MONITORING EMPLOYEES' USE OF COMPANY COMPUTERS
AND THE INTERNET
Why Companies Should Be Concerned
Business-related use of the Internet has grown by leaps and bounds in the last few years. At the same time, more and more employees must use computers in their work at least part, if not all, of the time. All in all, this increasing use of technology has helped fuel an unprecedented expansion of the state and national economies. However, along with the benefits, there are several risks for employers. This article will examine some of the basic issues and offer some solutions to business owners who are mindful of the risks involved. First, let's look at some of the risks of the electronic revolution.
Electronic Mail Top of Page
Electronic mail, or e-mail, has become the communication medium of choice for many employees and businesses. No one doubts its time-saving qualities, but employers must consider the dangers as well:
Employers can be liable for employees' misuse of company e-mail
Sexual, racial, and other forms of harassment can be done by e-mail
Threats of violence via e-mail
Theft or unauthorized disclosure of company information via e-mail
E-mail spreads viruses very well
Internet Top of Page
The Internet is like a super-network connecting countless other computer networks around the world. Literally millions of computers are connected to this vast resource. Every imaginable type of information is available on the Internet if one knows where and how to search for it. As with any kind of resource, it has its good and bad sides. Not surprisingly, employers have had some problems with employees' use of the Internet:
Unauthorized access into for-pay sites
Sexual harassment charges from display of pornographic or obscene materials found on some sites
Trademark and copyright infringement problems from improper use or dissemination of materials owned by an outside party
Too much time wasted surfing the World Wide Web
Viruses in downloads of software and other materials from Web sites
Company Computers Top of Page
Even with company computers that are not connected to the Internet, employers are finding problems with employees abusing the privilege of having computers to use at work:
Software piracy - employees making unauthorized copies of company-provided software
Unauthorized access into company databases
Use of unauthorized software from home on company computers
Sabotage of company files and records
Excessive time spent on computer games
Employees using company computers to produce materials for their own personal businesses or private use
Many employers wonder what they can do to protect themselves against these kinds of risks and to ensure that company computers and networks are used for their intended purposes. Fortunately, Texas and federal law are both very flexible for companies in that regard. With the right kind of policy, employers have the right to monitor employees' use of e-mail, the Internet, and company computers at work. Doing so successfully requires both a good policy and knowledge of how computers and the Internet work.
Policy Issues Top of Page
Monitoring employees' use of company computers, e-mail, and the Internet involve the same basic issues as come into play with general searches at work, telephone monitoring, and video surveillance. Those basic issues revolve around letting employees know that as far as work is concerned, they have no expectation of privacy in their use of company premises, facilities, or resources, and they are subject to monitoring at all times. Naturally, reason and common sense supply some understandable limitations, such as no video cameras in employee restrooms, and no forced searches of someone's clothing or body, but beyond that, almost anything is possible in the areas of searches and monitoring. Let's turn to some specifics.
Every employer needs to have a detailed policy regarding use of company computers and resources accessed with computers, such as e-mail, Internet, and the company intranet, if one exists. Each employee must sign the policy – it can be made a condition of continued employment. The policy should cover certain things:
Define computers, e-mail, Internet, and so on as broadly as possible, with specifics given, but not limited to such specifics
Define the prohibited actions as broadly as possible, with specifics given, but not limited to such actions
Remind employees that not only job loss, but also civil liability and criminal prosecution may result from certain actions (illegal pornography, participation in spamming operations or other scams, involvement in computer hacking (see 18 U.S.C. § 1030, among other laws))
Company needs to reserve the right to monitor all computer usage at all times for compliance with the policy
Right to inspect an employee's computer, HD, floppy disks, and other media at any time
Right to withdraw access to computers, Internet, e-mail if needed
Consider prohibiting camera phones (also called cell phone cameras); such phones have been implicated in gross invasions of other employees' privacy and in theft of company secrets
Make sure employees know they have no reasonable expectation of privacy in their use of the company's electronic resources, since it is all company property and to be used only for job-related purposes
How to Monitor Compliance Top of Page
Here is where you as an employer must know at least a few things about computers and the Internet. Naturally, you will leave many of the technical details to certain trusted computer experts on your staff, or you can contract with one of any number of private computer services companies out there. However, you should be armed with some technical knowledge so that you can make better use of the experts' time and be able to tell whether your efforts are successful.
Have your information technology department or computer person set up software monitoring capabilities. Some software can only detect which computer was used on a network, not who used it. An alternative would be to set up a "proxy server" – users have to log in with their own user names and passwords. With regard to the Internet, specific sites can be blocked by Web site addresses and keywords. Some software can analyze the hard drive of each computer on a network, thus establishing who might have unauthorized software or files on their computer.
Where to look for unauthorized computer and Internet activity? On PCs, look in C:\Windows\ for the following folders:
Cookies - contains "cookies" left on the employee's computer during visits to Web sites - cookies are little files that let Web sites know whether someone has visited the site before
History - this records the name and Web address of every site visited by the employee
Temporary Internet Files - this folder contains a copy of every Web page, graphic image, button, and script file found in or on each Web page visited by the employee
Start Menu: "Documents" – this shows what is in the user's "Recent" folder (recently-opened or recently-used files)
On Macintosh computers, look in the folder for the ISP (Internet Service Provider), then in the folder for the Web browser, then in either "Cache f" or the above names, depending upon what browser the employee uses. The "Apple" menu on Macs also has a "Recent" folder that shows what files the employee has worked on most recently.
With the files found in the above folders, it is possible to reconstruct an employee's entire Web surfing session.
