An acceptable use policy is a
“[a] document that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before users can gain access to a network or the Internet.”
“set of rules applied by many transit networks which restrict the ways in which the network may be used. Acceptable use policies are used by concerns and companies with a large user base and multiple computers, delimiting what is and is not permitted for use of the computers. Most providers of services on the Internet include an acceptable use policy as one of the key provisions of their terms and conditions.”
While many corporate employees need access to and use of the company’s computer system and/or the Internet to do their jobs, their use of these systems could create potential legal problems for their employer. A comprehensive corporate acceptable use policy concerning the use of online services and e-mail is an important first step in protecting the company from potential liability. However, a written policy is of limited value unless it is accompanied by an educational program to instill in its employees the corporate values relating to confidentiality, mutual respect and appropriate conduct. Finally, the company needs a specific policy on monitoring online activities of employees and strong procedures to deal with any violations of the corporate policy.
While the tone of a written Internet usage policy should reflect the corporate culture of the organization, the policy statement should contain at least the following:
- Limit personal use of corporate accounts.
- Limit discussions of the employer and its business.
- Limit the disclosure or transmission of confidential materials.
- Affirm the employer's right to monitor e-mail/online usage.
- Prohibit access to or the display of illegal or objectionable materials.
- Prohibit any communications online that would be illegal if communicated orally or in written form.
- Prohibit downloading of copyrighted materials (particularly computer software).
- Encourage reporting of improper conduct.
A well-written corporate policy on Internet and e-mail usage needs to be supplemented by an educational program to explain to employees the risks as well as the rewards of using online services. Many companies already have educational programs to train managers and others in such areas as sexual harassment, discrimination and the like. These programs should be reviewed to determine whether they address online issues, and if not, modified accordingly.
For an organization to defend itself against a claim, it is important to show that the organization made a reasonable effort to police its employees' conduct. Certainly if the company does no monitoring and makes no effort to enforce its written Internet use policy, it will have no defense to a claim that an employee violated a third party's rights.
To assist companies in preventing employees from accessing improper content, numerous software vendors offer filtering software, which prevents access to certain identified websites and user groups. This software was originally developed to help parents prevent their children from accessing pornography online, but has been revised and expanded for the corporate environment. There is also software available that can monitor e-mail messages for the use of certain objectionable words or potentially dangerous e-mail attachments. These programs can supplement a good monitoring program, but should not be seen as a replacement for it.
All of the policies in the world will not protect the company if the company fails to enforce those policies. As with any other employee policy, the company must take immediate steps to deal with any violations of the established Internet usage policy.
While many organizations carefully monitor what documents and other materials employees seek to remove from the workplace, far fewer monitor what information is sent from or received by the company electronically. However, a growing body of case law indicates that there are a number of areas in which an organization may face potentially enormous liability for the online activities of its employees: confidentiality and trade secrets, defamation, sexual harassment, hostile work environment, and racial discrimination.
While a company cannot pull the plug on its connection to the Internet, nor can it monitor all communications taking place online, it can take reasonable steps to lower the risk that the company will be held liable for the improper (and sometimes illegal) conduct of its employees. These steps include the development of a comprehensive written corporate policy on proper Internet usage and an educational program to train employees in what conduct is permissible and what conduct is impermissible.
- FFIEC, IT Examination Handbook Infobase, Glossary (full-text).
- Good Practice Guidance for the Providers of Social Networking Guidance and Other User Interactive Services, at 50.