Smart Policies for Workplace Technologies
Email, Blogs, Cell Phones & More
Lisa Guerin, J.D.
January 2013, 3rd Edition
Every new device that promises to make our lives easier brings with it the risk of misuse -- whether accidental or intentional. That's why it's so important that any business that employs both people and computers create a safe and sensible policy for the appropriate use of technologies in the workplace.
Smart Policies for Workplace Technologies provides the tools employers need to assess your current policies' effectiveness, along with information on how to draft or revise, then distribute and enforce your new customized policies.
Protect your business with a policy that addresses:
- protection of trade secrets
- customer, employer and employee privacy
- management of electronic documents and tools
- limiting liability for employee misconduct
- conserving company resources
Co-published with the Society of Human Resource Management (SHRM), Smart Policies for Workplace Technologies keeps your business safe, online and off. This edition includes a new chapter on the use of social networking sites, such as Facebook and Twitter. It's been fully updated to include the latest statistics, legal rules, and information about workplace technology, including developments at the federal level.
- Computer and Software Use Policy
- Email Policy
- Internet Policy
- Instant Messaging Policy
- Blogs and Personal Posting Policy
- Cell Phone Policy
- Portable Computing Device Policy
- Camera Phone Policy
- Electronic Communications and Equipment Policy Acknowledgment Form
- Company-Sponsored Social Media Policy
Lisa Guerin, an editor and author specializing in employment law, is author or co-author of several Nolo books, including The Manager's Legal Handbook, Dealing with Problem Employees, The Essential Guide to Federal Employment Laws, Workplace Investigations, Create Your Own Employee Handbook, and Nolo's Guide to California Law. Guerin has practiced employment law in government, public interest, and private practice where she represented clients at all levels of state and federal courts and in agency proceedings. She is a graduate of Boalt Hall School of Law at the University of California at Berkeley. Guerin's blog on lessons learned by employers and HR professionals on everything from hiring and firing to performance and discipline can be found at Nolo's Employment Law Blog.
Lisa's Other Pages
1. Drafting Effective Technology Policies
- Why You Need Technology Policies
- Creating Your Policies
2. Computers and Software
- Remote Access to the Company’s Computer System
- Putting It All Together: Sample Computer and Software Use Policy
- Personal Use of Email System
- Content Rules
- Viruses and Other Security Threats
- Retention and Deletion
- Putting It All Together: Sample Email Policy
4. Internet Use
- Personal Use of the Internet
- Prohibited Uses of the Internet
- Personal Web-Based Email
- Putting It All Together: Sample Internet Policy
5. Instant Messaging
- To IM or Not to IM?
- Personal Use of IM
- Privacy and IM Monitoring
- Viruses and Security Threats
- Retention and Deletion
- Putting It All Together: A Sample Instant Messaging Policy
6. Blogs and Beyond: Personal Posting on the Internet
- Restrictions on Personal Posting
- Adopting a Commonsense Policy
- Putting It All Together: A Sample Blog and Personal Post Policy
7. Company-Sponsored Social Media
- Why Post?
- Who May Post
- Guidelines for Posting
- Authorship and Disclaimers
- Handling Comments
- Putting It All Together: A Sample Company-Sponsored Social Media Policy
8. Cell Phones
- Company-Owned Phones
- Personal Cell Phones at Work
- Wage and Hour Concerns
- Putting It All Together: Sample Cell Phone Policy
9. Portable Computing Devices: PDAs, Laptops, and Beyond
- Use Rules
- Driving Safety
- Wage and Hour Concerns
- Putting It All Together: Sample Portable Computing Device Policy
10. Cameras and Camera Phones
- Alternative 1: Banning Cameras
- Alternative 2: Use Restrictions
- Putting It All Together: Sample Camera Phone Policy
A. How to Use the CD-ROM
- Installing the Files Onto Your Computer
- Using the Word Processing Files to Create Documents
B. Acknowledgment Form
Drafting Effective Technology Policies
Why You Need Technology Policies......................................... 7
Protect Trade Secrets........................................................... 7
Promote Your Company—Effectively and Legally............... 8
Preserve Customer and Employee Privacy......................... 8
Lay the Groundwork for Discipline and Termination........... 10
Tell Employees That Their Communications Aren’t Private 11
Avoid Problems Caused by Employee Mistakes................ 11
Conserve Company Resources.......................................... 11
Limit Liability for Employee Misconduct.............................. 11
Manage Electronic Documents........................................... 14
Creating Your Policies............................................................. 14
Determine Your Current Practices...................................... 15
Draft Policies....................................................................... 18
Review and Revise Policies................................................ 19
Distribute Policies and Acknowledgment Forms................. 19
Enforce Policies................................................................... 21
Review Policies and Update If Necessary.......................... 22
In the not-so-distant past, every telephone had a cord tethering the caller to a nearby wall. The only way a business could transmit a document was to place it an envelope and pay someone to carry it to the recipient. To research important data, we had to find the right books, sometimes by traveling to a library, then take them off the shelf, open them, and hope that the table of contents would point us to the relevant pages.
