What Employers Using Technology Should Include in their Employee Handbook and Acceptable Use Policies
Technology Creates Hidden Problems for Businesses With Employees.
It is nearly impossible to run a business without using technology and having access to email and the Internet. You may even employ cloud computing, software-as-a-service (SaaS), and social networks like Facebook and Twitter so you can be more productive and increase your business visibility. Be careful — implementing technology in your business can create challenges and potential liability!
I am often asked what should be included in an employee manual or acceptable use policy. Employers should consider adding an acceptable use policy (AUP) to their employee handbook. (No company is too small to have an employee handbook — it sets out the “rules of the road” of the company’s expectations of its employees’ conduct, protecting company trade secrets and confidential information, and explaining human resource matters, vacation policies, prohibition on sexual harassment, and more.)
- The acceptable use policy sets forth the expectations of what is the acceptable use of the company’s technology — from the computers and fax machines, to the use of the Internet and email. It also should address computer security, copyright infringement and defamation/slander.
- The AUP should be written in a way that protects the company from rogue employees while also protecting the employees’ right to free speech and privacy. Many companies are concerned with their employees’ use of the internet (and go so far as to install monitoring and filtering software or appliances, which may not be appropriate for your company). At the end of the day, the AUP should protect the company’s best interests.
Consider the following that you may want to address in your AUP:
- Do you have a valid business reason to monitor your employee activities?
- Is there certain company information that needs to be protected or kept confidential?
- Can you identify which employees have a “need to know” for sensitive data?
- What measures does your company have in place to address disaster recovery, back-up and physical and network security (data encryption, password policies, etc.)?
With respect to your employees’ privacy, email and internet activity may generally be monitored for valid business purposes (note that each state may have its own privacy laws). So, subject to your state’s laws, it is recommended that your employees consent in writing to having their email and internet activities monitored. The consent might also include procedures for when you may disclose email data files to third parties (e.g., as required by law or pursuant to a court order).
Employee Internet Access
Your employees probably need internet access to support their job functions, but their use for non-job-related activity can expose your company to liability.
- It is wise to prohibit employees from accessing porn or adult web sites in your AUP (or use filtering mechanisms). If an employee visits a porn site from the workplace, then your company might be found guilty of facilitating a “hostile work environment” under sexual harassment laws. A forensic expert could find the porn sites’ “cookies” on the hard drive that could be used as evidence in a sexual harassment or employment discrimination lawsuit. Internet use should be limited to company-related activities.
An E-Mail Is Not Like A Phone Conversation
People need to treat their e-mail messages more like a written letter than a phone conversation. You need to keep in mind that an email message can be permanently stored (and can haunt you later if retrieved for litigation) and can be easily disseminated with a press of the “forward” button. As seen all too often on the nightly news, e-mail and text messages have contained the most damning evidence in sexual harassment and employment discrimination lawsuits.
The email AUP needs to:
- prohibit email messages that contain any type of offensive, harassing, fraudulent, defamatory, or otherwise illegal language. Perhaps employees should get a personal email address outside of work (like Gmail), and you should decide whether your company wants to permit the use of work computers for an employee’s occasional sending or receiving of personal email during work hours.
- address company confidential information, trade secrets and communications of client information (you might prohibit any transmission of same unless using encryption technology). Also, your company may be governed by federal or state privacy laws like HIPAA or Gramm-Leach-Bliley, which govern the use and disclosure of personally identifiable information.
- address downloading of email attachments (virus risks, copyright issues, etc.)
Lastly, you should consider including in the AUP possible disciplinary actions which may be brought against an employee in the event the AUP is violated (perhaps ranging from a warning, to loss of Internet, or even termination).