|
This trend has given rise to a number of new employee-related problems. One is the time wasted by employees surfing the net during working hours. The conclusions of various recent studies on this subject are alarming:
- One report estimated that the average employee spends approximately 220 hours a year on the internet surfing for non-business related purposes (1)
- The same survey claims that almost 72 percent percent of the pornographic sites on the internet are visited during work hours (2)
- In another study, 10 percent indicated that their work suffered as a result of time spent online, while another 13 percent blamed the internet for their inability to stay focused (3)
Another problem is the downtime associated with employees sending and receiving personal emails, One recent report indicated that employees are costing their companies over 1m [pound sterling] a year in lost productivity by spending an average of 30 minutes a day using email for personal, non-work related reasons (4).
And this, in turn, can lead to inappropriate usage of company property. An Elron Software study found that more than 50 percent of employees had received pornographic, sexist or racist emails at work (5). Examples of internet and email abuse are now commonplace in the news. For example:
- In February 2001, a female computer consultant in the UK prevailed in her claims of sexual discrimination and unfair dismissal against her boss and her employer, IT consultants, relying heavily on evidence that her boss regularly forwarded her and others pornographic photos using the company email network.
- In December 2000 and January 2001, sexually explicit emails involving Bart Simpson led to the reputed firing of ten employees and the suspension of at least 75 more at Royal and Sun & Alliance in Liverpool.
- In December 2000, the now infamous email exchange between a Norton Rose lawyer and his girlfriend became a lesson in the remarkable speed with which a racy and sexually suggestive email can be distributed throughout the world - and the notoriety and employee discipline that can follow.
DEALING WITH THE ISSUE
As email and internet use continue to grow in the workplace, so too will the accompanying problems. Many businesses are therefore trying to discover effective ways of managing what are valuable, but often troublesome, electronic resources. The proactive approach is to:
- implement a comprehensive policy which covers both email and internet usage
- train employees to raise awareness of the policy
- consistently enforce breaches of the policy
- conduct periodic audits of usage practices to establish whether current procedures are in line with the stated policy.
SETTING UP A POLICY
As with any company policy, an email/internet usage policy needs to be:
- concise
- easy to understand
- consistent with other business policies
The email and Internet use policy must interact with, for example, the existing document (paper) retention policy, the sexual harassment policy, and so on. For this reason, representatives of various groups or divisions within the business should participate in the initial drafting stages.
Adopting an email and internet policy can be done either by using an express consent clause in employment contracts or by means of including an email policy in the staff handbook (compliance with which should be required under the existing employment contract). Whichever route is taken, a number of issues need to be addressed, including:
- overcoming the expectation of privacy
- introducing a clear code of conduct
- managing deletion and retention
- monitoring
- training and enforcement
EXPECTATION ON PRIVACY
A common misperception among employees is that use of the company's email system and internet access for personal purposes is private. One of the most fundamental objectives of any usage policy should be to overcome this misconception. The policy should therefore unequivocally state that:
- employees should not expect privacy with regard to anything they put on the company computer network
- the computer network is owned by the company
- a password is not an indicator of personal privacy, for example by including a statement in the policy document such as: "Passwords are for the benefit of the ABC Co and are the proprietary and confidential information of ABC Co."
CODE OF CONFLICT
Following careful evaluation of the company culture, the code of conduct regarding all use of the internet and email should specifically delineate what type of conduct is expressly prohibited. For example, the policy regarding email usage may include prohibitions against:
- threatening, intimidating or harassing other employees
- using obscene, profane or abusive language
- creating, displaying or transmitting material that is fraudulent or otherwise unlawful or inappropriate
- creating, displaying or transmitting offensive or derogatory images (including screensavers), messages or cartoons regarding sex, race, religion, colour, national origin, marital status, age, physical disability, mental disability, medical condition or sexual orientation or which in any way violate the company policy prohibiting employment discrimination and/or harassment in employment
- creating, displaying or transmitting 'junk mail' such as cartoons, gossip, chain letters or 'joke of the day' messages
- soliciting others for commercial ventures or for religious, charitable or political causes including 'for sale' and 'for rent' messages or any other personal notices
- sending confidential materials outside of the company or to unauthorised personnel.
The company also needs to decide if its policy towards personal use of the internet and email will either:
- be a zero tolerance policy; or
- provide for some limited personal use with prohibitions against certain types of materials or activities (in which case, incorporating some of the prohibitions above with respect to personal use would also be appropriate).
