During the past decade, the typical workplace has witnessed technological advances that are nothing short of astonishing. The days of bulky, noisy typewriters are long gone, and most workplaces now are equipped with sophisticated computers and electronic hardware and software.
Employees are performing and storing their work electronically with access to a world of information at their fingertips. Similarly, employers have access to a wealth of monitoring and tracking technology to verify employees are performing their assigned responsibilities and using technology in an appropriate, lawful manner.
Although contributing to businesses' efficiency, productivity and overall capabilities, recent technological advances have been accompanied by a variety of complex legal issues and risks that present significant concerns for employers. You must, at a minimum, understand the basics of these issues and develop realistic and effective strategies and policies to address them or else expose yourself to liability.
Realize the risks
The business risks associated with technology use are obvious.
For example, any efficiency generated by employees' use of computers to prepare and store files or communicate business information can be compromised in a matter of seconds by power outages, viruses or external hackers, which can result in the loss or misappropriation of trade secrets or other proprietary, confidential or sensitive business information. This explains why companies continually invest significant resources to maintain, protect and support information systems.
Although essential, such technical safeguards represent only a small part of a modern, technologically evolving workplace, particularly where technology poses risks that extend well beyond strictly business-related concerns and the traditional office environment.
Such safeguards do not adequately address and may not prevent the potentially severe legal ramifications that can result from one or more of the following scenarios: the misappropriation or misuse of confidential or sensitive information; unanticipated disclosure of trade secrets or other protected or confidential data; employee use of a company's information systems and property (including e-mail, Internet, cell phones and other handheld devices) for harassment, discrimination or other illicit purposes; and bargaining obligations in unionized work forces stemming from the installation and use of technology and the policies that govern such usage.
Furthermore, you must balance your legitimate business needs to use monitoring or tracking technology (from surveillance cameras in work areas to sophisticated global positioning satellite [GPS] software installed in company vehicles, cell phones and other equipment) against employees' privacy expectations.
These scenarios continue to pose pressing questions for employers, employees and the courts in formulating adequate standards governing technology's use in the workplace.
What's being used
Most employees now have access to the Internet and the wealth of information it offers. In an ideal setting, employees would use this tool strictly for work-related purposes, but in reality, employees often spend excessive amounts of work time pursuing personal interests online. Among some of the more innocuous uses, employees shop, read news stories and entertainment articles, watch videos and catch up with friends, all of which distract from work responsibilities and ultimately amount to a waste of work time.
However, employees also may use the Internet for offensive or downright unlawful purposes, such as posting messages to co-workers that may be perceived as harassing or discriminatory; posting disparaging remarks about your company or management to a potentially limitless audience outside the company; publishing confidential or sensitive information belonging to your company, employees or clients; or viewing pornographic or other workplace-inappropriate sites.
In recent years, e-mail use has become a central aspect of business communication internally and externally—even more so now that e-mail can be readily sent from virtually any location by mobile devices such as personal digital assistants and cell phones.
Although e-mail is efficient, critics note it is highly impersonal. This impersonality has two potential pitfalls in the workplace: It can contribute to the misunderstanding of the intent, tone or substance of a sender's message because it cannot convey the subtleties and nuances of in-person conversations. In addition, the removed, isolated nature of e-mail as compared with live communication can and often does lead to failing to think through the consequences of what is being written and, as a result, treating e-mail less formally than one should.
Studies reveal employees often will write things in an e-mail they would not actually tell a recipient in person. It should come as no surprise that e-mail is frequently misused to forward inappropriate messages to employees and individuals outside the company or send attachments or comments that some employees may perceive as harassing and discriminatory.
And not withstanding the strong possibility of misinterpretation, employers often use e-mail to address employee issues relating to discipline or other important employment-related decisions rather than confronting employees face-to-face.
Instant messaging
E-mail revolutionized the way employees communicate, but instant messaging (IM) is further advancing the speed and informality of communications. IM is the real-time exchange of messages between two or more people logged onto a common IM service with the added benefit of being able to discern whether an individual is online at any given time and available for communication. Although IM at first blush may seem no different from e-mail, it poses additional risks for employers.
For instance, most consumer-grade IM software (the type that is downloadable at no cost, which a vast majority of IM users use) does not have the capability to detect and filter out potentially harmful communications, such as viruses or changes of log-in names, so individuals posing as others (such as other employees) can access a company's information and systems.
IM applications also are an ideal platform for computer worms—worms use IM "buddy lists" to send themselves to other users, and few, if any, firewalls are capable of scanning IMs (either incoming or outgoing) for viruses or other unwanted content. Most IM programs lack encryption capabilities and have features that bypass company firewalls, making it difficult for a company's information technology administrators to control and monitor instant messaging. And because most IM applications do not encrypt network traffic, a third party can eavesdrop on conversations between two IM users using readily available technology.
Similar to e-mail, IM systems allow users to attach and exchange files, but under most IM protocols, files are transferred directly between users rather than through a server and IM systems do not encrypt attached files transferred between IM clients. This means that if one user is outside your company's internal network, attached files are transferred unencrypted over the Internet. With the touch of a button, your company's confidential or proprietary documents can be on their way into the public domain.
