Now that the Internet1 has become a part of the work environment, many employers have enacted a company policy governing access to the Internet by their employees. Our review of some of these policies leads us to conclude that many companies have enacted them because they think they should, without careful consideration of the goals to be achieved, the method of implementation of the policy, and the relationship of the Internet policy to other company policies and to the existing legal landscape. This article identifies some of the human resources, strategic, practical and legal issues that our clients have considered in their decisions to enact and enforce an employment policy relating to the Internet.
I. THE GOAL TO BE ACHIEVED
The first question to be answered is what, in particular, is the client's motivation behind the creation of an Internet policy? Policies can, of course, address more than one client concern, but knowing what prompted a request for this particular policy is useful in considering whether a policy is necessary, whether the concern is currently addressed by another company policy, and the consequences for noncompliance.
II. SOLVING A CURRENT PROBLEM
If the client is seeking to address a current problem, It is critical to analyze the nature and extent of the problem. Will the problem be solved by a policy? For example, if the problem is that the employees are wasting valuable time on the Internet, the answer might be that the employees need training from cybrarians who are familiar with the organization (such as it is) of the Web, the benefits of various types of search engines and strategies, and the best means to store and retrieve information that is downloaded.
Is there a problem with peculiar to one person, not reflective of the corporation as a whole? That problem might be better addressed with a meeting between the employee and his or her supervisor, and not the enactment of a new, comprehensive corporate policy.
III. AVOIDING FUTURE PROBLEMS
Most of us have heard stories about employees at other companies who have downloaded pornography, spammed, wasted hours wandering the Web, disclosed confidential information, and posted messages using the company e-mail address. Your client wants to head off those problems before they happen. The Internet policy for that client will need to list the proverbial parade of horribles --a list of the prohibited acts --and will need to be updated as the evening news reveals new ways to embarrass or commit illegal acts using a computer, a telephone line, and a browser.
Some acts, once considered merely annoying and problematic, are now crimes under state and federal law. In light of the unique problems posed by computing resources generally, and the Internet in particular, legislatures are continually considering bills relating to the Internet. It is important to track these activities so that any policies enacted by a client will take into consideration the possible legal liabilities lurking around the next legislative corner.
IV. WHERE THE INTERNET IS A MIRROR FOR OTHER INTERNAL PROBLEMS
Sometimes a problem is perceived to be Internet related, but in fact has its sources elsewhere in the company and is simply made visible because of the use of the Internet. If an employee has disclosed confidential information by sending a file over the Internet without first encrypting it, the first place to look for resolution is the company's policies regarding use and disclosures of confidential information. As a major U.S. company recently learned, disclosure through Internet use pales in comparison to employee espionage, sloppy corporate housekeeping, inadequate employee exit procedures, and insufficient physical security measures.
Another example is an employee downloading shareware or freeware from the Internet for use as a part of a software development project. We often think first of the issue of bugs and viruses embodied in code obtained from the Internet, but the incorporation of code not original to a company's employees also raises issues of ownership of the final product. Will the company be able to represent and warrant (to users, distributors, strategic partners, investors, and possible acquirers) that the content of its products are all original to the company, and the company owns all of the intellectual property rights, if a portion of the code came from an unknown source? The issue here does not really relate to the Internet, but to policies of software development. The same issue arises when an employee receives a diskette, CD ROM, technical paper, or other source of code, algorithms, flow charts, or technical information used in connection with product development. In this example, the Internet is simply a conduit for the receipt of such technical information, not the focus of the policy.
V. ANSWERING EMPLOYEE QUESTIONS
Is there confusion within the company as to what is permitted and prohibited? What s the source of the confusion? Are different company managers articulating different standards or expectations? The Internet is new, unique, interesting, and in a state of evolution. Different company departments and employees within those departments have different needs, expectations, and philosophies, and may well develop different, informal Internet policies in the absence of a formal company policy. This may or may not be a good approach.
VI. POLICIES NEED NOT BE COMPREHENSIVE
Depending upon a company's motivation for enacting an Internet policy, it may wish to start small, or at least start specific. It may not be necessary to prepare a comprehensive policy that addresses all the issues arising from the existence of the Internet. For example, Internet access means an increase in certain corporate costs (software acquisition, training, computing power, telecommunications cost, ISP fees, storage and retrieval of downloaded files), and a policy may give the department heads and fiscal managers an opportunity to create a better understanding of the costs to a company of using the Internet. Of course, a policy may address the issue of costs without ever addressing other, more nonquantifiable issues, such as who gets to spend what amount of time on what kinds of projects. Thus, you can consider creating a policy to address specific issues and remain silent on other issues, at least until a later time.
VII. PROMOTING NEW, POSITIVE BEHAVIOR
Internet policies can be a vehicle for improving company communications with third parties, standardizing the use of computing resources, improving record keeping, coordinating overall security measures, increasing productivity and creativity, and encouraging the use of information technology. A policy focusing on the promotion of certain behaviors will have a very different tone than a policy seeking to discourage behavior, and may be able to have the same effect in altering employee behavior without moral issues created in connection with notifying employees of "yet another management policy, yet another change to be disciplined."
