Risk Management of Email and Internet Use in the Workplace by John Ruhnka and Windham E. Loopesko from The Journal of Digital Forensics, Security and Law is available under a Creative Commons Attribution-NonCommercial 4.0 International license.

Internet Use Policy

John Ruhnka, University of Colorado, Denver & Windham E. Loopesko, University of Colorado, Denver

4. OBJECTIVES OF CORPORATE INTERNET USE POLICIES

While preserving the confidentiality of internal operations, proprietary information and confidential client data, and avoiding legal liability from inadvertent, unauthorized or harmful acts of employees are primary goals for corporate email and internet use policies, they are not the only goals.

Corporations must also factor in other objectives not always consistent with limiting legal liability.

4.1 Reducing Lost Productivity

The concern among many businessmen from about 2000 was that allowing internet access in the workplace could result in a great increase in employee non-work activities. Available content on the internet has expanded far beyond TV fare since 2000 to include Facebook, streaming video and music sites, fantasy sports teams, on-line shopping, eBay, financial web sites and bank account access, news feeds, blogs and Twitter. Clearly, excessive employee non-work internet use during working hours can impose significant costs on a company; one source cites productivity loss as the top reason for instituting an “acceptable use policy” (AUP) for company email and internet (Smith, 2013).

Also, employee perceptions that “everyone” is engaging in non-work-related email and internet use can rapidly spread. However, employees increasingly reject the idea of strictly defined “work” and “non-work” hours, believing they can be more productive engaging in company business at any time and from any place–on devices that they choose.

4.2 Protecting Tangible and Intangible Assets

Increasingly sophisticated hackers are constantly developing tools to penetrate corporate networks–almost always to the potential detriment of the company and its clients. They may be working for criminal enterprises, or for competitors or foreign governments, but their goal is the same–to gather as much valuable information for as long as possible. Citibank and Sony are only two of the largest and best-known victims of such attacks. Email remains the most popular way to introduce malware into corporate networks (Cisco, 2013).

4.3 Controlling Internet Costs

Many non-business internet uses (e.g., streaming video, movies and music downloads, and internet music and television feeds) are “bandwidth hogs”. While these applications may not directly cost the corporation, their cumulative use can easily consume a substantial portion of a corporation’s available bandwidth, which can require major expenses to expand the corporation’s network capabilities.

4.4 Attracting Talented Employees

If human capital is a company’s most valuable asset, avoiding unnecessary barriers to attracting the best future employees may require considerable adaptations in a corporation’s internet use and access policies. Cisco argues that preventing or limiting employee access to social media can put companies at a competitive disadvantage, and that by accepting social media, companies provide their employees with the tools–and the culture–to be more productive, innovative and competitive.

5. WHAT SHOULD AN EFFECTIVE EMAIL AND INTERNET POLICY CONTAIN?

It is one thing to create an AUP for workplace email and internet but another–in a world where increasing numbers of employees consider access to the internet a right and claim they are willing to ignore or circumvent an employer’s internet use policies if they find them overly constraining–to enforce it.

5.1 Elements of an Acceptable Use Policy

No one is suggesting that not having an AUP is an option today. Every sizable business needs to have a formal risk management policy for email and internet use. Widespread agreement exists that the following elements need to be included:

5.1.1 Contractual Agreement

The AUP should be a written agreement with each employee and agent of the corporation having email and internet access; all employees should sign the AUP and acknowledge an understanding of its requirements as a prerequisite to gaining password access to the corporate network.

5.1.2 Corporate Ownership of Information

The AUP should clearly state that any information produced, collected or stored on the company’s email servers, internal networks and internet system is company property–even if the information was obtained from third-party web sites.

5.1.3 Monitoring

The AUP should indicate that the corporation reserves the right to monitor any and all employee access to and usage of its internal networks and internet system, including the volume of traffic and tracking of web sites visited (although monitoring of specific content will not occur except in cases of a suspicion of improper behavior).

