Smart Policies for Workplace Technologies
Email, Blogs, Cell Phones & More
Smart Policies for Workplace Technologies
Email, Blogs, Cell Phones & More
Lisa Guerin, J.D.
January 2015, 4th Edition
Make Your Workplace Safe for Technology
Worried that your company’s employees might post trade secrets on Facebook, send harassing email, or text while driving on company business? Advances in workplace technology bring big benefits, but they can also bring legal exposure.
To protect your company, you need to develop clear, specific policies—or update the ones you already have. Smart Policies for Workplace Technologies provides everything you need to adopt effective rules for employee use of:
- social media, such as Twitter and Facebook
- instant messaging
- mobile devices, including cell phones and tablets
- company and personal blogs
- and more
Smart Policies for Workplace Technologies keeps your business safe, online and off. Packed with sample policies, practical advice, and real-world examples, the fourth edition covers the latest trends, from Facebook firing to employees’ use of their own smartphones for work (“BYOD”).
"The potential legal traps facing employers are well articulated in Smart Policies for Workplace Technologies" - Journal of High Technology Law, Suffolk University Law School
- Computer and Software Use Policy
- Email Policy
- Internet Policy
- Instant Messaging Policy
- Blogs and Personal Posting Policy
- Cell Phone Policy
- Portable Computing Device Policy
- Camera Phone Policy
- Electronic Communications and Equipment Policy Acknowledgment Form
- Company-Sponsored Social Media Policy
1. Drafting Effective Technology Policies
- Why You Need Technology Policies
- Creating Your Policies
2. Computers and Software
- Remote Access to the Company’s Computer System
- Putting It All Together: Sample Computer and Software Use Policy
- Personal Use of Email System
- Content Rules
- Viruses and Other Security Threats
- Retention and Deletion
- Putting It All Together: Sample Email Policy
4. Internet Use
- Personal Use of the Internet
- Prohibited Uses of the Internet
- Personal Web-Based Email
- Putting It All Together: Sample Internet Policy
5. Instant Messaging
- To IM or Not to IM?
- Personal Use of IM
- Privacy and IM Monitoring
- Viruses and Security Threats
- Retention and Deletion
- Putting It All Together: A Sample Instant Messaging Policy
6. Social Media, Blogs, and Beyond: Personal Posting on the Internet
- Restrictions on Personal Posting
- Adopting a Commonsense Policy
- Putting It All Together: A Sample Blog and Personal Post Policy
7. Company-Sponsored Social Media
- Why Post?
- Who May Post
- Guidelines for Posting
- Authorship and Disclaimers
- Handling Comments
- Putting It All Together: A Sample Company-Sponsored Social Media Policy
8. Cell Phones
- Company-Owned Phones
- Personal Cell Phones at Work
- Wage and Hour Concerns
- Putting It All Together: Sample Cell Phone Policy
9. Portable Computing Devices: Smart Phones, Laptops, Tablets, and Beyond
- Company-Provided or Personal Devices?
- Rules for Company-Issued Devices
- Rules for Personal Devices and BYOD
- Putting It All Together: Sample Portable Computing Device Policy
10. Cameras and Recording Devices
- Alternative 1: Banning Cameras and Recording Devices
- Alternative 2: Use Restrictions
- Putting It All Together: Sample Camera and Recording Device Policy
A. Using the Interactive Froms
- Editing RTFs
- List of Forms
Drafting Effective Technology Policies
Why You Need Technology Policies.......................................... 7
Protect Trade Secrets............................................................ 7
Promote Your Company Effectively....................................... 8
Preserve Customer and Employee Privacy........................... 8
Lay the Groundwork for Discipline and Termination............ 10
Tell Employees That Their Communications Aren’t Private. 11
Avoid Problems Caused by Employee Mistakes................. 11
Conserve Company Resources........................................... 11
Limit Liability for Employee Misconduct............................... 11
Manage Electronic Documents............................................ 14
Creating Your Policies............................................................. 14
Determine Your Current Practices....................................... 15
Draft Policies........................................................................ 18
Review and Revise Policies................................................. 19
Distribute Policies and Acknowledgment Forms.................. 19
Enforce Policies................................................................... 21
Review Policies and Update If Necessary........................... 22
In the not-so-distant past, every telephone had a cord tethering the caller to a nearby wall. The only way a business could transmit a document was to place it an envelope and pay someone to carry it to the recipient. To research important data, we had to find the right books, sometimes by traveling to a library, then take them off the shelf, open them, and hope that the table of contents would point us to the relevant pages.
