In today’s electronic age, more and more business is being conducted via the computer and the Internet. Employees often rely on information technologies, like computer, email, Internet, Intranet, and voicemail, to complete their tasks. The proliferation of such electronic and technological devices has led to a number of new concerns for employers, such as employee misuse of company resources, employer liability for employee misconduct over email or the Internet, and misappropriation of company property and trade secrets. There is no question that employers have the right to protect their business equipment and to ensure that their systems are used for appropriate purposes. However, they must do so in a way that does not infringe unduly on the privacy rights of employees. A well-crafted information systems policy is an essential tool in protecting company assets and shielding an employer from liability.
Every employer that has one or more employees who rely significantly on information technologies in the performance of his/her duties should adopt an information systems policy. Such policies may be called “[company name] Information Systems” or “Acceptable Practices for Computers, Internet, Electronic Mail, Voicemail and Phones.” At a minimum, an effective policy must:
A thorough information systems policy can be extensive, although not all provisions may be necessary for all employers. Employers may wish to embody the policy in a document separate and apart from the employee handbook because of its length. Employers electing this option should still include a brief reference to the policy in the handbook, to remind employees of the policy’s applicability.
As technologies continue to change and evolve, employers may find it necessary to revise their information systems policy periodically. The policy should specify its effective date so it will be clear in the future which iteration of the policy controlled at any given time.
This can be accomplished by inserting “Effective [month] [year]” below the title.
To prevent the dissemination of company records, data, trade secrets, and other proprietary information over the Internet or through email, employers should specifically designate all such information as confidential.
It is often helpful for employers to include an introduction or policy statement at the outset of the policy. This provision also can be used to preserve the employer’s discretion to modify or revise the policy at any time.
Employees are generally unsuccessful in bringing lawsuits for invasion of privacy based on an employer’s monitoring of their email or voicemail. This is particularly true where the employer has a written policy that puts employees on notice that its systems are for business purposes only and will be subject to monitoring. The central question is whether the employee can claim a “reasonable expectation of privacy” in the material that was monitored. No expectation of privacy will exist regarding computers or voicemail if the employees were sufficiently apprised of the employer’s right to monitor those areas.
It is advisable that employers define for employees what constitutes appropriate and inappropriate use of its information systems. Many unfortunate incidents involving the Internet or email are not the result of intentional misconduct on the part of employees, but rather are due to a lapse in judgment or a failure to consider the potential consequences of an action.
Employers may wish to prohibit any personal use of its information systems by employees. As a practical matter, however, employees almost always use the computer and phone systems for some type of personal activity while at work. Rather than try (futilely) to prevent such personal use, employers are better served by defining the parameters for their employees’ use of information systems for personal reasons.
For those employers with widespread use of electronic mail in their businesses, a policy such as the sample policy may be highly advisable from a legal standpoint. More and more courts have begun to find that email messages stored in internal computer systems are business records subject to disclosure during criminal investigations or civil proceedings. Some courts also have allowed email messages to be introduced at trial as evidence of discriminatory intent in discrimination lawsuits. What may one day be viewed as a purely innocuous joke sent by email, may another day be presented as a plaintiff’s smoking‑gun evidence at trial. Thus, employers should make appropriate efforts to control the content of email messages.
Despite employee claims of privacy, courts have recognized an employer’s right to access email messages – even those sent in confidence – within the employer’s own computer system. Employers therefore should put employees on notice that their email messages may be monitored and make reasonable efforts to ensure that use of electronic mail is not abused, including prompt and thorough investigation of employee complaints of policy violations.
Employers should pay attention to emoji use in the workplace for more reasons than employees’ potential reliance on them in a harassment or hostile work environment claim. Human resource professionals observe anecdotally that emojis and other digital communications in the workplace can impact relationships, lead to morale issues and prompt internal complaints, even if those complaints never reach a courthouse.
