The increased efficiencies and capabilities afforded by technology to today’s employer have been accompanied by a host of issues arising from the potential for improper use of that technology by employees. Indeed, many employees now have access to an unprecedented amount of confidential employer information and a relatively unregulated digital domain on their computers. They can access Internet or electronic mail content that may be inappropriate for the work environment and that may easily distract them from their jobs. Communications by email, text messages or instant messaging have replaced memos, letters, telephone conversations and even in-person conversations for many communications. Further, the ease and seeming anonymity of electronic mail can lead to harassment claims. Blogs may disclose internal company business or confidential matters and social media presents a broadly accessed outlet through which many employees may air their opinions about workplace matters. With such issues in mind, this chapter addresses some of the most serious and pressing aspects of electronic information and communication in employment.
Internet use/electronic communications policies
With all the communication devices available to employees today, employers should consider implementing an appropriate electronic communications policy. Topics that are important parts of most employers’ electronic communications policies include:
- A statement that the company’s communication systems are to be used for business-related purposes. You may include a provision that incidental and limited non-business use of communications systems is acceptable, so long as this privilege is not abused.
- Note: Be cautious about total prohibitions against non-work-related communications. Such communications can be difficult for employers to monitor and apply uniformly. If employees are allowed to make non-work-related communications on systems in violation of a total prohibition against such communications, union-related emails or postings cannot be prohibited on the same systems.
- Update your policy to specifically address new technological trends. The policy should clearly inform employees that all employee communications, including email and text messages, which are made using corporate resources, like pagers or cell phones, are not private and will be monitored by the employer. Therefore, employees have no reasonable expectation of privacy for those communications. Also instruct your managers and information technology personnel not to contradict the written policy by representing to employees that certain communications are not and will not be reviewed. At a minimum, employers should revise their electronic use policy to include a simple statement that the formal policy cannot be modified absent a revised written policy.
- Include a strong statement warning against the use of email or any other form of communication for purposes of sending, accessing or storing any material of a discriminatory, obscene or harassing nature. The policy can include a prohibition against chain letters or emails with illegal purposes.
- Address the type of information that is acceptable and appropriate for uploading and downloading onto a company computer and/or network so as to prevent virus infiltration. The policy should address use of passwords and all associated restrictions.
- Address employees’ use of company email. The policy could address what steps an employee should take if an email is inadvertently sent to a third party. Discuss the type of tone and content that is appropriate for business emails.
- Inform employees that the company has a right to inspect, review and monitor use of its computers and communication systems. Include a statement that information contained in computers, email or voice mail that is incidental or of a personal nature is not treated differently from other information. Therefore, employees should not expect that the company’s computer network or telephone system is private.
Protecting confidential information
The increase in Internet use and electronic commerce has brought new challenges to employers who seek to protect trade secret and confidential information. The increasing frequency with which confidential information is created and maintained on employer computer networks has forced employers to create new ways to better protect proprietary information. As discussed in Chapter 08: Restrictive covenants, trade secrets and intellectual property, in order for information to receive protection, the information must meet all of the following criteria:
- be a secret
- have actual or potential independent economic value because it is a secret
- the owner of the trade secret must use reasonable efforts to keep the information secret.
In order to maintain the secrecy of trade secrets and confidential information, employers should consider including the following measures in their policies and practices:
- Define and identify confidential information for employees. Employers should avoid overbroad or generic definitions and should make clear to employees what information it considers to be confidential in terms that are specific to its business operations. Where possible, employees should use electronic labels and pop-up windows to identify documents, folders and drives containing confidential information.
- Clarify who has authorization to access, use or disclose confidential information. Access to trade secret and confidential information should be limited to those who have a need for the information. Avoid policies and practices that give access to all employees.
- Use nondisclosure agreements to establish and emphasize obligations of employees with access to confidential information. Employees with access to confidential information should be instructed to keep the information a secret and should sign confidentiality agreements clearly explaining their responsibilities to maintain the secrecy of specific information. If employees are permitted to disclose confidential information, identify to whom and under what circumstances such disclosures may be made, including whether a nondisclosure agreement or a limited-use agreement should first be signed by the party to whom the employee will be disclosing the information.
- Limit distribution of usernames and passwords for those with access. Limit access to confidential information online by limiting distribution of usernames and passwords to ensure that only those employees with a need to know have access to such information. Employers should also establish a password protocol to help ensure that passwords are of sufficient complexity that they are not likely to be guessed or discovered.
- Protect the copying of confidential information. Employers should forbid or limit the downloading or copying of confidential information to hard drives and portable memory devices and prohibit or limit the practice of emailing confidential information to an employee’s personal or home email account. If downloading of data to portable drives is permitted, Employers should use encrypted data files to protect against use of such portable drives on noncompany devices.
- Identify the manner in which trade secrets and confidential information should be saved and deleted. Employers authorized to create, design or preserve trade secrets and confidential information should be provided secure formats and locations in which such information is to be saved. A network or Internet security policy should also prohibit deletion of trade secrets and confidential information without proper authorization.
- Remind employees of their obligations. In exit interviews and post-employment correspondence, remind departing employees of their continued obligation to keep company trade secrets and proprietary information confidential.
Combatting disparagement in communications on the Internet
There is always the potential that current and former employees may post unfavorable and disparaging information about an employer on websites, social media sites, chatrooms, blogs or other Internet sites. Sometimes the information posted may be confidential and proprietary company information that should not be disclosed outside the workplace.
Taking legal action to protect the company
The identity of the person who discloses such information, however, may be difficult to determine because Internet users often use an alias or pseudonym when posting comments on Internet sites. Employers who believe that the information or comments posted on an Internet site have violated their legal rights by disparaging them or revealing proprietary business information can, if they act swiftly, determine who has posted the improper comments or information in order to pursue claims against those persons. In order to learn their identity, it may be possible for the employer to file a lawsuit against an unknown person identified in the lawsuit as “John Doe.” Once the lawsuit is filed, the employer may seek information from the Internet host through a subpoena aimed at identifying the electronic address of the person who posted the offending comments. It may also be possible for the employer to issue a subpoena to the offender’s Internet service provider to learn the identity of the person who posted the data in question.
It is important for employers to act quickly to attempt to trace the origin of an offensive posting or improper email because many of the website hosts and Internet service providers retain the identifying information for a very short period of time, sometimes as short as 30 or 60 days. If the subpoena is not served within that time frame, the information may be lost. Once the employer knows the identity of the person who has posted the improper comments, the employer can determine whether the employee violated an obligation to the employer to protect confidential data, breached a duty of loyalty or made false and disparaging statements about the employer.