For anyone under 30 years old, these must some seem like some outdated and inefficient limitations for operating a business. Nowadays, smart phones, email, the Internet, cloud computing, and other innovations have brought huge gains in business efficiency and productivity, allowing instant communication and access to information that would have seemed unimaginable only a short time ago.
And, of course, the technology wave hasn’t crested yet. Every time we turn around, there’s a new device—or an innovative way to use something we’ve already got—that could revolutionize the way we work. One day, not too long from now, we’ll look back on iPhones, Twitter, and spam with the same nostalgia we reserve for the inkwell, carbon paper, and the IBM Selectric.
But no matter how technology evolves, one thing remains constant: New technology always brings new risks for employers. Technology can always be misused, either intentionally or accidentally. And, because employers are often legally responsible for the acts of their employees, technological developments have exponentially increased the possibility of legal exposure.
In recent years, we’ve been inundated with tales of employer woes: private customer information accidentally made public; racist or sexist jokes transmitted through a company’s email system; employees causing car accidents while doing business on their phones; blogs that reveal company trade secrets; employees or officers “outed” as the authors of glowing online reviews of company products; and employees airing workplace gripes on social networking sites. Although technology has promised to increase efficiency and rid us of documentation, it sometimes seems to have had the opposite effect. For example, companies now spend thousands of dollars combing through their electronic files to produce evidence for auditors, courts, and government agencies.
How does an employer modulate this digital din? Some try to control technology with other technology, such as software that blocks certain Internet sites, programs that scan email for illegal content, or company-wide adoption of digital passwords to prevent access to company secrets. But fighting technology with technology is a never-ending game of cat and mouse, as the makers of anti-spam software have learned. There’s always a way to skirt these technological solutions, which means companies have to develop a response to the workaround, and the escalation continues.
Ten Ways Around Your Company’s Technological Controls
Many companies, especially those with a savvy IT department, rely on blocking software, filters, and other technology to prevent employees from wasting resources or compromising security by, for example, surfing porn sites, sending large files, or storing work-related documents online. If the employees are also tech-savvy, however, they can get around these controls—and they often want to, because it’s easier and more convenient. Often, these employees aren’t troublemakers; they’re just trying to work from home, get the programs or files they need, or save more email messages than your company’s system allows.
This is one reason why your company must not only physically block employees from misusing company technology, but also adopt a policy prohibiting it and explaining why it’s important. Employees who know the risks of getting around the company’s controls are more likely to think twice before taking that shortcut. And if you’re thinking your company’s employees probably don’t know the first thing about circumventing the company’s controls, you better hope they don’t read The Wall Street Journal, which published a list of ten controls and how to get around them. It explains how to:
Send large files: Use an online service to transmit large files free.
Use software the company doesn’t allow employees to download: Access a Web-based version of the software or load it on a portable device.
Visit blocked websites: Use a proxy site to see the blocked website rather than visiting it directly, either through a search or by asking Google to do an English-to-English translation of the site (which calls it up on the searcher’s screen).
Erase tracks from a company-issued laptop: Use the browser to delete the history of websites visited.
Search for work documents from home: Store copies of files from one computer online, to be searched from another computer.
Store work documents online: Use an online storage service or send files from work to a personal email account.
Evade company monitoring of Web-based email: Encrypt messages or use a secure email session.
Access work email remotely: Automatically forward all work-related email to a personal account.
Access personal email from a company-issued BlackBerry: Add a personal email account to your profile at your BlackBerry’s service provider website.
Avoid getting caught surfing the Web: Hit Alt-Tab to minimize one window and maximize another.
Vauhini Vara, “Ten Things Your IT Department Won’t Tell You,” The Wall Street Journal, July 30, 2007.
A better approach is to adopt a set of commonsense rules that explain how employees should use the technologies the company makes available to them. Of course, policies alone won’t stop all employee misconduct: There will always be employees who act badly, no matter what your company’s handbook says. But policies, combined with training, leadership by example, and consistent enforcement, will help your company make sure that employees are using its electronic resources as the company intends.
