Corporate computers and information and communications systems (collectively, “electronic resources”) remain the workhorse for most businesses, even as alternatives, such as third-party text messaging services, external social media, and cloud computing, flourish. Employees rely on corporate electronic resources for e-mail, calendaring, business contacts, Internet access, document creation and storage, and a multitude of other business applications. Consequently, for employers, it is critical to establish and maintain their right to inspect all information stored on, and to monitor all communications transmitted by, corporate electronic resources. The corporate acceptable use policy is the linchpin of that effort.
Preparing an acceptable use policy is far more challenging today than it was just a few years ago. Simply invoking the mantra, "employees have no expectation of privacy," as some employers have done in the past, will not suffice. Recent technology developments, new laws and regulations, and novel judicial precedent have exposed employers to litigation for inspecting information stored on, and monitoring communications transmitted by, their own electronic resources.
The ten tips below are intended to aid employers who either want to implement an acceptable use policy for the first time, or who need to update their policy. These ten tips are not a comprehensive list of every point that should be addressed in an acceptable use policy. Rather, they are designed to help employers avoid some common pitfalls.
- Define The Policy’s Scope. An acceptable use policy should inform employees at the outset of the systems, devices, information, and communications that fall within the policy’s scope. Given the proliferation of corporate computing and communications platforms, an employer may need to conduct a careful inventory to confirm that the policy’s scope has been comprehensively defined. Systems that might be overlooked include, for example, corporate text messaging, voice-mail, internal social media platforms, and corporate cloud computing accounts.
- Analyze The Policy’s Application To Personal Devices. As employees increasingly turn to personal mobile devices to conduct their employers’ business, employers need to carefully consider whether they can effectively incorporate those devices into an acceptable use policy, or whether they should address them in a separate policy. Personal devices raise two distinct challenges for employers. First, because employees own the devices, employers cannot access them without the employee’s consent and, relatedly, employees generally do have a reasonable expectation of privacy in their personal device vis-à-vis the employer. Second, information stored on, and communications transmitted by, a personal device generally do not “touch” corporate electronic resources unless the employer and employee make configuration adjustments to permit interconnection. Employers can condition such configuration adjustments on the employee’s consent to inspection and monitoring of the personal device as described in the acceptable use policy. Even then, a separate policy may still be necessary to address personal devices. For example, a bring-your-own-device (BYOD) policy typically addresses issues that do not fit in a corporate acceptable use policy, such as reimbursement of expenses associated with the personal device, servicing of the personal device by third parties, and the employer’s installation of security controls on the personal device.
- Establish The Business Purpose For Providing Corporate Electronic Resources. An acceptable use policy should inform employees that the employer is providing the electronic resources only to advance the employer’s business interests. When employees use corporate electronic resources, they must conduct themselves in an ethical and lawful manner and in accordance with all relevant company policies. The acceptable use policy should also notify employees that they are responsible for their use of electronic resources and will be held accountable for all use of their corporate account. Finally, employees should be reminded to compose communications transmitted by corporate electronic resources with the same formality and professionalism that they apply to any other form of business communication.
- Define The Permissible Parameters For Non-Business Use. Because prohibitions against non-business use of corporate electronic resources will virtually always be honored in the breach, employers generally are better off establishing specific rules for non-business use of those resources. These rules can include the following: (a) non-business use must be limited and cannot interfere with anyone’s productivity; (b) non-business use is not private and is subject to monitoring; (c) non-business use must comply with all relevant company policies; and (d) any non-business information will be deleted from corporate electronic resources at any time in the employer’s discretion. Employers also should consider addressing whether employees may access personal social media using corporate electronic resources and, if permitted, refer them to the corporate social media policy for more detail.
- Preserve The Company’s Right To Inspect And Monitor. Under U.S. law, employers generally are presumed to have the right to inspect all information stored on, and to monitor all communications transmitted by, their own corporate resources. The acceptable use policy should unequivocally express the employer’s intention to exercise those rights by stating that (1) all information stored on, and communications transmitted by, corporate electronic resources are the employer’s property; (2) employees should not expect any information or communication to be private vis-à-vis the employer; (3) the employer will, in its discretion, inspect any information stored on, and monitor any communication transmitted by, corporate electronic resources; and (4) neither the employer’s failure to exercise its rights with respect to any information or communication nor any statement by any employee (except a written statement by a designated senior executive) modifies these rights in any way.