For anyone under 20 years old, these must some seem like some outdated and inefficient limitations for operating a business. Nowadays, smartphones, email, the Internet, cloud computing, and other innovations have brought huge gains in business efficiency and productivity, allowing instant communication and access to information that would have seemed unimaginable only a short time ago.
And, of course, the technology wave hasn’t crested yet. Every time we turn around, there’s a new device—or an innovative way to use something we’ve already got—that could revolutionize the way we work. One day, not too long from now, we’ll look back on iPhones, Twitter, and spam with the same nostalgia we reserve for the inkwell, carbon paper, and the IBM Selectric.
But no matter how technology evolves, one thing remains constant: New technology always brings new risks for employers. Technology can always be misused, either intentionally or accidentally. And, because employers are often legally responsible for the acts of their employees, technological developments have exponentially increased the possibility of legal exposure.
In recent years, we’ve been inundated with tales of employer woes: private customer information accidentally made public; racist or sexist jokes transmitted through a company’s email system; employees causing car accidents while doing business on their cell phones; blogs that reveal company trade secrets; employees or officers “outed” as the authors of glowing online reviews of company products; and employees airing workplace gripes on social networking sites. Although technology has promised to increase efficiency and rid us of documentation, it sometimes seems to have had the opposite effect—for example, companies now spend thousands of dollars combing through their electronic files to produce evidence for auditors, courts, and government agencies.
How does an employer modulate this digital din? Some try to control technology with other technology—for example, software that blocks certain Internet sites, programs that scan email for illegal content, or company-wide adoption of digital passwords to prevent access to company secrets. But fighting technology with technology is a never-ending game of cat and mouse, as the makers of anti-spam software have learned. There’s always a way to skirt these technological solutions, which means companies have to develop a response to the workaround, and the escalation continues.
Ten Ways Around Your Company’s Technological Controls
Many companies, especially those with a savvy IT department, rely on blocking software, filters, and other technology to prevent employees from wasting resources or compromising security by, for example, surfing porn sites, sending large files, or storing work-related documents online. If the employees are also tech-savvy, however, they can get around these controls—and they often want to, because it’s easier and more convenient. Often, these employees aren’t troublemakers; they’re just trying to work from home, get the programs or files they need, or save more email messages than your company’s system allows.
This is one reason why your company must not only physically block employees from misusing company technology, but also adopt a policy prohibiting it and explaining why it’s important. Employees who know the risks of getting around the company’s controls are more likely to think twice before taking that shortcut. And if you’re thinking your company’s employees probably don’t know the first thing about circumventing the company’s controls, you better hope they don’t read The Wall Street Journal, which published a list of ten controls and how to get around them. It explains how to:
Send large files: Use an online service to transmit large files free.
Use software the company doesn’t allow employees to download: Access a Web-based version of the software or load it on a portable device.
Visit blocked websites: Use a proxy site to see the blocked website rather than visiting it directly, either through a search or by asking Google to do an English-to-English translation of the site (which calls it up on the searcher’s screen).
Erase tracks from a company-issued laptop: Use the browser to delete the history of websites visited.
Search for work documents from home: Store copies of files from one computer online, to be searched from another computer.
Store work documents online: Use an online storage service or send files from work to a personal email account.
Evade company monitoring of Web-based email: Encrypt messages or use a secure email session.
Access work email remotely: Automatically forward all work-related email to a personal account.
Access personal email from a company-issued BlackBerry: Add a personal email account to your profile at your BlackBerry’s service provider website.