And, if an employee doesn’t follow the rules, policies provide a strong measure of legal protection if your company has to discipline or fire the employee, or prove that it did everything it could to prevent the incident (in the unfortunate event someone was harmed by an employee’s misuse of technology).
This book provides policies you can adapt for your workplace on email use, employee blogs, posting to company-sponsored social media pages, using cell phones for work, downloading software, Internet access, and much more. It also provides the information you need to decide whether to use a particular policy and how to customize it to fit your workplace.
Chips and Scanners: What’s Next for Workplace Tech
Most of the electronic tools covered in this book will be familiar to you. Even if you don’t own a tablet or use instant messaging, you’re probably familiar with these commonplace innovations. On the horizon, however, are some truly sci-fi technology applications, some of which have already been adopted in the workplace.
A lot of these innovations are intended to be used on employees, not necessarily by them. Devices once used to track packages are now being used to track people. And, developments in biometrics are being pressed into service as employee identification devices. Here are some examples:
Global positioning devices. GPS devices are used not only to keep tabs on pets, children, and valuable merchandise, but also to monitor the fleets—and employees—at FedEx and United Parcel Service (UPS).
Radio Frequency Identification (RFID). RFID isn’t just used to identify and track people and products via a tag or transponder; it’s also being used to maintain business security and track employees’ movements within a facility. (The RFIDs are commonly planted in employee ID badges.) At least one company has asked employees to have an RFID chip implanted in their arms to access the company’s data center. These developments have led at least four states—California, North Dakota, Oklahoma, and Wisconsin—to pass laws prohibiting involuntary microchipping. For information on state RFID laws, go to the website of the National Conference of State Legislatures, www.ncsl.org, click “Research,” and select the “Telecommunications/IT” issue area.
Biometrics. Verifying a person’s identity through their unique physical characteristics is nothing new; police departments have been using fingerprints for this purpose for decades. But some companies are now pressing this technology into use to identify employees. At McDonald’s, for example, employees clock in by scanning their hands rather than punching in a time card. Some companies use facial recognition and retina scanning systems to authenticate the identity of employees entering secured areas of a facility.
Wearable technology. The growing trend of tech we can wear on our bodies includes everything from fitness trackers, smart watches, and sleep monitors to computerized headsets, like Google Glass. So far, consumers have been the primary market for these items. But employers—particularly those with a “just in time” production, delivery, or inventory model—are also beginning to put these trackers to use resource planning. Employee headsets can be synched to the company’s network for checking stock, tracking inventory, delivery confirmation, transaction history, and much more.
Use of these technologies on employees has met with a lot of resistance, and it’s no wonder why: There’s a disturbing level of intrusion involved in having a chip implanted in your body or having your every move tracked. Once this information is gathered, there’s also the problem of keeping it safe. Identity theft is one thing, but what about the possibility of having your facial features “hacked” and misused, or having the government subpoena records of your movements, captured through a GPS or RFID system? The legal battles over these technologies are just getting started, so stay tuned.
Why You Need Technology Policies
Your company probably has some written policies gathered in an employee handbook or policy manual, covering things like time off, benefits, employee conduct, and termination procedures. Unfortunately, however, many companies have neglected to keep up with the times by creating policies dealing with technology. Sometimes, the company’s decision makers don’t understand how technological innovations work or don’t know how employees are actually using company resources. Sometimes, policy makers assume that existing policies are adequate to cover new technologies. Perhaps most often, however, the people responsible for writing policies just have too many other things to do, and put off updating their handbook to a later date.
Practice makes policy. A policy can exist without being written down or even communicated orally to employees. For example, if everyone in a company, from senior management on down, uses the company’s email system for personal messages, that’s company policy, even if the company has no official written guidelines saying that it’s okay to use email in this way. The company would have a tough time defending a decision to fire an employee for sending personal messages if everyone else did so with impunity. It’s much better to consciously decide what your company’s policies should be than to create policies by default.
If your company has procrastinated on drafting or updating its technology policies, you’re missing an opportunity to protect the company’s assets and leaving yourselves open to legal trouble in the future. Here are some ways that well-drafted technology policies can help your company.
