Work Surfers

The Internet, especially its e-mail and World Wide Web elements, has been a communications and information boon for workplaces for nearly a decade. But with it came new management issues and legal liability exposures for employers.

A key management issue is, of course, the impact on productivity wrought by employees spending hours surfing their favourite web sites or writing personal e-mails. More immediate — and potentially more expensive — problems for employers stem from employees using company internet or e-mail access in ways that break laws (be it deliberate or accidental). Employers could, for example:

be named as a co-defendant in defamation (libel or slander) lawsuits if an employee uses the company e-mail system to send a defamatory message about someone over what is considered a “public” communications network;

be accused of breaching human rights laws by inadvertently becoming a party to a harassment complaint or the creation of a “hostile” work environment. Such complaints may occur if one employee objects to another employee downloading, displaying or printing content from pornographic, racist or other offensive sites (the e-mailing of “dirty jokes” was seen by one U.S. court as contributing to the creation of a hostile work environment);

be accused of breach-of-copyright if he or she uses the internet to compile copyright-protected material and uses this in a brochure, presentation or other public document, without permission from the copyright owner;

be charged with breaching securities laws if an employee of a public company e-mails or posts on the company’s web site “insider” information (news about earnings, losses, new products, etc. that could materially affect the company’s share price) before this information has been disclosed to the market.

In addition, the increasing risk of computer viruses, which spread like wildfire through e-mails, has prompted many companies to take more action in setting limits around e-mail use.

Some organizations, especially in the U.S., have addressed potential legal or business risks by monitoring employees’ internet and e-mail use. (For example, a 1999 survey by the American Management Association found that nearly 40% of its member companies monitored employees’ e-mail.) There is a variety of sophisticated network software available that allows supervisors to see, at any time, what’s on their employees’ computer monitors, what’s stored on their hard disks and what web sites they’ve visited.

And there have been cases, both in the U.S. and Canada, where employees have been dismissed for sending critical or defamatory e-mails about their manager or employer to people inside or outside the company. They thought they were safe because they had deleted the messages. Of course, they had forgotten the messages continued to survive in their computer’s “Trash” or “Re-cycle” folder, on the company server or on the back-up tapes that many companies make of their computer systems daily.

In Canada, however, employers may not have complete freedom to monitor their employees’ e-mail. Section 184 of the Criminal Code prohibits the use of “any electro-magnetic, acoustic, mechanical or other device” to willfully “intercept a private communication.” (It is the same section that protects you from having your phone tapped without a judge’s authorization.)

Canada’s federal Privacy Commissioner, George Radwanski, has also come down against wide-scale monitoring of employees’ internet use. In a recent presentation delivered at a Toronto conference on workplace privacy, Radwanksi acknowledged the potential for employees to abuse their internet access at work, and for employers to become liable. However, he continued, “Just the potential for problems doesn’t justify wholesale monitoring.”

“Most of us would agree,” Radwanski said, “that an employer has no business randomly or routinely pawing through the desk drawers of employees and examining whatever happens to be there. What makes the contents of a computer any different?”

He went on to point out that, in most situations, as long as employers have exercised due diligence, their liability in harassment and other situations is minimal. And, to most legal experts, the first and most important step in this due diligence is developing and communicating an internet and e-mail use policy.

Setting an Internet policy

The first element of an internet-use policy should make clear that the “employee’s” computer and internet access belongs to the employer, that the employer may have need to access the data on it, and therefore the employee has “no reasonable expectation of privacy.” In most cases, by eliminating any expectation of privacy, this kind of message would provide the employer with legal protection from any Section 184 Criminal Code charges.

A policy should also include statements to the effect that:

access is for, or primarily for, work-related tasks only;

the employer may conduct occasional monitoring of employee’s internet use for performance measurement or other reasons;

downloading or transmitting offensive material or messages will result in discipline, including termination;

employees should never transmit sensitive company information (on earnings, strategic plans, new products, etc.) without authorization;

employees should not transmit, download or use any copyrighted material (e.g. games, images, software) without the copyright owner’s permission.

Some companies routinely update their policies to prohibit employees from opening any e-mail that resembles known virus-transmitting files (e.g. file extensions with the “.exe” extension, as was seen with the Lovebug and Melissa viruses) without the permission of the information technology department or a designated company official. This offers some legal protection from the risk of being sued for spreading the virus and causing major damage to another organization’s operations.

Communicating your internet and e-mail policy widely, regularly updating employees about new risks as they emerge, dealing with abuse or infractions on a case by case basis, and showing you’re serious by getting tough with repeat or egregious offenders will serve you as well as, or better than, constant monitoring of employees’ computer activity. You’ll maintain employee trust and morale while minimizing both the legal and business risks presented by new technologies.CCE

“The employees thought they were safe because they had deleted the messages. Of course, they had forgotten the messages continued to survive in their computer’s “Trash” or “Re-cycle” folder.”