- Provide Specific Notice Of Any Real-Time Monitoring. Employers should carefully select monitoring technology and fully understand its capabilities before implementing it. Employers generally have the right under federal and state anti-wiretap laws to review any information in storage on their own electronic resources. However, when the monitoring technology effectuates an “interception” of an electronic communication, such as e-mail, i.e., acquires the content of the communication in transit, anti-wiretap laws may apply. By way of illustration, one appellate court has held that activating an e-mail auto-forwarding feature, without the intended recipient’s consent, to forward a duplicate copy of e-mail to someone other than the intended recipient results in an interception in violation of federal anti-wiretap law. Such monitoring would be lawful in most states with the prior informed consent of at least one party to the communication, and in a minority of states, with the prior consent of all parties to the communication. Because the wiretap laws are highly technical criminal statutes and often permit recovery of civil damages, employers should consider implementing only monitoring technology that does not intercept electronic communications in real time, or if there is a business need for real-time monitoring, consulting legal counsel before implementing the technology. Legal counsel can work with the employer to develop language for inclusion in the acceptable use policy and in the disclaimer commonly placed at the end of sent e-mail and also to prepare other notices that can be used to obtain consent of employees and other individuals subject to real-time monitoring.
- Analyze The Application Of Non-U.S. Privacy Laws. Technology has made it easier for small and mid-sized businesses to employ personnel outside the U.S. These non-U.S. employees may have very different expectations and more legal rights regarding their use of corporate electronic resources. In France, for example, employees have the right to use their employers’ electronic resources for private and personal communications in certain circumstances regardless of what the employer states in its acceptable use policy. Consequently, U.S. employers who use monitoring technology outside the U.S. may need to modify certain provisions of their U.S.-centric acceptable use policy before implementing it in a foreign country.
- Prohibited Conduct. The acceptable use policy should include a non-exclusive list of prohibited conduct. The types of conduct commonly included on this list include the following: (a) unauthorized access to, and disclosure of, confidential business information; (b) discrimination or harassment based on any legally protected characteristic; (c) viewing sexually explicit material; (d) unauthorized downloading of software or copyrighted material; (e) sending or receiving malicious code; (f) falsifying identity by using another employee’s e-mail account; (g) using peer-to-peer filesharing software; (h) sending bulk or chain e-mail; and (i) game playing and gambling.
- Restrictions On Solicitations. The National Labor Relations Board (NLRB) currently is considering a case that could have a substantial impact on employers’ ability to prevent employees from using corporate electronic resources to engage in union organizing and other protected labor activity. Under current law, employers cannot specifically prohibit use of their electronic resources for union organizing or other protected labor activities, but they can establish broad restrictions on solicitation that have the incidental effect of restricting union-related activities. For example, employers can prohibit employees from using corporate electronic resources to solicit for, or engage in other activities on behalf of, any outside business venture, political campaign, religious group, or membership organization. Employers who choose to take an approach like this one are required to enforce the policy in a way that does not discriminate against union and other protected labor activity.
- Refer To The Acceptable Use Policy In A Log-In Banner. The acceptable use policy is designed to notify employees and other users of corporate electronic resources of the “rules of the road” when using corporate electronic resources. Employers can use a log-in banner to increase awareness of the policy. A log-in banner is a message that appears each time a user logs into the corporate network that briefly summarizes the key elements of the acceptable use policy and provides a link to that policy for additional information.
Employers should strongly consider implementing an acceptable use policy or updating one that currently is in effect. The policy’s principal objective should be to inform employees up front about the employer’s expectations for their use of corporate electronic resources and about the employer’s ability through the use of monitoring technology and otherwise to enforce those expectations. In addition, a carefully drafted and thorough acceptable use policy can serve as a defense when an employer’s conduct with respect to its own electronic resources is challenged. Employers should keep in mind that rapid changes in user and monitoring technology and an evolving legal framework mean that the acceptable use policy should be revisited at least annually to confirm that it is accurate, comprehensive and adequately addresses recent developments.