Avoid getting caught surfing the Web: Hit Alt-Tab to minimize one window and maximize another.
Vauhini Vara, “Ten Things Your IT Department Won’t Tell You,” The Wall Street Journal, July 30, 2007.
A better approach is to adopt a set of commonsense rules that explain how employees should use the technologies the company makes available to them. Of course, policies alone won’t stop all employee misconduct—there will always be employees who act badly, no matter what your company’s handbook says. But policies, combined with training, leadership by example, and consistent enforcement, will help your company make sure that employees are using its electronic resources as the company intends.
And, if an employee doesn’t follow the rules, policies provide a strong measure of legal protection if your company has to discipline or fire the employee, or prove that it did everything it could to prevent the incident (in the unfortunate event someone was harmed by an employee’s misuse of technology).
This book provides policies you can adapt for your workplace on email use, employee blogs, posting to company-sponsored social media pages, using cell phones for work, downloading software, Internet access, and much more. It also provides the information you need to decide whether to use a particular policy and how to customize it to fit your workplace.
Chips and Scanners: What’s Next for Workplace Tech
Most of the electronic tools covered in this book will be familiar to you. Even if you don’t own a tablet or use instant messaging, you’re probably familiar with these commonplace innovations. On the horizon, however, are some truly sci-fi technology applications, some of which have already been adopted in the workplace.
A lot of these innovations are intended to be used on employees, not necessarily by them. Devices once used to track packages are now being used to track people. And, developments in biometrics are being pressed into service as employee identification devices. Here are some examples:
Global positioning devices. GPS devices are used not only to keep tabs on pets, children, and valuable merchandise, but also to monitor the fleets—and employees—at FedEx and United Parcel Service (UPS).
Radio Frequency Identification (RFID). RFID isn’t just used to identify and track people and products via a tag or transponder; it’s also being used to maintain business security and track
employees’ movements within a facility. (The RFIDs are commonly planted in employee ID badges.) At least one company has asked employees to have an RFID chip implanted in their arms to access the company’s data center. These developments have led at least four states—California, North Dakota, Oklahoma, and Wisconsin—to pass laws prohibiting involuntary microchipping. (Nightclub owners have also discovered a use for RFIDs—to identify VIP customers and allow them to run a tab at the bar.) For information on state RFID laws, go to the website of the National Conference of State Legislatures, www.ncsl.org, and select the “Telecommunications/IT” issue area.
Biometrics. Verifying a person’s identity through their unique physical characteristics is nothing new; police departments have been using fingerprints for this purpose for decades. But some companies are now pressing this technology into use to identify employees. At McDonalds, for example, employees clock in by scanning their hands rather than punching in a time card. Some companies use facial recognition and retina scanning systems to authenticate the identity of employees entering secured areas of a facility. The federal government is even considering biometric technology to identify workers as part of the eVerify program.
Use of these technologies on employees has met with a lot of resistance, and it’s no wonder why: There’s a disturbing level of intrusion involved in having a chip implanted in your body or having your every move tracked. Once this information is gathered, there’s also the problem of keeping it safe. Identity theft is one thing, but what about the possibility of having your facial features “hacked” and misused, or having the government subpoena records of your movements, captured through a GPS or RFID system? The legal battles over these technologies are just getting started, so stay tuned.
Why You Need Technology Policies
Your company probably has some written policies gathered in an employee handbook or policy manual, covering things like time off, benefits, employee conduct, and termination procedures. Unfortunately, however, many companies have neglected to keep up with the times by creating policies dealing with technology. Sometimes, the company’s decision makers don’t understand how technological innovations work or don’t know how employees are actually using company resources. Sometimes, policy makers assume that existing policies are adequate to cover new technologies. Perhaps most often, however, the people responsible for writing policies just have too many other things to do, and put off updating their handbook to a later date.
Practice makes policy. A policy can exist without being written down or even communicated orally to employees. For example, if everyone in a company, from senior management on down, uses the company’s email system for personal messages, that’s company policy, even if the company has no official written guidelines saying that it’s okay to use email in this way. The company would have a tough time defending a decision to fire an employee for sending personal messages if everyone else did so with impunity. It’s much better to consciously decide what your company’s policies should be than to create policies by default.
