Best Practices for Electronic Use Policies
Defining Rights and Establishing Control to Protect Your Firm and Clients
In this article, the authors propose best practices used to establish acceptable use policies (AUP). These AUPs define rights and establish controls that protect the firm and client information.
Companies protecting their interests with respect to digital technology in the workplace (i.e., internet, e-mail, computers, and smartphones) must develop, implement, and uniformly enforce acceptable use policies (AUP).Â An AUP, also referred to as an electronic use policy, or fair use policy, is a set of rules applied by the owner, creator, and/or administrator of the digital technology that restricts the ways in which that technology may be used and sets guidelines as to how it should be used.
The policies should be clearly articulated in the companyâ€™s employee handbook (and/or on the companyâ€™s intranet) and should be provided to employees at the onset of their employment and periodically throughout their continued employment.Â Employees should also be required to sign a specific acknowledgment that they have been provided with the policies, have reviewed them, are familiar with them, and agree to adhere to them during their employment.Â This process may be performed annually or on a scheduled basis, ensuring that all employees are continually aware of the policies and not just at the onset of employment. Â If the policies change, employees should be provided the updated version and should be required to sign a specific acknowledgment that they have been provided with the policies, have reviewed them, are familiar with them, and agree to adhere to them.
Generally, an AUP should address the categories below.Â Specific examples of policies are provided in each category, which may assist in fashioning your organizationâ€™s AUP.Â These policies should be customized to directly address the intricacies of your specific organization.Â It is good practice to involve Information Technology personnel in development of this policy and is extremely important to have the policy reviewed by qualified legal counsel to ensure that the policy does not violate federal or state laws.
- Ownership:Â The policy should clearly articulate that any computers and personal electronic devices issued by the company or paid for by the company belong to the company and not the individual using them.Â The policy should also explain that the electronic use policy sets minimum standards and that the company may supplement or revise the policy as needed to comply with applicable state and federal laws and with changes to applicable technology.Â Examples of ownership issues to address include:
- Whether employees may use personal devices for business purposes without express written authority.
- No programs or software should be installed on company computers without approval, specifically including, but not limited to: data sharing and backup programs like Dropbox or Mozy, remote access programs like GoToMyPC or LogMeIn, or chat programs like Skype or Facebook Messenger.
- Purpose:Â The policy should explain that the companyâ€™s electronic communication systems (i.e., e-mail and internet access) facilitate the companyâ€™s business and are to be used primarily for work purposes. Â The policy should also explain that while incidental use of the companyâ€™s e-mail or internet for personal reasons is permitted, it must not interfere with the userâ€™s productivity at work, adversely affect the companyâ€™s computer system, put company systems and data at risk, or violate any company policy or applicable law.Â Specific examples of other statements to consider including in this section of the AUP include:
- No games should be installed on company computers.
- Company computers and other devices are for company business only; no other business or personal affairs may be performed on company computers, up to and including, â€śside businessesâ€ť or moonlighting.
- Privacy: The AUP should further explain that while occasional personal use of the companyâ€™s e-mail and internet system is permitted, the employee has no expectation of privacy with respect to their activity on such systems.Â Furthermore, the AUPâ€™s privacy statement should expressly state that the employee may be required to disclose his or her passwords associated with their computer, personal devices, and any e-mail accounts or websites accessed at work or through company issued devices. Â Additionally, the following items should also be addressed in the privacy section of the AUP:
- Keyloggers, monitoring software may be used.
- All data stored on systems is subject to review and/or removal.
- No personal information should be stored on company computers. Any information stored on the company computers, networks, servers, or other corporate devices is considered to be company property.
- Employee understands that passwords are private and not to be shared. If you believe that you have someone elseâ€™s password or that someone else has your password, you should immediately notify the party responsible for changing passwords in your organization.
- Passwords for computer, network, and any external sites used in connection with the company should not be written down and/or stored in proximity to the computer.
- If any device with company data is lost or stolen, it must be reported immediately.
- Confidentiality and Non-Removal: An effective AUP should also address the proprietary and confidential nature of information transmitted on the companyâ€™s network/systems and inform employees that they may not transmit, copy, or remove data, hardware, sensitive files, or software without authorization from the company.Â The AUP should specifically address the following:
- Users may not copy/transmit or otherwise capture proprietary information from the company including proprietary files, intellectual property, client databases/contact lists, financial information, trade secrets, etc.
- All company data should be treated as unique and proprietary; not to be disseminated to any other parties or taken for use anywhere else.
- All data created on company systems and/or on company time is property of the company.
- No company data should be put in any cloud environment without prior written approval.
- Prohibited Conduct: The policy must also clearly indicate which activities are strictly prohibited.Â For example:
- No checking/downloading of personal e-mail on company devices.
- No streaming music or video sites or other â€śsocialâ€ť networking sites without express written permission. Including YouTube, Facebook, chat programs, etc.
- The company prohibits employees from:
-Accessing, saving, or transmitting information with sexually explicit content.
-Illegally uploading or downloading copyright protected information.
-Using company systems to transmit fraudulent, threatening, defamatory, harassing, and/or discriminatory messages.
- The policy should expressly prohibit employees from using smart phones or personal devices while driving or performing any dangerous activities while on company time.
- Social Media: Electronic use policies should also address whether, and to what extent, employees may represent the company on social media.Â Such policies must be carefully drafted and must not interfere with employee rights with respect to the First Amendment and the National Labor Relations Act.Â For example:
- Only designated personnel are allowed to represent the company on social media, to include: mass e-mail programs such as Constant Contact, as well as social media applications such as Facebook and LinkedIn.
- No employee shall post company information, allude to future events or things that may be coming soon, or otherwise disseminate any information that is not already public knowledge without express written consent.
- Violations: An effective policy also indicates the penalty for violating the companyâ€™s rules with respect to technology.Â For example, by stating that violations of the policy will result in discipline, up to and including termination.Â Additionally, effective policies should provide:
- If, at any point, the employee believes that they may have violated any of the above policies, the employee must notify the proper personnel (the proper personnel should be defined clearly for your specific organization).
- If, at any point, the employee believes that someone else has violated any of the above policies, the employee must notify the proper personnel (the proper personnel should be defined clearly for your specific organization).
Karl Epps is a partner and the Director of Information Technology and Digital Forensics at Epps Forensics Consulting PLLC. Mr. Epps provides digital forensic services nationwide in cases where former employees and employers have a dispute; wrongful termination, intellectual property theft, and destruction of information are common issues. Mr. Epps also provides network security reviews (including reviewing policies such as these) and a wide range of computer support and technical consulting services.
Mr. Karl Epps, EnCE, CEH, CCFE, CHFI, CCPA, Epps Forensic Consulting PLLC, can be reached at: (602) 463-5544 or by e-mail to: email@example.com.
Juliet S. Burgess is an attorney specializing in employment law and commercial litigation. Her practice involves counseling clients on issues relating to technology, paid time off, non-competition, non-disclosure and non-solicitation agreements, employment discrimination, sexual harassment, hiring and termination, the Family Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), the Fair Labor Standards Act (FLSA), and state wage and hour claims. She graduated from the University of Arizona, cum laude (â€™00), the Washington College of Law at American University, cum laude (â€™04), and Southwest Super LawyersÂ© recognized her as a Rising Star (â€™12 and â€™13).
Ms. Juliet S. Burgess, Esq., Burgess Law, LLC, can be reached at: (480) 277-0284 or by e-mail to: firstname.lastname@example.org.