5.1.4 Retention

The AUP should indicate that all workplace emails and network transmissions are the property of the company, that they will be stored and retained indefinitely, and that the company has the right to demand access to any employee’s PCs, laptops, iPads or other electronic devices used for company business in the event of litigation or internal, regulatory or law enforcement investigations in which data generated or stored on such devices may be potentially relevant.

5.1.5 Sanctions

Sanctions for violation of the email and internet use policy must be described and should include progressive steps, from initial verbal warnings up through dismissal and referral for criminal prosecution for repeated and/or serious offenses.

5.2 The Traditional View of Acceptable Use Policies

Differences of opinion exist over how to describe permitted and prohibited email and internet related activities. The traditional view (often advanced by vendors of solutions for creating and monitoring AUP policies) is that internet use policies should contain long and detailed lists of prohibited behaviors. For those following this “laundry list” approach, a list of prohibited email and internet activities often includes:

· Violating copyright laws or licensing agreements through unauthorized reproduction or distribution of copyrighted or protected materials.

· Using company computers to gain unauthorized access to external computer systems.

· Connecting unauthorized equipment to the company’s network.

· Making unauthorized attempts to circumvent data protection devices.

· Associating unapproved domain names with a company-owned IP address.

· Performing an act that interferes with the normal operation of any company hardware or software.

· Installing or running on any computer a program intended to damage or place excessive load on a computer system (e.g., viruses, Trojan horses or worms).

· Engaging in activities that waste or overload company computing resources.

· Using company resources for any non-work related commercial activity.

· Using email, social media or company-owned or sponsored hardware or services to harass or threaten others, or sending materials that might be deemed defamatory, derogatory, prejudicial, sexually offensive or unwanted.

· Initiating, propagating or perpetuating electronic chain letters.

· Sending inappropriate mass mailings, including “spamming”, “flooding” or “bombing”.

· Forging a user or machine identity electronically.

· Transmitting or reproducing materials that are slanderous or defamatory, that violate existing laws or regulations, or are otherwise inappropriate in a workplace environment.

· Transmitting images, text or internet links that could be considered lewd, obscene or sexually explicit.

5.3 An Alternative Risk-based View of Acceptable Use Policies

We suggest, however, that alternate risk management approaches may make more sense in many instances–focusing on controlling only those potential risks relevant to a corporation’s or organization’s specific activities. For example, a company engaged in the design and manufacture of laptop computers necessarily works with critical proprietary information (e.g., R&D project designs, patent applications, trade secrets, manufacturing know-how). Some of this information is owned and some is licensed from third parties–but all of it needs to be continuously protected to avoid potentially large economic damage and legal liability if improperly communicated, disclosed or accessed. The same need for protection of confidential client information would apply to law, accounting or consulting firms dealing with intellectual property, financial data, litigation, strategic acquisitions or other client information that requires protection against disclosure or inadvertent access. The same level of intellectual property safeguards would not be necessary for a pizza chain that provides online ordering and delivery scheduling. But the pizza business still needs to safeguard customer credit or debit card information, and both the computer manufacturer and the pizza business are equally exposed to potential workplace sexual harassment claims by employees resulting from use of company email or internet access.

Businesses embracing a “risk-focused” approach usually will retain the right to monitor employee compliance with specified or prohibited behaviors but may limit surveillance to activities at higher risk of employee misuse and spend more time making sure that employees understand the consequences of a failure to comply. Such focused AUPs are more likely to be understood and followed–and to gain “buy-in” from a workforce that increasingly considers information security and liability avoidance as the IT department’s problem–and not theirs (Cisco, 2013).

While social media is gaining in importance in corporate activities, email remains the primary means of communication–and hence the primary focus for corporate efforts to limit employee-caused legal liabilities or outside threats. To that end, many companies are using software such as Compuscan that inserts disclaimers of liability for prohibited email use into all corporate email communications. However, such disclaimers are an imperfect shield at best–no court case has yet allowed a company to escape liability for damaging emails through use of a blanket disclaimer contained in the email. Disclaimers are more effective if they are targeted at specific areas of the business where liability is more likely–for an electrical contractor’s customer and vendor communications, for example, “no bids or estimates are binding unless and until approved in writing by the VP for Finance”–and not simply attached to every email that company employees send.