Protect Trade Secrets
Employees stealing trade secrets once had to stand over a copy machine, smuggle out boxes of documents, or bring in cameras. Today, however, the valuable intangible information upon which many companies are built—their trade secrets—can easily be purloined in digital format.
Technology policies can help protect against loss of company trade secrets, whether it occurs intentionally—as when an employee steals data to sell to a competitor or start a similar business—or unintentionally—as when an employee sends confidential infor-mation through Web-based email, which is hacked by an outsider, or stores sensitive files on a smart phone that is later stolen. Even if your company faces an aggressive trade secret thief who doesn’t care about the rules, strong policy language will help your company show that it took steps to protect its confidential information, which will work in your company’s favor when it tries to stop others from using its stolen secrets.
Promote Your Company Effectively
These days, consumers look for information about products and services online. Your company’s official Internet presence—on its own website, in company blogs, and on the company’s social media pages—plays a significant role in creating and maintaining your company’s reputation. And, its “unofficial” presence—in personal blogs and posts, online reviews, or YouTube videos, for example—may be just as important, for better or for worse. Policies that draw clear lines on what employees should and shouldn’t say online, whether in company-authorized content or in personal posts, can help you make sure that your company is being represented positively and appropriately in cyberspace.
Preserve Customer and Employee Privacy
All companies keep some confidential information about their employees, whether Social Security numbers, next of kin, or medical records. Many companies also have confidential customer information, such as addresses, telephone numbers, and credit card accounts. Companies have a legal obligation (and obvious incentive) to maintain the privacy of this information, which up-to-date technology policies will help you do. Many states also require companies to notify consumers if their information is leaked, stolen, or otherwise compromised.
Lessons From the Real World
Violating company policy isn’t necessarily a crime.
David Nosal quit his job at Korn/Ferry, an executive search firm. He got some of his former coworkers to access Korn/Ferry’s database, using their own log-in credentials, and download lists of sources, names, and contact information. He used this information to start his own competing business.
Nosal was charged by the federal government on 20 criminal counts, including conspiracy, mail fraud, theft of trade secrets, and violation of the Computer Fraud and Abuse Act (CFAA). Among other things, the CFAA makes it a crime to “exceed authorized access” by accessing “a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The federal government argued that Nosal had conspired, with his former coworkers, to violate the CFAA. Korn/Ferry’s computer policies prohibit employees from disclosing confidential company information. Therefore, even though the coworkers were authorized to access and use the information in the database, they exceeded that authorized access when they handed trade secrets over to a competitor.
The federal Court of Appeals for the Ninth Circuit disagreed with this argument, however. Making company policy the determining factor in whether an employee’s conduct is illegal would potentially criminalize everything from sending personal email from work to checking the weather. Outside the employment context, the Court pointed out that violating the terms of service of any online business, from Facebook to Amazon to eHarmony, could potentially result in criminal charges. Although Nosal could still be subject to civil liability for stealing trade secrets, violating his contract, and more, he could not be prosecuted under the CFAA.
United States v. Nosal, 676 F.3d 854 (9th Cir. 2011).
Nearly 900 Million Breached Records … and Counting
A stolen laptop here, a hacked website there, and the security breaches start to add up. According to the Privacy Rights Clearinghouse, more than 870 million records were compromised between January 2005 and September 2014, and the number is increasing by the thousands daily. The Clearinghouse keeps an extensive database of security breaches involving consumer information (you can view it at www.privacyrights.org; select “Identity Theft & Data Breaches” from the home page).
Lay the Groundwork for Discipline and Termination
Policies provide the basis for employee discipline and termination by explaining what conduct is prohibited. Although most companies have the right to fire employees at will (that is, for any reason that’s not illegal), it’s always wise, for legal and practical reasons, to fire only for good cause. By putting employees on notice, technology policies make it more difficult for employees to later argue that they were treated unfairly or that they didn’t know their conduct was prohibited.
Policies must be enforced consistently. Having policies on paper is a good first step, but it isn’t enough to protect your company from wrongful termination lawsuits. To use a policy as a lawsuit defense strategy, your company must be able to show that everyone who violated the policy faced the same consequences. Otherwise, an employee can use your company’s selective enforcement as proof of discrimination, retaliation, or other unfair treatment.
