Jessica Hartman prided herself on almost always being the first one to arrive at the 23rd floor office of Working People Communications, a publishing company. At 6:17 a.m., her mind raced through the morning deadlines and her hand reached for the electronic key, and then she stopped. Several crisscrossing ribbons of yellow tape sealed the office entrance. A banner read: “Sealed by Order of the FBI.” The Internet Age had just reached Hartman in a way she had not expected.
Two days before, a window-washer had been outside the 23rd floor when he noticed something on a computer monitor in one of the offices. Pictures of what appeared to be child pornography were on the screen. Offended and troubled, the window-washer phoned the FBI. Suspecting an Internet pornography ring, the FBI obtained a warrant and seized the hard drives of every computer on the 23rd floor. Agents sealed the offices as a crime scene only an hour before Jessica’s arrival.
The next 24 hours were intense with FBI interviews and the collection and cataloguing of electronic evidence. The agents found nothing suspicious until they decoded a list of Internet sites visited by Chris Munzer, a circulation department employee. Several pornographic sites were listed, including one where the models appeared to be minors. Munzer had been logging on to these sites from his office computer for six to eight hours a week. He had downloaded several sexually explicit images and then deleted the files. One of the FBI computer crime specialists restored the deleted files from Munzer’s hard drive. Munzer, like most employees, was unaware that deleted files are not truly deleted but merely have their file designations removed.
The FBI finished its investigation, and the local U.S. attorney general’s office concluded there was insufficient evidence for criminal prosecution. Munzer had been suspended during the FBI investigation. When the company conducted its own internal investigation, Munzer volunteered that he was receiving professional help for Internet addictive disorder, a recognized illness estimated to afflict 10 percent of Web users. Munzer also claimed that personal use of the Internet was common in the office and that he never missed a deadline. Unfortunately, Working People did not yet have an Internet usage policy. Nonetheless, the conduct was a clear misuse of employer time and equipment, and the sexual nature of the websites was explicitly prohibited by the company’s antiharassment policy. Under these circumstances, the possible application of the Americans with Disabilities Act (relating to his possible mental illness) did not save Munzer’s job.
The above story is from a real case. Technology provides new challenges for laws written before the Internet entered the workplace. Based on our practice at Littler Mendelson, we estimate that more than half of all employment and labor law cases involve some aspect of workplace technology.
The formation of a comprehensive “cyberpolicy” for your workplace is no longer just a good idea, it’s a legal necessity. Employees need to know ahead of time what constitutes acceptable Internet use. What type of sites are appropriate to visit? When? What material is permissible to download? For example, can an employee use the company’s computer and Internet connection to visit Amazon.com during a break? Employees who spend, on average, 24 percent of their Internet time on nonbusiness-related tasks (according to an August 1998 Work Group Computing report) need answers.
While the HR and legal departments are of course heavily involved in the creation of such a policy, CIOs are often given the assignment of building a draft policy. More and more, CEOs and CFOs want to finalize the policy statement because the Internet has become increasingly central to the employers’ mission. But CIOs will be on the front lines of its implementation.
To help develop a useful policy, conduct a usage audit of your Internet systems. How many of your employees have access to the Internet? How much time do they spend on it? What are the privacy expectations of your workforce? A successful policy must take this usage and history into account when setting standards in order to reinforce some behaviors while discouraging others. When collecting information for this purpose, corporate counsel should evaluate whether any of the audit questions create the risk of collecting evidence that could be harmful to the company in future litigation.
Training and Expertise
The success of a state-of-the-art cyberpolicy is determined by how well employees understand and implement it. Nonetheless, few employers have trained workers on Internet use and policies. Clearly this should occur, and the employer should document that employees have received the policy and related training. The most important benefit of this process is that employees will use the Internet as intended. A secondary benefit is the ability to discipline violators.
In addition to this training for everyone, plan an “Internet litigation avoidance” session for the key professionals who will shape the organization’s policy and have to enforce it. This session can be as short as two hours. Participants should include HR representatives, corporate counsel, the head of security, an IS representative, a manager with some fiscal authority and a line management representative.
Also, designate an articulate expert within the organization who understands the Internet and employment law considerations. Typically this is an HR professional, but it could also be someone on the IS staff (if he can clearly explain technology to groups that do not have a technical background).
Regardless of employee training, Internet policies are useless if not enforced. Software that can search e-mail for sexual content can give your policy teeth by helping management with this enforcement. Generally, new legal standards will demand evidence of some form of prudent preventive effort by management to counter a charge that Internet misuse has created a hostile work environment.
Often, different managers enforce workplace policy requirements in different ways. This is especially true for a new policy where managers have little experience. Inconsistencies will open the employer to claims of being discriminatory or unfair. Establishing uniform standards in advance helps reduce inconsistencies. Government enforcement agencies have established websites that provide technical information and policy guidelines. Private HR and legal sites are multiplying.
When implemented, a cyberpolicy becomes a traffic signal allowing for a more efficient use of the Internet in a world of long-established employment and labor law standards. Such policies do more than protect the organizations that have them; they make for better workplaces.