6. STEPS IN IMPLEMENTING EFFECTIVE INTERNET USE POLICIES AND PROTECTING THE COMPANY FROM LEGAL LIABILITY

The changing state of the law on corporate liability for electronic communications and evolving employee attitudes and expectations make across-the-board recommendations for corporate internet and email use policies difficult–other than the recommendation that every corporation or organization should have an AUP tailored to its specific workplace activities and risk exposures (indeed, the failure to have an AUP might be almost conclusive evidence of corporate negligence in litigation involving inappropriate employee emails or network activities). However, some general recommendations are possible:

· Analyze and understand the specific types of communications your company is actually sending and receiving and the specific legal liabilities that are involved.

· Consult employees periodically as to how they are using the internet and email systems; do not simply rely on use statistics.

· Develop and mandate employee education programs (for both new hires and existing employees) about the potential for specific corporate liability for inappropriate communications.

· Implement monitoring software to follow all activities that the company decides to prohibit in its internet use policy (although it should be used only on a random basis or when cause for suspicion exists).

7. CONCLUSION

The continuing exposure to legal liability for corporate email and electronic communications, and the importance of such communications in litigation and governmental investigations, are unlikely to diminish so long as corporate email and internet usage continue to gain importance in internal and external business activities. But increasingly companies are moving to “risk-focused” instead of “laundry list” approaches to controlling internet and email use. To use this risk-focused approach, corporate risk management policies and employee educational activities for employee internet and email use need to be periodically revisited and revised, and corporations need to continuously seek employee “buy-in” and cooperation, to meet the most important legal exposures associated with specific corporate and employee activities.

REFERENCES

CFO Journal. (2013, August 13). The Wall Street Journal. Retrieved from http://blogs.wsj.com/cfo/2013/08/13/the-morning-ledger-cfos-seek-security-from-cybercrime/

Cisco Systems. (2013). Cisco 2011 annual security report. Retrieved from http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2011.pdf (pp. 6-8)

Compuscan. (2013). Email disclaimer. Retrieved from https://www.compuscan.co.za/about-us/132-email-disclaimer

Sony insurer doesn’t want to pay for data breaches. (2013). ITPro. Retrieved from http://www.itpro.co.uk/635140/sony-insurer-doesn-t-want-to-pay-for-data-breaches

Watch porn at work–a guide for employers and managers. (2013). Mailguard. Retrieved from http://www.mailguard.com.au/blog/porn-at-work/

National Legal Research Group, Inc. (2013). Internet acceptable use policies for law firms and other employers. Retrieved from http://www.nlrg.com/internet-acceptable-use-policies-for-law-firms-and-other-employers/

PBT Consulting. (2013). Research: Employees spend entirely too much time accessing the internet while at work. Retrieved from http://tommytoy.typepad.com/tommy-toy-pbt-consultin/2010/09/research-employees-spending-entirely-too-much-time-surfing-the-web-while-at-work.html

Pingdom. (2013). Internet 2011 in numbers. Retrieved May 21, 2013, from http://royal.pingdom.com/2012/01/17/internet-2011-in-numbers/

Ponemon Institute Research Report. (2013). Cost of data breach study: Global analysis. Retrieved from https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf

Radicati, S., & Hoang, Q. (2013). Email statistics report, 2011-2015. Retrieved from http://www.radicati.com/wp/wp-content/uploads/2011/05/Email-Statistics-Report-2011-2015-Executive-Summary.pdf

Smith, A. (2013). Citi–Millions stolen in May hack attack. CNN. Retrieved from http://money.cnn.com/2011/06/27/technology/citi_credit_card/index.htm

Yarow, J. (2013). 107,000,000,000,000. Business Insider. Retrieved from http://articles.businessinsider.com/2011-01-14/tech/30078145_1_hours-of-video-uploaded-big-number-facebook

Zubulake v. UBS Warburg [case study]. (2003).