If your company has procrastinated on drafting or updating its technology policies, you’re missing an opportunity to protect the company’s assets and leaving yourselves open to legal trouble in the future. Here are some ways that well-drafted technology policies can help your company.
Protect Trade Secrets
Employees stealing trade secrets once had to stand over a copy machine, smuggle out boxes of documents, or bring in cameras. Today, however, the valuable intangible information upon which many companies are built—their trade secrets—can easily be purloined in digital format.
Technology policies can help protect against loss of company trade secrets, whether it occurs intentionally—as when an employee steals data to sell to a competitor or start a similar business—or unintentionally—as when an employee sends confidential information through Web-based email, which is hacked by an outsider, or stores sensitive files on a smart phone that is later stolen. Even if your company faces an aggressive trade secret thief who doesn’t care about the rules, strong policy language will help your company show that it took steps to protect its confidential information, which will work in your company’s favor when it tries to stop others from using its stolen secrets.
Promote Your Company—Effectively and Legally
These days, consumers look for information about products and services online. Your company’s official Internet presence—on its own website, in company blogs, and on the company’s social media pages—plays a significant role in creating and maintaining your company’s reputation. And, its “unofficial” presence—in personal blogs and posts, online reviews, or YouTube videos, for example—may be just as important, for better or for worse. Policies that draw clear lines on what employees should and shouldn’t say online, whether in company-authorized content or in personal posts, can help you make sure that your company is being represented positively and appropriately in cyberspace.
Preserve Customer and Employee Privacy
All companies keep some confidential information about their employees, whether Social Security numbers, next of kin, or medical records. Many companies also have confidential customer information, such as addresses, telephone numbers, and credit card accounts. Companies have a legal obligation (and obvious incentive) to maintain the privacy of this information, which up-to-date technology policies will help you do. Many states also require companies to notify consumers if their information is leaked, stolen, or otherwise compromised.
More Than 500 Million Breached Records … and Counting
A stolen laptop here, a hacked website there, and the security breaches start to add up. According to the Privacy Rights Clearinghouse, more than 560 million records were compromised between January 2005 and September 2012, and the number is increasing by the thousands daily. The Clearinghouse keeps an extensive database of security breaches involving consumer information (you can view it at www.privacyrights.org; select “Data Breaches” from the home page).
Lay the Groundwork for Discipline and Termination
Policies provide the basis for employee discipline and termination by explaining what conduct is prohibited. Although most companies have the right to fire employees at will (that is, for any reason that’s not illegal), it’s always wise, for legal and practical reasons, to fire only for good cause. By putting employees on notice, technology policies make it more difficult for employees to later argue that they were treated unfairly or that they didn’t know their conduct was prohibited.
Policies must be enforced consistently. Having policies on paper is a good first step, but it isn’t enough to protect your company from wrongful termination lawsuits. To use a policy as a lawsuit defense strategy, your company must be able to show that everyone who violated the policy faced the same consequences. Otherwise, an employee can use your company’s selective enforcement as proof of discrimination, retaliation, or other unfair treatment.
Tell Employees That Their Communications Aren’t Private
Because your company may one day have to read or monitor employee email messages and Internet browsing histories, you should put employees on notice. It’s only fair to tell employees ahead of time that their messages may be read. Notifying employees about monitoring will also deter them from sending inappropriate messages in the first place—your ultimate goal. What’s more, employees’ legal right to privacy is determined, in part, by how much privacy they reasonably expect to have. If your company tells employees their communications aren’t private, it will be hard for them to argue later that they nonetheless expected confidentiality.
Avoid Problems Caused by Employee Mistakes
Many of the problems created by workplace technology are the result of inadvertent errors—for example, clicking on an attachment that unleashes a virus or posting confidential information when answering a customer question online—not intentional missteps. By setting ground rules for employees and explaining why those rules are important, technology policies can help your company avoid many of these problems in the first place.
Conserve Company Resources
Misuse of technology—whether in the form of streaming audio, visiting illicit websites, or sending excessive personal email—costs time and money. Your company can preserve its bandwidth and server capacity, and maintain higher employee productivity, by adopting policies that limit how employees may use its technological resources.
Limit Liability for Employee Misconduct
In some situations, your company can use its policies to show that it tried to prevent harm to others. For example, if your company has a written policy prohibiting employees from making business-related calls while driving, that policy can be used as evidence that the company shouldn’t be legally responsible for injuries an employee caused while doing just that.
