"Safeguarding IT and Communications Systems: Or How to Stop Worrying and Love Being Big Bro," InsideCounsel

June 20, 2016

“What was on that Tweet?”

“He posted what on Instagram?”

Social media policies and employees’ online posts are top-of-mind for employers today. But while your managers are busy spying on employees on leave to see if they are truly hurt, who’s minding your systems? What policies and mechanisms do you have in place to protect your company’s valuable electronic and communications systems and the confidential and proprietary information in them?

This article is a tool for management and in-house counsel to guide a conversation with their IT team about effective and practical policies a company can adopt to protect its systems and data. 

Having policies in place and enforcing them achieves two key things: (1) employees are on put notice of what is and is not acceptable; and (2) a standard in litigation for how your systems are used and monitored is established. 

Think Different

The pens and paper in your office are there for company use. Sure, on occasion an employee may print a school form for his child at work and fax it from the office. If, however, an employee took a few pens and a ream of paper home every month for his child’s homework use, you would likely consider that theft of company resources.

For some reason, however, many employers do not consider employees’ excessive use of electronic resources to be improper even though the costs and risks associated with abuse of electronics are significantly greater than the $10 a ream of paper costs. 

Some of those costs and risks include: paying employees for time that they are not really working, maintenance for frequently used equipment, the replacement of such equipment, repairs due to viruses that entered through personal emails or downloads of unauthorized programs, subjecting your company to third-party subpoenas for your employees’ emails and electronic files (particularly in employees’ highly contested divorce matters), damage to company equipment off-site, and potential civil and criminal liability associated with the improper acquisition, use or deletion of third-party property, copyrights, trademarks or other intellectual property.

In other words, strong IT and communications systems policies are as important as the lock on your front door.

Oh Big Brother!

To be effective, IT policies need to be very specific about the consequences of abuse and misuse of company electronic resources. Even if an IT and systems policy warns employees that, for example, downloading an unauthorized program “may result in discipline, up to and including termination,” that may not be a sufficient deterrent. Employees may be tempted to test the limits (“what are the odds I will be caught?”). But if the employee understands, through a strongly worded, no-expectation-of-privacy policy, that their systems, devices and communications are subject to recurrent or even random searches, they will be more careful with what they download or write in an email (tweet, instant message, text, social media post, etc.). 

Your policies should therefore clearly set forth that your IT resources and communications systems are the property of the company and that employees may not have any expectation of privacy whatsoever in any message, file, telephone conversation, online purchase, web browsing activity or social media post posted from, transmitted to, received or printed from, or stored on the company's electronic information and communications systems. 

The policy should also specifically reserve the company’s right to monitor, intercept and review, without any notice, every employees’ activities using the company's IT resources and communications systems. Another aspect that should be clear in such a policy is that all covered data, devices and communications are subject to discovery in any litigation involving the company or the employee herself.

Moreover, the policy should explain the scope of the systems and communications that it covers. Some employees may understand that the company can monitor their computers, for example, but may believe that their work cellphones or texts are “personal.” Make sure the policy clearly defines what systems, devices and communications are subject to the policy, including email accounts (encourage employees to have private Web mail accounts for personal communications), internet, intranet, telephone calls and texts (office and mobile), voicemails, printers, scanners, copiers, faxes, computers, tablets, storage devices like USB drives, closed-circuit TV’s and other security systems. In addition, the policy should state whether it covers electronic measures that can track offline behavior, such as key fobs and electronic entry ways that record arrival and departure times (to see if someone is really getting to the office as early as they claim) or GPS on company vehicles or devices.

While it is important to protect your systems, it is also important not to issue unrealistic policies that are impractical and that you will not enforce. From the litigation standpoint, it is very hard to justify to a judge that an employee was properly terminated for violating a policy in the handbook, when you have other policies there that you don’t uniformly enforce. Recognize that employees will use your systems for personal matters, acknowledge that in the policy, and ask that such use be reasonably limited. 

Sounds geek to me

To be truly effective, however, the policies should cover both employee behavior and the physical access to and use of your systems. Talk to your IT team to determine what type, if any, of “endpoint security” you have. Endpoint security is in essence the overall scheme that a company uses to protect its systems. It may include things like sophisticated malware protection on a server that works jointly with software on each user's machine or a web-hosted system that combines software on a PC with remote monitoring. 

Some of the things that can be monitored or tracked with these systems include profane/racist words, visits to online shopping sites, porn, program downloads, time spent on games, and the download/sharing of massive amounts of data (which could relate to the improper taking of proprietary information). The company can physically have someone randomly monitor employees or flagged content, or have the system issue a month-end report to track your employees’ on-line or system activities. Because the purpose of this monitoring involves employee relations and discipline, bring an HR partner to the table to make sure that the security protocols focus on priorities and concerns from the HR perspective, that they do not raise discrimination or retaliation concerns, and that they will result in data with which HR can work. 

In addition to monitoring, other endpoint security considerations are the control of access to systems. Ideally, a company has the ability to completely control employee access to systems (for example, making it impossible to connect a USB drive or to download files from the internet) and to suspend or terminate access in cases of misuse or upon termination, especially remotely. 

Further, the IT team should have complete control of the creation, format and scheduled changes of passwords, via protocols running through the network that prompt for changes and require (and prohibit) certain combinations of characters. No employee should be allowed to use a user name, pass code, password or method of encryption that has not been issued to that employee or created in accordance with the company’s stated protocols.  

Who’s the man in the machine?

IT resources and communications systems policy should identify the department or individual that employees can contact with respect to violations or suspect violations of the policy. Generally, this should be someone in the human resources department. Such suspected violations can often be investigated using the same mechanisms in place for other workplace complaints. Further, the discipline related to any violation needs to be managed in accordance with the company’s disciplinary policies and precedent.

The IT resources and communications systems policy is also a good place to identify who is responsible for IT issues, concerns, and needs, and who does (and does not) have “administrator rights” to make changes on individual devices. To the extent practical, all technical issues should flow through one person or system to identify recurring issues and prioritize the company’s needs.   

Resist cut-and-paste temptations

Don’t make IT and systems policies unwieldy by repeating, sometimes just partially, your other workplace policies. Instead, simply state that all other company policies apply in full to the use of your systems, including your social media policy, anti-discrimination and anti-harassment policy, ethics policy, confidential information policy, etc. Those policies are important and substantial and you do not want employees to rely on a watered down version of them–you need them to reference that other policy fully.

And then there’s the NLRB

Make sure to include the all-important, Section 7 NLRA disclaimer on how nothing in the policy is intended to preclude or dissuade employees from engaging in activities protected by state or federal law, including the National Labor Relations Act…. You think understanding endpoint security was tough? Wait until you ask your HR department about Section 7 rights; it’s all binary code to us.

Reprinted with permission from the June 20, 2016, edition of the InsideCounsel© 2016 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877.257.3382 or reprints@alm.com.

‹ Publications