May, 1999

MELISSA, THAT RECENT COMPUTER VIRUS, helped remind everyone that the Internet can be both treasure chest and Pandora’s box – full of all kinds of surprises.

While various laws prohibit electronic malfeasance, ranging from unauthorized computer access (or "hacking") to the distribution of child pornography, the Internet is a largely unregulated medium. Using your company’s Web server and E-mail system, employees can engage in all sorts of activities – some legal and some not, some meritorious and some downright embarrassing.

Over the course of a week, for example, it is entirely conceivable that all or some the following kinds of electronic transactions may be occurring at your facility:

• Terry E-mails his boss’s boss about a product safety problem he thinks may be looming on the horizon, not realizing that his E-mail can later be subpoenaed by the government.
• Sam receives what he believes to be a hilarious racist joke, which he forwards to a "buddy list" of acquaintances inside and outside the company.
• Phyllis takes what she believes to be a particularly obtuse memo from Personnel and E-mails it to Scott Adams, creator of Dilbert.
• Alice decides to auction off her daughter’s collection of Beanie Babies, using her corporate E-mail address.
• Todd, concerned about a competitor’s recent string of product introductions, decides to see if he can break into restricted portions of the competitor’s Web site.
• And Bill fires off an E-mail letter to a trade publication, accusing the editor of being a shill for the industry, especially on stories concerning pollution control.

These are not manufactured examples. Only last month, Raytheon Corp. went to court to learn the identities of employees who were using a public chat room to complain about the CEO, the company’s stock price and merger-and-acquisition plans. The employees, who used such aliases as "Rayman" and "Raytheon Veteran," never dreamed that American Online could be compelled by subpoena to reveal their true identities.

Let Your Employees Know the Rules

There’s an old saying that locks don’t stop determined thieves – but they do help honest people stay that way.

While companies publish all sorts of handbooks governing employee conduct, few of these today cover employee conduct on the Internet. If your company has no "locks" on electronic behavior, the honest employee may appreciate knowing what’s permitted and what’s not.

What, however, constitutes an effective Internet policy?

Certainly, the Internet has become an important business tool, speeding up all sorts of communications and exponentially increasing the availability and flow of information. Taking away an employee’s computer or restricting its hours of use is more than likely counter-productive. Alternatively, one could decree that computers are to be used strictly for business purposes – but the amount of surveillance required to enforce such a policy also would be counter-productive.

A better approach may be to provide Internet access for business purposes while condoning occasional personal use. That is what most companies do with long-distance telephone calling, whether they realize it or not. In the long run, it is cheaper and more productive to permit the occasional personal call than to force the employee to leave the office and find a pay phone.

You have the right to monitor communications at your place of business, including E-mail and other computer transmissions. If you plan to monitor these communications (most likely on a spot-check basis), inform employees of your intent and warn them that abuse of privileges may lead to their rescission. Explain that it’s one thing to check the weather forecast on AOL and quite another to spend three hours in a chat room grousing about the boss.

Getting Specific About What’s Forbidden

While the incidental-use doctrine is helpful in establishing an enlightened approach to employee time online, it does not go far enough in clarifying what your company regards as serious breaches of acceptable conduct.

Accordingly, here is a list of specific acts you may want to prohibit when company computers are used:

• Disseminating trade secrets or confidential records and correspondence to unauthorized persons, inside or outside the company.
• Making disparaging statements about the employees, customers, products, performance and plans of either your company or its competitors.
• Making libelous or slanderous statements about any individuals or groups.
• Making comments that violate employment discrimination or sexual harassment laws.
• Selling personal goods or services.
• Receiving or disseminating illegal materials.
• Receiving or disseminating pornographic materials, whether illegal or not.
• Duplicating copyrighted literature and software.
• Threatening anyone.
• Gaining, or trying to gain, illegal/unauthorized access to computer networks, databases and Web sites ("hacking").
• Committing any other illegal act.

Just as your existing employee handbook establishes grounds for discipline or dismissal when non-electronic offenses occur, inform your workforce that the kinds of electronic violations above are equally serious and equally subject to discipline or dismissal.

"AOL" Doesn’t Stand for Anonymity Online

The final step in developing an effective Internet policy is to educate employees about the false sense of anonymity they may feel online. Virtually every online communication creates an electronic trail, or footprint, that can trace the message or transaction back to the sender’s computer. This may be visible – as in the case of an E-mail header, or invisible – as in the case of a chat-room transmission. In either case, it is nonetheless "there." (It took less than a week for experts to trace the Melissa virus back to its alleged creator.)

Similarly, much of what is created in a computer remains in the computer, long after it may have been deleted from accessible files. These days, the discovery process in complex corporate litigation – such as an antitrust case – may include a search of hidden computer records. Lo and behold, an incriminating E-mail that was deleted years ago comes miraculously back to life.

In short, anonymity on or off the Net does not exist – and that is a sobering thought for most computer users.

Moreover, employees everywhere want to know the rules of the game. Once they are informed that Internet usage is subject to the same principles of conduct and common sense governing the rest of their business activities, the vast majority will use their computers with similar care. While no policy will eliminate all non-business usage of company computers, it will greatly reduce the risk to your company of ill-advised – if not illegal – computer transmissions.

If you work in a large, multi-unit organization, others – including the corporate Human Resources and MIS Departments – might appreciate copies of this issue. These can be ordered from your Sanford Rose Associates search consultant.

©1999 SRA International, Inc. All rights reserved, including electronic reproduction or alteration. This SRA Update is published for the clients of Sanford Rose Associates.