Employers’ Duty to Retain and Hand Over Electronic Evidence
In 2006, federal rules took effect that define the obligations of lawsuit opponents to save and provide electronically stored evidence. The Federal Rules of Civil Procedure (FRCP), which apply to all noncriminal federal lawsuits, were updated to reflect that modern business documents are more likely to be stored on a server, disk, or backup tape—or even in the cloud—than in a filing cabinet.
The FRCP now explicitly includes electronically stored information in the categories of documents and evidence that must be exchanged in discovery: the process of requesting and receiving information from the other side and from witnesses in a lawsuit. The rules have always obligated parties to discuss the case and exchange key evidence and witness lists early on (this is called the “meet and confer” requirement). Now, electronically stored information must be discussed and produced at this meeting, which is supposed to take place only a few months after a lawsuit is filed.
The rules impose a heavy obligation on companies to properly organize their electronic information so it can be accessed and reviewed quickly for a lawsuit. However, there’s some good news here for companies that routinely purge emails and electronic information: There’s no penalty if a party can’t provide electronic data because it was lost as a result of the routine, good faith operation of an information system. But this “safe harbor” provision applies only until litigation is in the offing. Companies facing a lawsuit must immediately stop their purging, shredding, and deleting, and impose a “litigation hold.” A company that destroys potentially relevant evidence after a lawsuit is imminent can face huge fines and penalties.
Manage Electronic Documents
Most of the innovations covered in this book allow employees to create, modify, and transmit documents electronically. They also create their own electronic records, in the form of logs, user records, browsing history, address books, and so on. Employers have a duty to preserve and hand over electronic documents like these in a lawsuit, just as if they were pieces of paper. Without policies telling employees how to manage their electronic documents, your company won’t be able to meet these obligations. Lawsuits aside, if employees don’t know which electronic documents to keep and where to put them, your company might not be able to access important records like contracts and customer orders.
Creating Your Policies
This book will help you draft and update technology policies that will be effective in your company. What this book can’t do, however, is tell you which policies are right for your company: That will depend on the industry, your corporate culture, the sophistication of your employees, your company’s comfort level with risk, and plenty of other intangibles that will vary from company to company.
A large part of your job will be to decide how intrusive or trusting your company wants to be with its employees. This issue comes up again and again in the technology field because employee use of each of these devices and functions can be monitored. Here are some questions you may have to consider:
Will your company read every employee email message or will it simply reserve its right to monitor email if it needs to?
Will your company block access to certain Internet sites, monitor employee Internet traffic, or just tell employees not to visit certain types of sites?
Will your company allow—or ask—employees to use personal phones and other electronic devices for work or prohibit them from doing so?
Will your company ban all camera phones at work or ask employees not to use them in certain areas?
Each chapter in this book covers a different type of electronic resource or function, such as email, camera phones, or social media, providing an overview of the most important issues to consider, sample policy language, and information that will help your company decide whether—and how much—to regulate employee use of that equipment.
Although some policies should be adopted in every company (prohibiting employees from using cell phones while driving, for example), others are not so universal. That’s why your first step in crafting technology policies is not to open this book to the appropriate chapter, but instead to figure out what your company is already doing and what it wants to do.
Determine Your Current Practices
To get started, find out how technology is being used and regulated in your company now. First, consult your company’s employee handbook or other written policies. Does your company have policies in place dealing with email, blogs, cell phones, and the other equipment addressed in this book? Are these policies up to date and adequate to address all of the technology your company and its employees currently use? Does your company require employees to sign acknowledgment forms demonstrating that they have received, read, and understood these policies?
Once you’ve collected and reviewed your company’s written policies, it’s time to get out of your office and talk to people to find out what’s actually happening—what types of technology are actually in use, and in what ways. Here are some ideas to help you get started:
Talk to your IT department (if your company has one). Find out what technologies your company supports and what it prohibits. Does IT have the capacity to read employee email and instant messages or to track employee Internet use? Is someone actually reading employee communications? Does the company block access to certain websites? Does the company provide cell phones, smartphones, or laptops to employees? Does it allow—or require—employees to use their own electronic devices for work? If so, are there any limits on the makes or models, or on an employee’s ability to access the company’s network? Is IT aware of any problems in employee use or misuse of equipment?