All the risks are multiplied because more employees are using IM in the workplace than employers probably are aware. Virtually any Internet user can register for free IM service and be chatting in real time with friends, co-workers and clients in minutes. Most messages sent by IMs are not automatically saved to a system or otherwise backed up, which leaves employees to selectively save or print their incoming and outgoing IM communications and use them out of context for self-serving purposes, such as building a harassment or discrimination case.
Blogs
Web logs, known as blogs, are personal journals or diaries posted on the Internet. Blogs are created to continuously update a group of people or the public about the personal events in the blogger's life. Recent estimates from several online resources suggest there are more than 60 million blogs and more than 400 million Web sites that include some form of discussion on blogs. In contrast to personal diaries or journals, most blogs are available for viewing by anyone with access to a computer and Internet connection (some blogs may be restricted, for example, by password protection).
Many blogs also allow readers to post comments, which may then, in turn, be viewed by anyone who accesses the blog—a potentially limitless audience. Blogs are limited only by imagination. It should come as no surprise, then, that many individuals use their blogs as a place to vent frustrations with their jobs, employers or co-workers. As a result of the endless types of information bloggers can and do post, blogging, like IM, raises a number of concerns for employers.
For instance, blogging can result in the widespread exposure of confidential or negative information about your company, specific employees and clients. Such exposure could generate ill will or negative publicity that is difficult to counteract. It also could expose sensitive data to the public. Many employers have expressed concerns that blogging detracts from productivity, particularly when employees access blogs during work time using their employers' systems.
Such use can be disciplined only if detected and proper policies are in place. Indeed, many employers have turned to "doocing," the term used for terminating an employee for inappropriate blogging activity, only to be subjected to wrongful termination claims by the terminated employee.
Monitoring employees
As the cost and accessibility of technologies used to track and monitor employees has decreased, their use by employers has increased dramatically. More employers rely on electronic technology to "supervise" employees while on the job—both indoors and outdoors—which permits employers to acquire large amounts of specific data concerning employee performance or productivity. The use of such technology invariably is accompanied by increased tension between employers and employees and by resentment based on employee perceptions that the monitoring infringes on their privacy.
Devices such as video cameras and Internet site visitation records are common means of employee monitoring. But they have been supplemented in recent years by more sophisticated technology such as keystroke software, which allows employers to obtain a record of every key entered by an employee in the course of the workday; GPS software in employer property such as vehicles, equipment and cell phones to track employees' locations in real time; smart cards that can track employees' movements through the workplace (allowing employers to determine, for instance, how long an employee was in the bathroom or break room); and packet-sniffing software that allows employers to track most employee communications on the employer's network.
One company, VeriChip Corp., Delray Beach, Fla., has gone as far as developing a radio-frequency identification system the size of a grain of rice that actually is implanted in an individual's arm and used to track the individual's movement.
Because data gathering and processing through these techniques is quick and fully automated, it might be tempting to rely excessively on the results even though employee productivity or conduct might not directly relate to the specific data collected.
Cyber liabilities
A multitude of federal and state laws prohibit various types of discrimination and harassment, and recent court decisions firmly establish employer liability for such unlawful conduct directed at employees through the employer's electronic communications systems, whether by a co-worker or third party. Indeed, such cases may be more difficult to defend because technology has permitted the rapid dissemination of unlawful content to a vast number of people while leaving a damning trail of digital evidence.
The concerns are the same regardless of the technology used as long as the technology enables an individual to convey a message or image to an employee that happens to include harassing or discriminatory content.
For instance, a male supervisor who regularly views and jokes about Internet pornography with co-workers, even within the confines of his office, may lead to a justifiable claim of a hostile work environment against the employer by a female employee who works in the same area and regularly observes the conduct—even if the pornographic content is not directed at her.
The same holds true for a client or vendor who repeatedly sends pornographic images accompanied by inappropriate and unwelcome comments to an employee. You are equally responsible to prevent such harassing conduct directed at employees even if the perpetrator is not an employee.
Recent court decisions suggest employers also may be held liable to third parties as a result of an employee's misuse of workplace technology.
In one case, an employee used his company's computer system to upload nude pictures of his stepdaughter onto pornographic Web sites. The child's mother (the employee's wife at the time) sued the company on behalf of her daughter for the harm the daughter suffered as a result of the employee's actions. Although the employer suspected the employee was improperly using the company's system, had information that some of the Web sites visited may have contained child pornography and had even warned the employee against engaging in such behavior, the court held the claim was valid and could proceed.
The court's decision was based on the employer's failure to investigate the employee's activities and take prompt, effective action to stop the unauthorized activity. Warning the employee not to use the company's system for improper purposes was not enough in the court's view to satisfy these legal duties.
This decision sends a clear message that you cannot idly stand by or ignore employees' actions vis-à-vis your systems, particularly when those actions have the potential to harm another individual. You can and, in many jurisdictions, will be held responsible for failing to enact effective policies and supervise and regulate employees' actions and use of company equipment.