Tell Employees That Their Communications Aren’t Private
Because your company may one day have to read or monitor employee email messages and Internet browsing histories, you should put employees on notice. It’s only fair to tell employees ahead of time that their messages may be read. Notifying employees about monitoring will also deter them from sending inappropriate messages in the first place. What’s more, employees’ legal right to privacy is determined, in part, by how much privacy they reasonably expect to have. If your company tells employees their communications aren’t private, it will be hard for them to argue later that they nonetheless expected confidentiality.
Avoid Problems Caused by Employee Mistakes
Many of the problems created by workplace technology are the result of inadvertent errors—for example, clicking on an attachment that unleashes a virus or posting confidential information when answering a customer question online—not intentional missteps. By setting ground rules for employees and explaining why those rules are important, technology policies can help your company avoid many of these problems in the first place.
Conserve Company Resources
Misuse of technology—whether in the form of streaming video, visiting illicit websites, or sending excessive personal email—costs time and money. Your company can preserve its bandwidth and server capacity, and maintain higher employee productivity, by adopting policies that limit how employees may use its technological resources.
Limit Liability for Employee Misconduct
In some situations, your company can use its policies to show that it tried to prevent harm to others. For example, if your company has a written policy prohibiting employees from making business-related calls while driving, that policy can be used as evidence that the company shouldn’t be legally responsible for injuries an employee caused while doing just that.
Lessons From the Real World
Company can read email, even if the employee has a confidential password.
When Nissan hired Bonita Bourke to help employees with problems related to their computer system, the company probably had no idea just how much Ms. Bourke planned to use that computer.
The first sign of trouble was during a training session. In trying to demonstrate how dealership management could use email effectively, one of Ms. Bourke’s coworkers pulled up a message at random to use as a teaching tool. Unfortunately for Ms. Bourke, it was a personal, sexual message that she had sent to another employee.
After the incident was reported to management, the company reviewed the entire workgroup’s email messages. It found a number of personal messages, including messages with sexual overtones, sent by Ms. Bourke, who was fired.
Ms. Bourke sued Nissan for violating her privacy rights, among other things. The court ruled against her, however. Ms. Bourke had signed a form indicating her understanding that company policy restricted use of company computers to business purposes only. She also knew that email messages were occasionally read by someone other than the intended recipient. The court therefore found that, even though Ms. Bourke had a confidential password to use her computer, she could not reasonably expect her email messages to be private.
This case, from the early days of email, laid out the reasoning that virtually all other courts have adopted: Employee use of company email is not private.
Bourke v. Nissan Motor Corp., No B068705 (California Court of Appeal, 2nd District, 1993).
Employers’ Duty to Retain and Hand Over Electronic Evidence
In 2006, federal rules took effect that define the obligations of lawsuit opponents to save and provide electronically stored evidence. The Federal Rules of Civil Procedure (FRCP), which apply to all noncriminal federal lawsuits, were updated to reflect that modern business documents are more likely to be stored on a server, disk, or backup tape—or in the cloud—than in a filing cabinet.
The FRCP now explicitly includes electronically stored information in the categories of documents and evidence that must be exchanged in discovery: the process of requesting and receiving information from the other side and from witnesses in a lawsuit. The rules have always obligated parties to discuss the case and exchange key evidence and witness lists early on (this is called the “meet and confer” requirement). Now, electronically stored information must be discussed and produced at this meeting, which is supposed to take place only a few months after a lawsuit is filed.
The rules impose a heavy obligation on companies to properly organize their electronic information so it can be accessed and reviewed quickly for a lawsuit. However, there’s some good news here for companies that routinely purge emails and electronic information: There’s no penalty if a party can’t provide electronic data because it was lost as a result of the routine, good faith operation of an information system. But this “safe harbor” provision applies only until litigation is in the offing. Companies facing a lawsuit must immediately stop their purging, shredding, and deleting, and impose a “litigation hold.” A company that destroys potentially relevant evidence after a lawsuit is imminent can face huge fines and penalties.
Manage Electronic Documents
Most of the innovations covered in this book allow employees to create, modify, and transmit documents electronically. They also create their own electronic records, in the form of logs, user records, browsing history, address books, and so on. Employers have a duty to preserve and hand over electronic documents like these in a lawsuit, just as if they were pieces of paper. Without policies telling employees how to manage their electronic documents, your company won’t be able to meet these obligations. Lawsuits aside, if employees don’t know which electronic documents to keep and where to put them, your company might not be able to access important records like contracts and customer orders.