Other places on the computer may yield clues. On PCs, look in the "Recycle Bin" – some people forget to empty that folder when they delete files. Using whatever graphics application you find on the computer, click "File" and look at the recent files in use - you may be surprised at what images the employee has viewed. On Macs, look under "Recent Documents" or double-click the "Trash" icon to see deleted files.
There are some warning signs for computer abuse:
the employee spends a lot of time online, more than is reasonably needed for the job, yet is strangely non-productive
you hear a lot of hurried clicking as you approach, and the employee greets you with a red face
the Temporary Internet Files folder is filled to capacity
the employee's computer crashes more than anyone else's – viruses and excessive demands on RAM
an increase in spam e-mail from employees leaving their addresses all over the Internet ("spam" is unsolicited commercial e-mail).
Why Companies Should Be Concerned Top of Page
Abuse of company computers, networks, and the Internet can leave a company at real risk for an employee's wrongful actions. If an employment claim or lawsuit is filed, it is standard for plaintiff's lawyers and administrative agencies to ask to inspect computer records. Deleting computer files does not completely erase the files – there are many traces left on the user's computer, and forensic computer experts can easily find such traces and use them against a company. Tools exist to make data unretrievable, but one must be not only aware of the tools, but has to know how to use them.
An employee in a large semiconductor manufacturing firm was recently arrested on charges of child pornography after a coworker alerted company managers and the managers called law enforcement authorities. Upon detailed inspection, his office computer was found to have hundreds of illegal images stored on the hard drive. The company's quick action probably prevented what could have been legal problems for the employer itself. In a Central Texas county, a sheriff's department employee was fired after many sexually explicit images were found on his office computer. The department had no problem searching his computer, since it had a well-written policy regarding computer and Internet usage.
Focus on E-Mail Top of Page
A good e-mail policy will let employees know that the company's e-mail system is to be used for business purposes only and that any illegal, harassing, or other unwelcome use of e-mail can result in severe disciplinary action. Let employees know that monitoring will be done for whatever purposes. If unauthorized personal use is detected, note the incident and handle it as any other policy violation would be handled. Whatever you do, do not allow employees' personal e-mail to be circulated at random by curious or nosy employees. Such a practice could potentially lead to defamation and invasion of privacy lawsuits. Have your computer experts attach a disclaimer to all outgoing company e-mail that warns of the company's monitoring policy, lets possible unintended recipients know that confidential company information might be included, and disavows liability for individual misuse or non-official use of e-mail. Here is an example of such a disclaimer:
IMPORTANT MESSAGE
Internet communications are not secure, and therefore ABC Company does not accept legal responsibility for the contents of this message. However, ABC Company reserves the right to monitor the transmission of this message and to take corrective action against any misuse or abuse of its e-mail system or other components of its network.
The information contained in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. If you are not the intended recipient, any disclosure, copying, distribution, or any action or act of forbearance taken in reliance on it, is prohibited and may be unlawful. Any views expressed in this e-mail are those of the individual sender, except where the sender specifically states them to be the views of ABC Company or of any of its affiliates or subsidiaries.
END OF DISCLAIMER
Court Action Top of Page
A significant court case in the area of e-mail is McLaren v. Microsoft Corp. (No. 05-97-00824-CV, 1999 Tex. App. LEXIS 4103, at *1 (Tex. App.- Dallas 1999, no pet.)), in which a state appeals court in Dallas ruled that an employee had no claim for invasion of privacy due to the employer's review and distribution of the employee's e-mail. The court noted that having a password does not create reasonable expectation of privacy for an employee, and that since the e-mail system belonged to the company and was there to help the employee do his job, the e-mail messages were not employee's personal property. In addition, the court observed that the employee should not have been surprised that the company would look at the e-mail messages, since he had already told the employer that some of his e-mails were relevant to a pending investigation.
Another court ruled in 2001 that an employer did not violate the federal law known as the Electronic Communications Privacy Act of 1986 (amended by the USA Patriot Act in 2001) when it retrieved an employee's e-mail sent on a company computer to a competitor company in order to encourage the competitor to go after the employer's customers (Fraser v. Nationwide Mutual Insurance Co., 135 F. Supp. 2d 623 (E.D. Pa. 2001)). The employee had sent the e-mail, the recipient at the competitor company had received it, and so the employer had not intercepted the e-mail while it was being sent, which is the only thing protected by the ECPA. On December 10, 2003, the Third Circuit Court of Appeals affirmed that part of the federal district court's judgment (Appeal No. 01-2921). An important note here: an employer can do anything with e-mail messages sent and received on company computers, even including intercepting them during the process of transmitting or receiving, as long as it has notified employees that they have no expectation of privacy in the use of the company e-mail system, that all use of the e-mail system may be monitored at any time with or without notice, and that any and all messages sent, relayed, or received with the company's e-mail system are the property of the company and may be subject to company review at any time. For an example of how such a policy might be worded, see the sample policy titled "Internet, E-Mail, and Computer Usage Policy" in the companion book "The A-Z of Personnel Policies."
Evidence of Misconduct Top of Page
If an employee is disciplined or discharged based upon computer or Internet problems, have your company computer experts collect both digital and printed copies of whatever e-mail messages or computer files contain evidence of the violations. The evidence can then be used to defend against various kinds of administrative claims and lawsuits, such as an unemployment claim or discrimination lawsuit.
Conclusion
For business owners, technology makes things both easier and harder. Every company has to ensure that its electronic resources are used properly and not abused by employees. The more you as employers know about computers and the Internet, the better off, and safer, your company will be.
Return to Businesses & Employers
Return to TWC Home