This article by Stuart Adams appeared in Louisville Computer News March, 1999
The Internet is becoming the medium of choice for many businesses, for advertising, communications and commercial transactions. A high percentage of businesses had not figured out how to effectively deal with employee actions before the dawn of e-commerce. The telephone, office memo, fax, and copy machine have long been a veritable sieve in the unauthorized flow to the outside world of confidential company secrets and dissemination of inappropriate communications by employees.
Just as employees used to hide behind the anonymity of a "private" phone call, an unsigned memo, or suggestive cartoon secretly placed near the "water cooler," now there may be an even greater tendency to believe that the digital version of such communications will escape management scrutiny. In fact, electronic tools may provide more "bang" for the buck, but this isnt necessarily always a good thing.
Although many companies find it "essential" to give their employees nearly unfettered access to the Internet, both at work and away, such freedom does not necessarily always bring a corresponding compliance with regulations imposed by the employer. Even if the employer tries to curb or monitor such access, it may find that its employees are often just a little ahead of them on the learning curve. Just as many security companies are hiring hackers to help keep other hackers out of customer computer systems, some companies are finding "moles" placed by competitors, disgruntled or bored employees and other insiders to be their biggest nightmare.
WRONG TURN ON THE INFORMATION SUPERHIGHWAY
There are any number of ways under-restrained Internet access can harm a company. The damage can easily span the range from accidental to malicious. Some of these problems are:
Simply clogging the pipeline with non-business communications, as employees send e-mail to their college roommates and relatives, download (and perhaps store on company computers or storage media) huge graphics files, including pornography, music files and other non-business material. This takes up not only hard assets of the company, but also the costly time of the employees, who are perhaps avoiding long distance charges at home by using the Internet equivalent on the company "tab."
Further clogging of the network with spam received by the employee at work as a result of non-business communications, such as for vacation plans and other recreational or personal pursuits.
Subjecting the company to a whole host of criminal investigations for inadvertent hosting of such activities as online gambling, copyright violations, sexual harassment, pornography, etc.
Submitting the company to foreign jurisdictions for contract, tort and even securities claims. Case law and statutory law are still emerging in this area, but it is easy for a well intentioned employee to use electronic media, including e-mail, to build a case for a remote plaintiff to rightfully obtain legal jurisdiction over the company in a foreign country or even in another state where the business has not yet registered. Product liability and other negligence claims, sexual harassment, breach of contract, and sales tax implications can wind up being litigated in a remote jurisdiction as a result of the uninformed or under supervised employee "reaching out" to transact business or act in a negligent fashion somewhere the company never would have foreseen it would be involved.
Creation of the digital equivalent of the "paper trail" by sending and storing e-mail and attachments, can be devastating to a company. Bill Gates is today perhaps the classic example of this, as a reading of his e-mail will now show anyone in the world, who wants to see it online. It is now part of the governments antitrust case against Microsoft. The words he sent and received by e-mail regarding his competitors and internal strategic market tactics are now public record, viewable through many Web sites.
Downloading of viruses is an ever recurrent problem. Much of my time as a lawyer is now spent on the Internet sending and receiving documents with clients, co-counsel and others by e-mail. As invaluable a tool as this has become, it still bears the risk of "infection." Just last week a new anti-virus program I installed found what appeared to be a year old Trojan horse on my system, despite my subscription to one of the top "name" anti-virus programs and diligent updating of the latest virus patterns. I now have two programs checking out downloads, floppy media, (and probably each other) etc. but I still have to worry. I am, for instance, aware of at least one major local law firm that nearly got sacked by reading floppy disk data obtained from the adverse party during discovery. The diskette contained a particularly nasty virus. It had been scanned once by the "company" machine and found to be free of viruses. When one of the attorneys put the diskette in his machine, which had a recently installed additional anti-virus program from another vendor, all the bells and whistles went off. Had the file made its way onto the law firm network, it could have been lights out.
Another problem is the inadvertent creation of contractually binding obligations on the company by its employees. Most employees are trained in the supply chain of command and creation of appropriate documentation. The urge to grab that great price you found online for that part you must have to get the project back on schedule, may be leading to a "phantom" supply chain. Additionally, even if the transaction starts in regular channels, e-mail alterations of terms and conditions can lead to obligations the company would rather not have become involved in.
