electronic resource or function, such as email, camera phones, or blogs, providing an overview of the most important issues to consider, sample policy language, and information that will help your company decide whether—and how much—to regulate employee use of that equipment.

Although some policies should be adopted in every company (prohibiting employees from using cell phones while driving, for example), others are not so universal. That’s why your first step in crafting technology policies is not to open this book to the appropriate chapter, but instead to figure out what your company is already doing and what it wants to do.

Determine Your Current Practices

To get started, find out how technology is being used and regulated in your company now. First, consult your company’s employee handbook or other written policies. Does your company have policies in place dealing with email, blogs, cell phones, and the other equipment addressed in this book? Are these policies up to date and adequate to address all of the technology your company and its employees currently use? Does your company require employees to sign acknowledgements of these policies?

Once you’ve collected and reviewed your company’s written policies, it’s time to get out of your office and talk to people to find out what’s actually happening—what types of technology are actually in use, and in what ways. Here are some ideas to help you get started:

• Talk to your IT department (if your company has one). Find out what technologies your company supports and what it prohibits. Does IT have the capacity to read employee email and instant messages or to track employee Internet use? Is someone actually reading employee communications? Does the company block access to certain websites? Does the company provide cell phones, smartphones, or laptops to employees? Does it allow—or require—employees to use their own electronic devices for work? If so, are there any limits on the makes or models, or on an employee’s ability to access the company’s network? Is IT aware of any problems in employee use or misuse of equipment?
• Interview company managers. What technological resources do they use in their departments? Do they issue equipment to employees? Do they encourage employees to purchase their own equipment to use for work? Are they concerned about employee use of technology? Have they had to discipline or fire any employees for misusing electronic resources? What types of equipment do they need for their departments to function most efficiently and productively?
• Consult with the lawyers. Talk to your company’s attorney to find out whether there are any special concerns—or past problems—you’ll need to address. Has the company had to discipline or fire employees for electronic misconduct? Are there special concerns in your industry that you should consider? Do your state’s laws or applicable court decisions address privacy and technology?
• Get feedback from employees. Find out what employees are really doing. Although you could talk directly to employees, you’ll probably get more accurate results with an anonymous survey or questionnaire. Your goal is to find out how employees are really using the available technology, and in a face-to-face interview few employees will admit to things like sending personal email, visiting websites that aren’t related to work, or getting around the company’s electronic controls.

Draft Policies

Don’t be surprised or concerned if your interviews revealed confusion about your company’s current policies and expectations, or differences in the way technology is used or managed in different departments. Your job now is to use that information to come up with policies that will work for the whole company and be enforced consistently in the future.

For each type of technology your company uses, go to the appropriate chapter in this book and review the policy language provided. Some chapters include alternatives to choose from, depending on how your company wants to handle a particular issue; some also include optional language you can include if, for example, you use monitoring software or provide employees with hands-free telephone equipment. Each chapter starts with a checklist of policy provisions, so you can make sure you’ve considered every important issue. Most readers should be able to put together effective policies using the language provided in the book and on the CD-ROM , with very few changes.

If, however, your company requires a different approach or wants to address additional concerns, you may need to draft or modify policy language. Here are a few rules to keep in mind:

• Keep it simple. Use short sentences and paragraphs, and easily understood vocabulary. Be as clear and concise as possible.
• Know your audience. Write in the language and style that reflects the culture of your company, and the education and sophistication of its employees.
• Explain the policy. When writing a technology policy, it’s especially important to explain the purpose behind it. Employees who don’t understand why it’s important not to, for example, open an unscanned email attachment or send confidential information through Web-based email, might assume the company is just being paternalistic in imposing these requirements. Employees who know why a policy is necessary are more likely to follow it (and less likely to use workarounds).

Review and Revise Policies

Once you’ve come up with draft policies, get some feedback. Ask the IT department and your company’s managers to read them; they are the ones who are going to have to actually enforce the policies and field employee questions. They can let you know whether they think it will be difficult to implement a particular policy.

After you’ve considered this feedback and revised your policies, it’s time to get a final review from a lawyer to be sure your technology policies are legally sound and up to date. A final legal review like this shouldn’t take much time (or cost much money).

Distribute Policies and Acknowledgment Forms

Now, it’s time to pass out the policies. You should follow that with a meeting where you explain the policies and answer any questions employees might have. Tell employees that the company expects them to read the policies and abide by them, and ask employees to sign an acknowledgment form to that effect (you’ll find an acknowledgment form in Appendix B and on the CD -ROM at the back of this book).

CAUTION: Acknowledgment forms may be legally required. Acknowledgment forms may look like overkill or a simple exercise in paperwork, but they are a vitally important part of your technology strategy. Currently, at least one state requires employers to get written consent from employees before monitoring their email and Internet use, and other states consider similar legislation every year. Even if they aren’t legally required where your company does business, acknowledgment forms ensure that employees understand the rules for electronic communications, which will result in fewer violations of those rules and more protection for your company if it ever has to defend a decision to read employee communications.

It’s a good idea to meet with employees to discuss any changes or additions to those policies. Use of technology is an area of major interest to employees, and one in which you may meet resistance. At a meeting, you can explain why the company needs these policies and what employees will have to do to comply.

Enforce Policies

Your policies are only as good as the paper they’re printed on unless your company puts them into action. Ignoring policy violations is a quick way to undo all of your work. Not only does it signal to employees that they don’t have to follow the rules, but it also creates extra legal exposure. Adopting a policy shows that your company understands the risks of misusing a particular technology. If it ignores policy violations, your company is essentially saying, “We understand that this could create problems, but we’ve decided not to do anything about it.”

For example, suppose company policy says employees will be issued hands-free equipment and must use it when driving and talking on a cell phone for business. The company hands out cell phones, but decides to put off purchasing headsets until the next fiscal year. An employee hits a pedestrian while taking a sales call. Here’s what the pedestrian’s lawyer might ask the human resources manager: “You wrote these policies, correct? And you said employees have to use hands-free technology because your company recognizes that’s safer than allowing them to use handheld phones while driving, right? But your company never purchased hands-free devices, did it? And now, my client has been permanently injured because your company didn’t want to spend $500, isn’t that right?”

Review Policies Annually and Update If Necessary

If you’re in charge of keeping your company’s employee handbook up to date, you probably don’t read it from cover to cover when a review is required; you review only policies that may need to be changed because of a court ruling, new statute, or change in company practice. The truth is that most company policies aren’t going to change from year to year.

In the technology arena, however, things change quickly and you may find these policies need periodic review. When you adopt a new policy or change the company’s existing policy, meet with employees to explain what’s new. As you did when you initially rolled out your tech policies, you should give employees time to read the policy, tell them why it was adopted, and answer any questions they might have. You should also prepare a new acknowledgment form.

Keep in mind, too, that this is just the beginning. Every year, there are new technology-related concerns on the horizon and your company’s policies should address these issues as soon as they hit your radar screen.