Interview company managers. What technological resources do they use in their departments? Do they issue equipment to employees? Do they encourage employees to purchase their own equipment to use for work? Are they concerned about employee use of technology? Have they had to discipline or fire any employees for misusing electronic resources? What types of equipment do they need for their departments to function most efficiently and productively?
Meet with the online team. Talk to the employees who oversee your company’s online presence and find out what your company is doing on the Internet. Is it active in social media channels? Does it have business blogs—and if so, how does it handle reader comments? Are you podcasting or producing online video? Does the company keep track of what others are saying about it online? The answers to these questions will help you figure out whether and how you need to address employee contributions—whether official or unofficial—to the company’s online presence.
Consult with the lawyers. Talk to your company’s attorney to find out whether there are any special concerns—or past problems—you’ll need to address. Has the company had to discipline or fire employees for electronic misconduct? Are there special concerns in your industry that you should consider? Do your state’s laws or applicable court decisions address privacy and technology?
Get feedback from employees. Find out what employees are really doing. Although you could talk directly to employees, you’ll probably get more accurate results with an anonymous survey or questionnaire. Your goal is to find out how employees are really using the available technology, and in a face-to-face interview few employees will admit to things like sending personal email, visiting websites that aren’t related to work, or getting around the company’s electronic controls.
Electronic Monitoring at Work
The American Management Association (AMA) has been surveying employers about their monitoring of employee activity since 2001. The most recent survey, for 2007, reveals that many employers monitor employee email and Internet activity. Here’s what they’re looking at:
Email. 43% of the companies surveyed monitor employee email. Almost ¾ of those use technology to automatically review messages, and 40% have an actual human being read email. Perhaps as a result of this monitoring, 28% of the companies who responded to the survey had fired someone for misuse of email, mostly in the form of inappropriate or offensive language or violation of company rules.
Internet use. Of the companies surveyed, ⅔ monitor employee Internet connections, and the same number block certain sites. 30% of the companies had fired someone for Internet misuse, with the vast majority of terminations resulting from viewing, downloading, or uploading inappropriate or offensive material.
Computer use. 45% of the companies track content, keystrokes, and time spent at the keyboard, and almost the same number review computer files.
Outside sites. 12% of responding companies monitor blogs to find out what’s being said about them, and 10% monitor social networking sites.
Don’t be surprised or concerned if your interviews revealed confusion about your company’s current policies and expectations, or differences in the way technology is used or managed in different departments. Your job now is to use that information to come up with policies that will work for the whole company and be enforced consistently in the future.
For each type of technology your company uses, go to the appropriate chapter in this book and review the policy language provided. Some chapters include alternatives to choose from, depending on how your company wants to handle a particular issue; some also include optional language you can include if, for example, you use monitoring software or provide employees with hands-free telephone equipment. Each chapter starts with a checklist of policy provisions, so you can make sure you’ve considered every important issue. Most readers should be able to put together effective policies using the language provided in the book and on the CD-ROM, with very few changes.
If, however, your company requires a different approach or wants to address additional concerns, you may need to draft or modify policy language. Here are a few rules to keep in mind:
Keep it simple. Use short sentences and paragraphs, and easily understood vocabulary. Be as clear and concise as possible.
Know your audience. Write in the language and style that reflects the culture of your company, and the education and sophistication of its employees.
Explain the policy. When writing a technology policy, it’s especially important to explain the purpose behind it. Employees who don’t understand why it’s important not to, for example, open an unscanned email attachment, send confidential information through Web-based email, or post “anonymous” reviews of your company’s products, might assume the company is just being paternalistic in imposing these requirements. Employees who know why a policy is necessary are more likely to follow it (and less likely to use workarounds).
Get Policy Languages, Updates, and More on Nolo.com
This book is filled with sample policy language you can use to create your own technology policies. You can access it in digital form—along with an acknowledgement form—at this book’s companion page at www.nolo.com. (See the appendix for a link to the dedicated page for this book.) You’ll find other useful information on that page, too, such as updates and blog posts.
Review and Revise Policies
Once you’ve come up with draft policies, get some feedback. Ask the IT department and your company’s managers to read them; they are the ones who are going to have to actually enforce the policies and field employee questions. They can let you know whether they think it will be difficult to implement a particular policy.