VIII. SOME POLICIES CAN HELP AVOID LEGAL PROBLEMS
Sometimes a policy can serve as a shield in the event of litigation. Policies addressing the issue of sexual harassment are a good example. Currently, Internet policies do not have the same legal force as sexual harassment policies. However, even if not completely bulletproof, a policy can serve as a statement of corporate intent, philosophy, and expectations. It can also serve as a basis for employee disciplinary proceedings, including termination. It can be used to demonstrate to third parties (regulatory agencies, plaintiffs' attorneys, judges, juries, and prospective joint venturers) that the company takes a strong view on certain issues.
IX. PERSONS AFFECTED BY THE POLICY
We often think of company policies as affecting nonmanagement employees. Internet policies, because they involve issues of computing resources, time management, distinctions among employees, the law (e.g., copyright, trademark, libel), will affect a wider constituency, including the board of directors, company officers and supervisory personnel, human resources, the Information Technology Department, affiliates, and lawyers. Will your client's policy apply equally to employees regardless of status? What differing circumstances might justify different treatment between and within classifications of job responsibilities?
Additionally, will the policy be binding upon independent contractors, and if so, how will the Internet policy, and amendments to that policy, be made a part of the contract with the contractors? Will the policy be binding upon interns? Volunteers? Trustees?
X. FORMATION OF THE INTERNET POLICY COMMITTEE
Who will establish the policy? Will it come down on high from 'management", or "The Lawyers"? If a committee is to be formed, the composition will likely need to be both political and practical. You will want to select participants based upon their knowledge of the Internet, of computing resources and the practical issues in monitoring and enforcing the technological aspects of the policy; persons knowledgeable about the internal administration of policies; persons with solid relationships with the workforce; and, of course, a lawyer. We have seen many policies created by management only to find out from the technical staff that there is no way to monitor such behavior, and thus detection and enforcement will rely on methods outside of the technology itself.
XI. POLICY, PROCEDURES, AND ENFORCEMENT
An Internet policy can deal with technology (computers, software, telecommunications devices), law (pornography, copyright, trademark, privacy), internal administration (who monitors to verify compliance or investigate a complaint), and human resources (what will the company do with the information it learns about employee use of the Internet). It can also establish procedures for implementation, monitoring, enforcement, investigation, and discipline.
Is the client interested merely in establishing a policy, and leaving the issues of administration and enforcement to the default procedures currently used for the other policies? Is there something different about the Internet itself, and the use of the company's computing resources, that suggests it is appropriate to develop special procedures for the Internet policy?
XII. RELATIONSHIP TO OTHER COMPANY POLICIES, OR CURRENT LAW
We have seen Internet policies that prohibit the use of the Internet to harass another person, or to violate copyright, to invade someone's privacy, or to commit some illegal act. In fact, the Internet policy appears to be the last resort for the other policies the company forgot to enact, or the issues it wishes to clarify at this time. Really, now, do we need an Internet policy to advise staff not to violate the law? Isn't this conduct already prohibited in some other company policy (for example, the anti harassment policy). If it is not, perhaps a policy should be created which does not focus on the means by which an act is effectuated that is, the technology), but the prohibited conduct.
Our view of technology is that, between voice mail, e-mail, Internet access, remote computing access, virtual offices, pagers, etc., we will spend our legal lives trying to keep up with the creation of policies relating to technology moving faster than we are. It might be more useful to focus on the conduct of people.
XIII. THE INTERNET, E-MAIL, AND OTHER DOCUMENT-RELATED POLICIES
Most of the traffic on the Internet is e-mail, often with attachments. The electronic messages received are documents. Will the client's Internet policy address the issue of retention, distribution, and destruction of these documents? We know that deleting electronic documents is currently very difficult, and document destruction policies have legal implications, including spoliation of evidence. Will the document destruction procedures be different for electronic documents than for paper?
Will the company policies for access to Internet and electronic documents be different than the policies for accessing paper files? If someone can walk down the hall, open my file drawer, and review correspondence and drafts of documents, can they sit at my computer and review the contents of my hard drive? Do I need to give them my password? Am I entitled to encrypt documents or password protect them in such a way that only I can access them? Is a document that I create as a part of my job responsibilities ever "my" document? How does a company effectively monitor and enforce when information and evidence is locked away.
In sum, we think that the issue of an Internet policy involves many company issues, only some of which involve the Internet. We recommend a careful review of existing policies before enacting yet another, that the policy focus on a set of behaviors unique to the Internet and the realm of electronic resources, that the company involve an appropriate pool of talent before creating such a policy, and that the policy be revisited often to evaluate its effectiveness and to see how far out of date it is in light of the advancement of technology. Isn't this fun?
(This article previously appeared in the Michigan Business Law Journal, Volume XIX, Issue 2.)