Creating Your Policies
This book will help you draft and update technology policies that will be effective in your company. What this book can’t do, however, is tell you which policies are right for your company: That will depend on the industry, your corporate culture, the sophistication of your employees, your company’s comfort level with risk, and plenty of other intangibles that will vary from company to company.
A large part of your job will be to decide how intrusive or trusting your company wants to be with its employees. This issue comes up again and again in the technology field because employee use of each of these devices and functions can be monitored. Here are some questions you may have to consider:
Will your company read every employee email message or will it simply reserve its right to monitor email if it needs to?
Will your company block access to certain Internet sites, monitor employee Internet traffic, or just tell employees not to visit certain types of sites?
Will your company allow—or ask—employees to use personal phones and other electronic devices for work or prohibit them from doing so?
Each chapter in this book covers a different type of electronic resource or function, such as email, smart phones, or social media, providing an overview of the most important issues to consider, sample policy language, and information that will help your company decide whether—and how much—to regulate employee use of that equipment.
Although some policies should be adopted in every company (prohibiting employees from texting while driving, for example), others are not so universal. That’s why your first step in crafting technology policies is not to open this book to the appropriate chapter, but instead to figure out what your company is already doing and what it wants to do.
Determine Your Current Practices
To get started, find out how technology is being used and regulated in your company now. First, consult your company’s employee handbook or other written policies. Does your company have policies in place dealing with email, blogs, cell phones, and the other tech addressed in this book? Are these policies up to date and adequate to address everything your company and its employees currently use? Does your company require employees to sign acknowledgment forms demonstrating that they have received, read, and understood these policies?
Once you’ve collected and reviewed your company’s written policies, it’s time to get out of your office and talk to people to find out what types of technology are actually in use, and in what ways. Here are some ideas to help you get started:
Talk to your IT department (if your company has one). Find out what technologies your company supports and what it prohibits. Does IT have the capacity to read employee email and instant messages or to track employee Internet use? Is someone actually reading employee communications? Does the company block access to certain websites? Does the company provide cell phones, smart phones, or laptops to employees? Does it allow—or require—employees to use their own electronic devices for work? If so, are there any limits on the makes or models, or on an employee’s ability to access the company’s network? Is IT aware of any problems in employee use or misuse of equipment?
Interview company managers. What technological resources do they use in their departments? Do they issue equipment to employees? Do they encourage employees to purchase their own equipment to use for work? Are they concerned about employee use of technology? Have they had to discipline or fire any employees for misusing electronic resources? What types of equipment do they need for their departments to function most efficiently and productively?
Meet with the online team. Talk to the employees who oversee your company’s online presence and find out what your company is doing on the Internet. Is it active in social media channels? Does it have business blogs? If so, how does it handle reader comments? Are you podcasting or producing online video? Does the company keep track of what others are saying about it online? The answers to these questions will help you figure out whether and how you need to address employee contributions—whether official or unofficial—to the company’s online presence.
Consult with the lawyers. Talk to your company’s attorney to find out whether there are any special concerns—or past problems—you’ll need to address. Has the company had to discipline or fire employees for electronic misconduct? Are there special concerns in your industry that you should consider? Do your state’s laws or applicable court decisions address privacy and technology?
Get feedback from employees. Find out what employees are really doing. Although you could talk directly to employees, you’ll probably get more accurate results with an anonymous survey or questionnaire. Your goal is to find out how employees are really using the available technology. In a face-to-face interview, few employees will admit to things like sending personal email, visiting websites that aren’t related to work, or getting around the company’s electronic controls.
Electronic Monitoring at Work
The American Management Association (AMA) has been surveying employers about their monitoring of employee activity since 2001. The most recent survey, for 2007, reveals that many employers monitor employee email and Internet activity. Here’s what they’re looking at:
Email. 43% of the companies surveyed monitor employee email. Almost ¾ of those use technology to automatically review messages, and 40% have an actual human being read email. Perhaps as a result of this monitoring, 28% of the companies who responded to the survey had fired someone for misuse of email, mostly in the form of inappropriate or offensive language or violation of company rules.