Protecting information
You must pay particular attention to preserving confidential or sensitive information, such as Social Security numbers and financial information, particularly when so much information often is not secured properly and is readily available for other employees or cyber thieves to exploit.
Under negligence theories, courts have imposed on employers the duty to protect such information and awarded damages stemming from breaching that duty. In one recent case, identity theft victims recovered damages from their employer after a co-worker accessed personal information from the company's systems to open credit cards, purchase cell phones and rent apartments. The employees claimed their employer failed to implement adequate safeguards to prevent access to personnel information.
In another case, a court affirmed a jury award of $275,000 to employees who filed suit against their union after a union official's daughter acquired personal identification information from union membership records to steal the employees' identities.
In these types of cases, employers are held to a "reasonable" standard of care, meaning they must reasonably monitor, investigate and remedy any workplace misconduct involving the misuse of technology to misappropriate confidential information.
Trade secrets
Adequate safeguards to ensure the proper use and access of workplace technology also are required to protect your intellectual property rights, including trademarks, trade secrets, and any other company-specific confidential or protected information. Theft of trade secrets (such as technologies, business or strategic plans, financial documents or client information) and the infringement of trademarks or copyrights are not difficult if appropriate safeguards are not put into place. An employee may need only a few minutes to access your network and download confidential data onto high-capacity, portable, writeable media such as flash drives and DVD-ROMs or circulate it to competitors or the public.
Unions and free speech
Employers with unionized work forces also must consider the National Labor Relations Act, which limits employer policies restricting employee use of technology and the technological tools employers may use to investigate misconduct and discipline employees.
The National Labor Relations Board (NLRB) has, to some degree, defined the scope of these limitations in recent decisions addressing workplace technology.
In one case, a company installed hidden video cameras where it suspected employee misconduct without notifying the union. During the first month of surveillance, the cameras revealed 16 employees engaged in various forms of misconduct, ranging from urinating on company property, smoking marijuana or taking breaks during work time. The employer notified the union and either fired or suspended all the offending employees. But NLRB concluded the employer violated the law by unilaterally installing the cameras without first bargaining with the union.
NLRB's holding in this case suggests other types of monitoring technology, such as GPS software in company trucks or cell phones, cannot be installed if used to track and discipline employees unless the employer first bargains with the union. Many unions and employers have compromised by agreeing to the installation and use of such technology but imposing restrictions that the data collected from monitoring technology may not be used as the sole basis for disciplinary action.
In previous decisions, NLRB has held that an outright ban of nonbusiness use of workplace e-mail is overbroad because a computer network constitutes a "work area."
In late March, NLRB held oral arguments in a case that addresses employers' rights to restrict employee access to systems for nonbusiness use. Depending on NLRB's forthcoming ruling, you may need to review and update your technology usage policies to ensure proper compliance.
Tips
Although there are many risks associated with employee use of technology, there are just as many ways for you to effectively manage their use.
Adopting and implementing a comprehensive technology usage policy that clearly communicates to employees the rules and expectations associated with technology is one way. A policy should articulate your company's stance on the various issues raised by the technology's use. Key components of such policies include:
In addition to a general technology policy, you should either adopt a blogging policy or include a section in your general usage policy that specifically addresses blogs. The policy or section should explain your approach to blogging during work hours and, regardless of that approach, should at minimum define "blogging" and its distinguishing characteristics because some employees disciplined for blogging have claimed they did not understand their blogs would become so widely available.
Generally, if blogging occurs during business hours, you have some latitude to discipline or terminate employees for inappropriate blogging activity. "Off-duty" blogging usually does not pose significant concerns for employers. However, if a blogger publicly discloses confidential information or undermines your company's public image, discipline may be appropriate and necessary as long as it does not violate whistleblower or other laws. Of course, such discipline must be in accordance with well-implemented and maintained technology and blogging policies.
Generally, a blogging policy or section should contain the following provisions:
Additional terms may be necessary depending on the company and any particular sensitivities relating to confidential and proprietary information, staff access to technology, particular types of technologies used and a company's systems.
Once you create a comprehensive policy that suits your company's specific technology needs, the job has only just begun. Effective dissemination and education of the policy is essential to any company's success in overcoming the risks associated with new technologies while still harnessing the increased capabilities and productivity that the use of such technologies affords. All employees must become aware of their duties and responsibilities when using technology. Managers must be trained so they are fully apprised of what activities are allowed and committed to consistently and even-handedly enforcing the policy.
Plainly, technology is here to stay. It is a desirable and valued tool in the workplace. Employers simply need to institute proactive, affirmative measures to understand the technologies existing in their workplaces and their various possible uses and take the necessary steps to ensure appropriate protections are in place. This requires the collaborative efforts of all facets of management; otherwise, an employer's technology will be vulnerable to misuse and abuse and the technology usage policy won't be worth the paper (or hard drive) it is written on.
Victoria L. Donati and Jason C. Kim are partners in the employment law group with the Chicago-based law firm Neal, Gerber & Eisenberg LLP.
COMMENTS
Be the first to comment. Please log in to leave a comment.