After you’ve considered this feedback and revised your policies, it’s time to get a final review from a lawyer to be sure your technology policies are legally sound and up to date. Technology—and the legal rules governing it—changes at the speed of light. A lawyer can help you make sure your policies are current and effective. A final legal review like this shouldn’t take much time (or cost much money).
Distribute Policies and Acknowledgment Forms
Now, it’s time to pass out the policies. You should follow that with a meeting where you explain the policies and answer any questions employees might have. Tell employees that the company expects them to read the policies and abide by them, and ask employees to sign an acknowledgment form to that effect. An acknowledgment form is available on this book’s companion page on www.nolo.com. See the appendix for the link).
Acknowledgment forms may be legally required. Acknowledgment forms may look like overkill or a simple exercise in paperwork, but they are a vitally important part of your technology strategy. Currently, at least one state requires employers to get written consent from employees before monitoring their email and Internet use, and other states consider similar legislation every year. Even if they aren’t legally required where your company does business, acknowledgment forms ensure that employees understand the rules for electronic communications, which will result in fewer violations of those rules and more protection for your company if it ever has to defend a decision to read employee communications.
It’s a good idea to meet with employees to discuss any changes or additions to those policies. Use of technology is an area of major interest to employees, and one in which you may meet resistance. At a meeting, you can explain why the company needs these policies and what employees will have to do to comply.
Your policies are only as good as the paper they’re printed on unless your company puts them into action. Ignoring policy violations is a quick way to undo all of your work. Not only does it signal to employees that they don’t have to follow the rules, but it also creates extra legal exposure. Adopting a policy shows that your company understands the risks of misusing a particular technology. If it ignores policy violations, your company is essentially saying, “We understand that this could create problems, but we’ve decided not to do anything about it.”
For example, suppose company policy says employees will be issued hands-free equipment and must use it when driving and talking on a cell phone for business. The company hands out cell phones, but decides to put off purchasing headsets until the next fiscal year. An employee hits a pedestrian while taking a sales call. Here’s what the pedestrian’s lawyer might ask the human resources manager: “You wrote these policies, correct? And you said employees have to use hands-free technology because your company recognizes that’s safer than allowing them to use handheld phones while driving, right? But your company never purchased hands-free devices, did it? And now, my client has been permanently injured because your company didn’t want to spend $500, isn’t that right?”
Review Policies and Update If Necessary
If you’re in charge of keeping your company’s employee handbook up to date, you probably don’t read it from cover to cover when a review is required; you review only policies that may need to be changed because of a court ruling, new statute, or change in company practice. The truth is that most company policies aren’t going to change from year to year.
In the technology arena, however, things change quickly and you may find these policies need review once or twice a year. When you adopt a new policy or change the company’s existing policy, meet with employees to explain what’s new. As you did when you initially rolled out your tech policies, you should give employees time to read the policy, tell them why it was adopted, and answer any questions they might have. You should also prepare a new acknowledgment form.
Keep in mind, too, that this is just the beginning. Every year, there are new technology-related concerns on the horizon and your company’s policies should address these issues as soon as they hit your radar screen.
Considering New Technology?
After reading this book, you’ll have a good idea of the kinds of issues you need to consider and address in your tech policies. You can use that expertise to help inform the company’s decisions about new technology. Rather than just introducing a new gadget and waiting for the fallout, your company can plan ahead to avoid future problems. Here are some questions to brainstorm when your company is looking into new electronic resources:
Why do we need this technology? Knowing how you want employees to use a particular device will help you make more informed decisions about purchasing, functionality, and appropriate limits for employees.
Will we supply it for employees? If so, you’ll have to think about how you will decide who gets one and whether you will limit personal use. If not, will you reimburse employees who purchase their own device? How will you limit security risks of employees linking to your network from, or keeping business information on, a personal device?
Who will use this technology? If only the most senior management will be using a particular device, for example, your company may decide to forgo monitoring or extensive rules about personal use.
What risks are associated with this technology? Are there new data security issues to consider? Safety concerns? A high risk of theft (as is true with many smaller devices) or abuse?
What records does the device create? Because most technology creates a record, you’ll need to consider whether your company should keep those records and in what form.
Do we want to monitor employee use of the technology? If so, you’ll need to make sure you have the resources and capability to handle it.