Internet use. Of the companies surveyed, ⅔ monitor employee Internet connections, and the same number block certain sites. 30% of the companies had fired someone for Internet misuse, with the vast majority of terminations resulting from viewing, downloading, or uploading inappropriate or offensive material.
Computer use. 45% of the companies track content, keystrokes, and time spent at the keyboard, and almost the same number review computer files.
Outside sites. 12% of responding companies monitor blogs to find out what’s being said about them, and 10% monitor social networking sites.
Don’t be surprised or concerned if your interviews revealed confusion about your company’s current policies and expectations, or differences in the way technology is used or managed in different departments. Your job now is to use that information to come up with policies that will work for the whole company and be enforced consistently in the future.
For each type of technology your company uses, go to the appropriate chapter in this book and review the policy language provided. Some chapters include alternatives to choose from, depending on how your company wants to handle a particular issue; some also include optional language you can include if, for example, you use monitoring software or provide employees with hands-free telephone equipment. Each chapter starts with a checklist of policy provisions, so you can make sure you’ve considered every important issue. Most readers should be able to put together effective policies using the language provided in the book and on the online companion page, with very few changes.
If, however, your company requires a different approach or wants to address additional concerns, you may need to draft or modify policy language. Here are a few rules to keep in mind:
Keep it simple. Use short sentences and paragraphs, and easily understood vocabulary. Be as clear and concise as possible.
Know your audience. Write in the language and style that reflects the culture of your company, and the education and sophistication of its employees.
Explain the policy. When writing a technology policy, it’s especially important to explain the purpose behind it. Employees who don’t understand why it’s important not to, for example, open an unscanned email attachment, send confidential information through Web-based email, or post “anonymous” reviews of your company’s products, might assume the company is just being paternalistic in imposing these requirements. Employees who know why a policy is necessary are more likely to follow it (and less likely to use workarounds).
Get Policy Languages, Updates, and More on Nolo.com
This book is filled with sample policy language you can use to create your own technology policies. You can access it in digital form—along with an acknowledgement form—at this book’s online companion page. (See the appendix for a link to the dedicated page for this book.) You’ll find other useful information on that page, too, such as updates and blog posts.
Review and Revise Policies
Once you’ve come up with draft policies, get some feedback. Ask the IT department and your company’s managers to read them; they are the ones who are going to have to actually enforce the policies and field employee questions. They can let you know whether they think it will be difficult to implement a particular policy.
After you’ve considered this feedback and revised your policies, it’s time to get a final review from a lawyer to be sure your technology policies are legally sound and up to date. Technology—and the legal rules governing it—changes at the speed of light. A lawyer can help you make sure your policies are current and effective. A final legal review like this shouldn’t take much time (or cost much money).
Distribute Policies and Acknowledgment Forms
Now, it’s time to pass out the policies. You should follow that with a meeting where you explain the policies and answer any questions employees might have. Tell employees that the company expects them to read the policies and abide by them, and ask employees to sign an acknowledgment form to that effect. (An acknowledgment form is available on this book’s online companion page; see the appendix for information on accessing it.)
Lessons From the Real World
Adopting technology policies doesn’t make your company liable for employee abuse.
It all started when David Sigler yelled at Thomas Kobinsky for letting his child relieve himself in the Siglers’ yard. Kobinsky struck back by using his work computer to place public ads for a business Sigler didn’t have, order products and subscriptions for the Siglers, and search the Internet for information about them. He also called their workplace on his company cell phone.
The Siglers sued Kobinsky and his employer, CUNA Mutual Insurance Society (CUNA), apparently the deeper pocket. The Siglers argued that, because CUNA had a policy forbidding personal use of computer resources, and because it had previously disciplined a number of employees for Internet offenses, it had a legal duty to monitor employees and review their Internet activities.
A Wisconsin court of appeals rejected the Siglers’ claims. The court found that it wasn’t reasonably foreseeable that giving employees Internet access would result in Kobinsky’s bizarre revenge campaign. The court also found that allowing the lawsuit to proceed would expand liability to such an extent that all employers would be turned into insurers of their employees’ online conduct. Having policies and requiring employees to certify that they had read and would comply with those policies was enough to meet the employer’s general duty of care to the public.