It should also be made clear that even if an employee is accessing a private account (such as a Hotmail account) he or she is still using a company-owned, business computer and is doing so for personal reasons. An effective policy should put a user on notice that any private, non-business related activities are done at the user's own risk and with no expectation of privacy. Whatever the decision, zero tolerance or otherwise, the policy needs to be consistently applied.
DELETION AND RETENTION
Another common misperception surrounding workplace email use is that deleting an email is akin to throwing a piece of paper in the bin. As the booming forensic analyst industry will be quick to point out, this could not be further from the truth. In most email programs, a deleted message is merely placed in a delete file. Forensic analysts have been able to retrieve most, if not all deleted messages from a user's delete file.
While the intricacies of electronic records retention is beyond the scope of this article, there are some fundamental points to keep in mind:
- companies should integrate, where possible, any email retention policy into the existing document (paper) retention policy. However, this may not be possible, either if a company does not have a preexisting retention policy in place or in circumstances where, because of the sheer volume of emails, simply printing out hard copies of every email may be impracticable
- any email retention policy should also reflect any statutory obligations to maintain records for certain minimum periods. The retention policy needs to establish a clear chain of command to stop the destruction of email records in the event of relevant litigation. In addition, a retention policy needs to take into consideration the storage capacity of the particular network in use and should require regularly scheduled deletions of emails stored on the network, laptops, PDAs and any other company owned equipment.
MONITORING
It is a business decision whether to monitor employee email and internet usage. Creating an extensive task force whose job it is to monitor email and internet usage could be a lesson in micromanagement and wasted time. Conversely, through monitoring, a company may be able to stop or at least regulate offensive or inappropriate email messages from being circulated and catch a problem in a timely manner. In the UK, interception of communications is generally lawful where all parties have consented to such interception. In the absence of consent, monitoring is only permissible for certain prescribed circumstances and even in such circumstances businesses intending to make interceptions without consent are required to make all reasonable efforts to inform every person who may use their telecoms system that communications may be intercepted.
From a practical point of view, employers should be aware that even where consent is granted, the employers may not necessarily have a carte blanche to monitor all employee communications. As a general rule, employers who monitor consenting employees' email and internet usage should do so (i) for legitimate reasons and (ii) using means that are proportionate to the objectives. Companies should be upfront about their monitoring activities. Covert monitoring is unlikely to be permissible except as a last resort in prescribed circumstances.
If the company does elect to monitor, there are several ways to ensure that the employee's consent to such interception is obtained. In addition to incorporating the company's monitoring activities in the employee's employment contract and/or in the staff handbook (as outlined above), the company can have periodic reminders sent to all employees saying something like: "Anything that is created, sent, received or stored on ABC Co.'s computer network is the property of ABC Co. and, therefore, subject to investigation, review and search at any time without prior notice if ABC Co. in its discretion should determine such review is necessary."
TRAINING, AWARENESS AND ENFORCEMENT
For any policy to be effective, employees must know it has teeth. The policy should make it clear that breaches will lead to discipline up to and including termination. Misuse of the internet and email should also lead to loss of use.
Too many employees and executives are simply unaware that a seemingly harmless joke sent via email could lead to legal proceedings against the company or, in some cases, the individual, and at worst, dismissal or suspension of the individual. Therefore, once the policy is complete, training sessions are a highly recommended way of both:
- raising employees' awareness of the rules
- stressing the importance to management of strict policy enforcement.
As a means of reinforcing the acceptable use policy principles, it is very common, particularly after an incident of misuse, for the company to have periodic reminders of company policy sent to all employees.
AUDITS
Once an email internet use policy has been implemented it is critical to conduct periodic audits to ensure that the policy accurately reflects the current business practice and procedures. At least annually, a company should conduct a thorough review of its internet and email policy to confirm that the employer is following its own procedures, to address any problems with the policy and to make sure that employees have adequate notice of monitoring, especially if new monitoring software has been installed.
Morrison & Foerster (Mofo) is a law firm with 1,000 lawyers in 18 offices worldwide. Keith Krasny (kkrasny@mofo.com) is an associate in the London office and Matthew Meade (mmeade@mofo.com) is an associate in Mofo's New York office.
(1) Simon Carswell, Employers Wake Up to Email Abuse, The 2 Sunday Business Post Online
(2) Carswell, supra note 2
(3) Lisa Fickenscher, The Side Effects of Surfing on the Job, NYTimes.com
(4) Jane Bolton, FYI, The Times
(5) Torsten Ove, Even in Cyberspace, Your Boss Is Watching, Pittsburgh Post-Gazette
|
