By Chris Edwards
Companies need to provide clear guidelines on ICT usage to avoid financial and reputational damage and ensure ICT systems operate efficiently
The ubiquitous nature of information communications technology in the modern work environment has proved to be both a blessing and a curse for companies. The advantages provided by the internet, emails and instant messaging are tempered with the risks that such functionality can bring when used improperly by employees.
Numerous examples exist of companies paying the price for misuse of ICT by their employees. In the United States it has been reported that by 2007, 27 per cent of Fortune 500 companies had dealt with claims stemming from employee misuse and abuse of corporate email and internet systems. For example, Chevron Corp. settled with four employees for $2.2 million after offensive messages had been sent to them by co-workers using its internal email system.
In order to avoid financial and reputational damage and ensure ICT systems operate efficiently, companies need to provide their employees with clearly worded and comprehensive policies which mark the boundaries of acceptable usage of company-owned ICT.
In this article, we highlight some of the key issues and offer some practical guidance for companies who are seeking to either create an ICT usage policy or perhaps ensure an existing policy meets best practice.
Scope of Use
A policy should seek to specifically define the type of behaviour, in relation to ICT, which is strictly prohibited. At a minimum, this should include:
use for illegal purposes; threatening, intimidating or harassing other employees; storage and distribution of unlicensed copyright material; introduction of viruses/trojan horses; creating and/or distributing offensive content; unauthorised access to ICT; unauthorised distribution of confidential information via ICT systems.
A policy should also provide as much guidance as possible on the scope of what may be acceptable. Areas often covered include:
the use of storage devices with company ICT; downloading of content from the internet; express rules relating to certain websites (e.g. personal blogs/social networking/p2p sites).
In addition, the company needs to ensure a policy co-exists with relevant employment and business rules/regulations.
Many employers have realised that personal internet and email usage is now an accepted part of the modern working environment. Therefore, companies often seek to define specifically what they deem to be acceptable personal usage, e.g. "The Employee may make reasonable personal use of the Company's ICT provided it does not interfere with the Employee's duties (e.g. personal usage up to 30 minutes at lunchtimes is unlikely to be deemed excessive or interfering with duties)." In any such clause, it needs to be made clear that personal use of ICT remains at the sole discretion of the company. The principle is that such use is a privilege rather than a right.
A policy should be clear that the company does not give any guarantee of "privacy" and that the employee should not have any expectation of privacy regarding his/her use of company owned ICT, including in relation to their personal use. Employees often wrongly assume that personal use of a company's ICT systems is private. Further, employees need to be aware that any content created during the course of their employment belongs to the company (subject to applicable local laws). For example, many policies state that, "all electronic information created, stored, sent or received by the Employee using the Company's ICT is the property of the Company."
A company will need to review its own culture and internal systems before deciding on whether to monitor its employees' usage of ICT. It is critically important that companies seek local legal advice on the issue of monitoring in their respective jurisdiction. In the UK, for example, a company is only allowed to monitor its employees' usage of ICT where there are legitimate reasons and the means used are proportionate to the objectives of the monitoring.
It is prudent for all companies to obtain an employee's express consent before any monitoring occurs. A policy should clearly state that the company reserves its right to conduct routine monitoring and have the ability to intercept, read, review, delete and/or access all messages and computer files on an employee's ICT system (so far as in accordance with local law).
A policy should be drafted to ensure it covers the full range of potential users (including employees, part-time workers, subcontractors and customers) who may come into contact with and use company ICT. A policy should also seek to be "technology neutral" in order to capture the different technologies which comprise ICT and its evolving nature so as to avoid the need for continual revision upon the introduction of new company ICT.
A policy should be "visible" to employees at all times. Policies are often distributed with employment contracts requiring an employee's signature, available through a prominent weblink on a company's intranet site or through the provision to employees of staff handbooks. Different language versions of the policy should also be provided where applicable. Companies may also consider providing training courses to ensure employees cannot, at a later date, deny knowledge of the policy. These actions will ensure that employees are continually made aware of the scope of permitted usage of a company's ICT.
Enforcement is key to a policy being effective. The policy should set out an enforcement mechanism (triggered by a breach of the "scope of use") that could lead to loss of, or limits on, use of ICT before actual dismissal. The policy should be tied in to the company's general disciplinary procedures. In addition, a policy should state that a breach of the policy could result in civil or criminal penalties depending on the jurisdiction in question.
Proper enforcement of a procedure set out in a policy will serve to put employees on notice as to the seriousness of misusing company-owned ICT systems. A company should conduct regular reviews of a policy to ensure it remains relevant and is being adhered to.
Compliance with Law
Although common best practice principles exist, the scope of a policy is largely dictated by the applicable law in the jurisdiction in which the policy will be used. Before implementing a policy, a company should obtain specialist ICT and employment law advice to ensure a proposed policy is compliant with local law and practice. Failure to do so may result in the policy (or a part thereof) being unenforceable or even illegal.
We have outlined above some of the main elements of a policy covering employee usage of a company's ICT. In summary, a policy needs to reflect the practical reality that employees use ICT in a personal context and ensure that prohibited usage and associated penalties are accurately defined and understood.
The author, Chris Edwards, is a Legal Consultant with DLA Piper (Dubai).