Sigler v. Kobinsky and CUNA Mutual Insurance Society, 762 N.W. 2d 706 (2008).
Acknowledgment forms may be legally required. Acknowledgment forms may look like overkill or a simple exercise in paperwork, but they are a vitally important part of your technology strategy. Currently, at least one state requires employers to get written consent from employees before monitoring their email and Internet use, and other states consider similar legislation every year. Even if they aren’t legally required where your company does business, acknowledgment forms ensure that employees understand the rules for electronic communications, which will result in fewer violations of those rules and more protection for your company if it ever has to defend a decision to read employee communications.
It’s a good idea to meet with employees to discuss any changes or additions to those policies. Use of technology is an area of major interest to employees, and one in which you may meet resistance. At a meeting, you can explain why the company needs these policies and what employees will have to do to comply.
Your policies are only as good as the paper they’re printed on unless your company puts them into action. Ignoring policy violations is a quick way to undo all of your work. Not only does it signal to employees that they don’t have to follow the rules, but it also creates extra legal exposure. Adopting a policy shows that your company understands the risks of misusing a particular technology. If it ignores policy violations, your company is essentially saying, “We understand that this could create problems, but we’ve decided not to do anything about it.”
For example, suppose company policy says employees will be issued hands-free equipment and must use it when driving and talking on a cell phone for business. The company hands out cell phones, but decides to put off purchasing headsets until the next fiscal year. An employee hits a pedestrian while taking a sales call. Here’s what the pedestrian’s lawyer might ask the human resources manager: “You wrote these policies, correct? And you said employees have to use hands-free technology because your company recognizes that’s safer than allowing them to use handheld phones while driving, right? But your company never purchased hands-free devices, did it? And now, my client has been permanently injured because your company didn’t want to spend $500, isn’t that right?”
Review Policies and Update If Necessary
If you’re in charge of keeping your company’s employee handbook up to date, you probably don’t read it from cover to cover when a review is required; you review only policies that may need to be changed because of a court ruling, new statute, or change in company practice. The truth is that most company policies aren’t going to change from year to year.
In the technology arena, however, things change quickly and you may find these policies need review once or twice a year. When you adopt a new policy or change the company’s existing policy, meet with employees to explain what’s new. As you did when you initially rolled out your tech policies, you should give employees time to read the policy, tell them why it was adopted, and answer any questions they might have. You should also prepare a new acknowledgment form.
Keep in mind, too, that this is just the beginning. Every year, there are new technology-related concerns on the horizon and your company’s policies should address these issues as soon as they hit your radar screen.
Considering New Technology?
After reading this book, you’ll have a good idea of the kinds of issues you need to consider and address in your tech policies. You can use that expertise to help inform the company’s decisions about new technology. Rather than just introducing a new gadget and waiting for the fallout, your company can plan ahead to avoid future problems. Here are some questions to brainstorm when your company is looking into new electronic resources:
Why do we need this technology? Knowing how you want employees to use a particular device will help you make more informed decisions about purchasing, functionality, and appropriate limits for employees.
Will we supply it for employees? If so, you’ll have to think about how you will decide who gets one and whether you will limit personal use. If not, will you reimburse employees who purchase their own device? How will you limit security risks of employees linking to your network from, or keeping business information on, a personal device?
Who will use this technology? If only the most senior management will be using a particular device, for example, your company may decide to forgo monitoring or extensive rules about personal use.
What risks are associated with this technology? Are there new data security issues to consider? Safety concerns? A high risk of theft (as is true with many smaller devices) or abuse?
What records does the device create? Because most technology creates a record, you’ll need to consider whether your company should keep those records and in what form.
Do we want to monitor employee use of the technology? If so, you’ll need to make sure you have the resources and capability to handle it.
This Book Comes With a Website
Nolo’s award-winning website has a page dedicated just to this book, where you can:
DOWNLOAD FORMS - All forms in this book are accessible online. After purchase, you can find a link to the URL in Appendix A.
KEEP UP TO DATE - When there are important changes to the information in this book, we will post updates
And that’s not all. Nolo.com contains thousands of articles on everyday legal and business issues, plus a plain-English law dictionary, all written by Nolo experts and available for free. You’ll also find more useful books, software, online services, and downloadable forms.