Part of what makes emojis so prone to misunderstandings and hurt feelings is that, in the digital world, everyday symbols take on new meaning. A peach is not just fruit, an eggplant is not only a vegetable, an octopus may be a request for a virtual hug, and a devil emoji may signify a desire to engage in sexual activity. These double entendres, coupled with the fact that a single workplace often includes employees from vastly different backgrounds, including different cultures and generations, can lead to ambiguous messages, misunderstandings and conflict. Emojis and other digital tools are not simply a Gen-Z or millennial problem but pervasive in instant messaging platforms that have become commonplace during the COVID-19 pandemic.
Employers can periodically review their employee handbooks to ensure the policies contained in them adequately account for the day and age in which they are doing business. For example, policies concerning professionalism and communication can address not just traditional forms of communication but also more recent developments, including the use of emojis. Because COVID-19 has greatly impacted the way individuals think of “work,” and more employees work remotely than ever before, it is important that employers provide training that makes clear that the same rules that apply within the confines of the traditional office apply equally to employees working remotely. As part of a company’s training with respect to emojis, it should point out the special dangers of ambiguity and misinterpretation that emojis carry and the need for carefully avoiding communications that could be interpreted as insulting or racially or sexually harassing.
Regular training and e-mail blasts reminding employees of key company policies are also helpful tools. Employers might also consider partnering with their third-party vendors to restrict the types of emojis that may be used in chat platforms, offering a customized array of choices that excludes some of the most controversial ones.
With nearly all employees having access to the Internet and the fact that it is now a primary mode of communication for many, it is important for employers to address the use of this media in and outside of the workplace. It is important for employers to define how social media should be used if the employer is referenced, such as on Facebook, Twitter, or LinkedIn. The proposed policy can be tailored to the specific needs and conditions of the employer and should be reviewed with all employees when it is implemented.
Voicemail is often an overlooked aspect of an employer’s information systems. However, voicemail is also an important device for communicating with customers, clients, suppliers, and other business associates.
Cellphone use in the workplace has become a growing concern for many employers. In an effort to minimize problems created by the use of cellphones, employers may want to have a written policy addressing the use of both personal and company-issued cellphones – during work hours and afterwards.
Employers should make it clear that all information contained in their information systems are property of the company, including materials the employees may download or upload for personal use. This clarification will prevent disputes over the ownership of data, files and programs upon an employee’s separation from employment.
An information security provision is designed to protect a company’s physical assets from harm (such as from viruses), as well as to protect against the theft of its data or information.
It is a common misconception that, once a file has been deleted, it is no longer accessible on the computer. In truth, files can be retrieved by experts even months after they were “deleted.” Employees should be alerted to the longevity of their messages.
If employees will be accessing the computer or voicemail systems from home or while traveling, the computer use policy should present guidelines for remote access.
The Illinois Biometric Privacy Act requires that businesses must receive written consent from employees, prospective employees or other individuals before collecting biometric information such as, fingerprints, retina scan and facial geometry scans (which could include photographic identification). In addition, businesses are required to disclose their policies for usage and retention. Companies that collect such information should be well versed in this law as two recent rulings have found that an individual does not have to prove that he or she suffered any adverse actions based upon a company's handling of biometric information, but merely needs to show that the company did not follow the requirements of the law. Specifically, the law requires:
Under the federal Electronic Communications Privacy Act (ECPA), employers may be liable to employees for intercepting their email correspondence unless they have obtained the employee’s consent to monitoring. Thus, and as mentioned in previous sections, it is of paramount importance that each employee who will be using the employer’s information systems consent in writing to the employer’s right to monitor his/her activity. It is equally important that employees acknowledge, in writing, their agreement to abide by the other provisions of the employer’s information systems policy. For instance, the federal Computer Fraud and Abuse Act (CFAA) creates a private right of action for an employer who suffers damage due to an employee’s illegal use of its computers for commercial advantage. The key question under the CFAA is whether the employee exceeded his or her authority in accessing the protected information, which can be determined by reference to the policy’s provisions. To ensure there is no dispute regarding the employees’ understanding of the policy, the employees should separately initial and acknowledge each provision of the policy.