The ease of "broadcasting" e-mail messages has spawned a whole new wave of litigation. When two people talk by phone, they only have to watch out that no one is eavesdropping on them. When it is over, there is no real trace of the contents. With e-mail, however, jokes and other comments can be passed between multiple parties and end up being electronically stored automatically. Unlike telephone conversations and faxes, however, some of these conversations are re-transmitted with each reply to the previous message, creating a "string" of conversations that may span days, weeks or months. As a message has been copied to another party, the portion of prior messages (which may be way down the electronic page and off screen at the time) may also be inadvertently passed on to the third party. When that party, who has now been added on to the electronic conversation string, opens the e-mail from a coworker in his or her browser and scrolls down to earlier parts of the string they may find a racial epitaph, sexually suggestive remark or other comment which might be considered defamatory, or worse. If the company, for whom they all may work, fails to take action to prevent continuing dissemination of such offensive and possibly illegal communications, they may have liability. Very significant verdicts have been obtained. One example of this is an action filed against Morgan Stanley & Co. for $30,000,000.00 by two minority employees because of allegedly racist jokes sent over the companys e-mail by co-employees.
EMPLOYER LIABILITY FOR EMPLOYEE ACTIONS
Typically, an employer can be held liable for acts of an employee committed within the scope of their employment. They can also be held liable for acts committed outside of the scope, if the employer was negligent or reckless in supervising them. Additionally, there is the legal theory of apparent authority, which may come into play. This theory of employer liability for employee action arises when the employers own negligent act or inaction has aided the employee to hold themselves out to the public as having the authority to act on behalf of the employer.
DEVELOPING AND IMPLEMENTING AN INTERNET POLICY
Drafting and taking reasonable steps to enforce an employee Internet policy will go far to protecting the business from liability for inappropriate uses of the Internet by employees. The policy should:
advise employees that they are subject to it, without exception;
define what is or is not appropriate use of and behavior on the Internet or Intranet;
make crystal clear that the software, hardware and time involved in use of the Internet at work belongs to the company and not the employee;
state that the employee has no reasonable legal expectation of privacy in communications on the Internet, and that such communications, including downloaded material and e-mail transmissions may be routinely monitored;
define what level, if any, of personal use is acceptable, similar to personal use of a phone at work, keeping in mind that the employer may have to show a reasonable effort to enforce any guidelines it imposes;
define a specific written, uniform progressive disciplinary chain of enforcement of violations
require employee "consent" qualifying under laws such as the federal Electronic Communications Privacy Act, which generally prohibits the interception of wire communications unless one party consents;
requires the employees to properly identify themselves in all communications;
sets out procedures for all downloads and storage of such material.
There is certainly software available which would allow an employer to automatically screen and block many uses of the Internet by employees, in a way similar to that being used by parents to keep their children from inappropriate sites. How many people reading this article, however, had a co-worker download and perhaps print out the voluminous report by Ken Starr, when it was released over the Internet. I can tell you that I was in a clients office while this was being done by a secretary at the request of the owner, but I suspect some owners had the same experience without knowing it.
Keep in mind also that the Digital Millennium Copyright Act makes it illegal to alter copyrighted material, such as by manipulating graphic images or removing the authors name to incorporate in your "own" work. Employees eager to finish the report and incorporate data found on the Internet may easily be guilty of such violations. There are a wide variety of such potential illegal acts by employees which may come back to haunt the employer. With embedded identification of graphic images and the new Pentium III being released with an embedded identifying number, many of these acts may now be traced back to a company workstation.
CHAT ROOM BLUES
How many of your employees may be spending their time in non-business oriented chat rooms. With AOL and other services now allowing you to know who is online in real time, many employees may be tempted to try to catch friends and family while they are at work or may try to bridge a time zone issue through a chat room. When they send the e-mail message, however, will it carry "email@example.com" for the world to see as the home address? Obviously this presents a whole new wave of issues.
There may actually be some help for bad actions under your companys general liability insurance policy. If you are the boss, CIO or risk assessment manager, you might want to have your lawyer or insurance agent help you check out your coverage and exclusions. Quite often, harassment claims are excluded from such policies, although there are new policies coming out specifically for such matters. Check this out with your team of business counselors.
The Internet opens a whole new world of opportunity for business. Along with the open door there are new issues and challenges. As you explore, make sure you monitor the direction and extent of your employees exploration, and that of your competition to keep your company headed in the right direction.