Why Employees Surf. And Why You Should Stop Them
Once you allow nonbusiness or non-IT-sanctioned applications to be installed, the network is at risk.
Employees are using the office network for personal use because they are working hard, and need to get other things done, often during work hours (56%). Others are surfing when bored. Monitoring personal Internet use may help identify those who are being under-worked or under-challenged. Deadwood who surf to fill their days are better off making way for someone who will actually do their job. Finding those who are good workers, but need some help balancing their work and private lives, also is a valuable byproduct of monitoring. Some employers are addressing these needs and reducing the stress level of valued employees by bringing dry-cleaning, postal, and other day-to-day services to the workplace to help their employees manage their personal lives.
Seventy-nine percent of those responding reported checking personal E-mail and instant messages from work. And most of those are using either their free Hotmail or equivalent accounts (30%) or their own subscriber accounts, such as AOL (26%). Forty-three percent are using their business E-mail accounts for personal correspondence.
Each nonbusiness use has its special risk-management problems. Employees permitted to use their personal E-mail or instant messaging accounts from work computers are using personal E-mail or IM applications on your system and may be accessing password-protected correspondence. Once you allow nonbusiness or non-IT-sanctioned applications to be installed, the network is at risk.
Network administrators need to have full control of everything on their network. In addition, unless the company approves software before installation, there's no guarantee that the software is legal, free of malicious code, or licensed, all of which could have serious security and legal ramifications.
And allowing password-protected correspondence, unless the employer knows the password and controls that access, is an invitation to litigation. Allowing password-protected correspondence also is often used as evidence that employees have reasonable expectations of privacy, which can then be problematic when the employer seeks to monitor and control Internet communications and use.
Then there's the problem of attachments, encrypted communications, and encoded E-mail (Web-bugs and the like), as well as spam clogging your network. So, the knee-jerk reaction is to block access to Web-based E-mail and instant messaging and prevent the installation of apps for AOL, MSN, and other subscription services. But that has its problems, too.
If employees still conduct personal E-mail communications from work, their only choice will be their business E-mail address. And that actually may be more of a legal problem than using a personal account. Third parties have relied on the use of a business E-mail account to sue the company itself when the employee does something actionable using that account. In addition, everywhere they surf, they leave your business IP behind. From downloading music on P2P sites (7% reported downloading music, software, or movies) to posting hate messages on bashing boards to sending sexually explicit E-mail attachments or messages, company execs may find themselves the deep-pocket defendant under respondent superior theories of liability. That's why most well-crafted acceptable-use policies prohibit all personal E-mail and IM correspondence. An employer, even if it wants to allow reasonable personal communications, may find itself between a rock and a proverbial hard place.
Some decisions are easy. Fourteen percent of those responding indicated that they used their workplace access to search for new jobs or compare compensation on their current job. Blocking access to the leading job-search sites is a quick fix to having employees rub salt in their employer's wound by wasting their employer's time and using that wasted time to find another job.
Six percent admitted to using the workplace computer to chat online. Web-based chat, Internet Relay Chat, and other chat applications can be easily blocked as well. (Besides not being terribly productive, chatting is ripe pickings for spam-harvesting programs.) The 14% who play games (including managing their fantasy sport teams online from work) can surf on their personal time by having access blocked to the more popular game sites. (Given that often good-natured wagers accompany the fantasy gaming, blocking access from work can limit legal risks as well.) P2P can be blocked for anyone not needing P2P access for work, thus reducing the risk that the Recording Industry Association of America will look into your employee's surfing practices.
So, how do you give your employees what they want and need without exposing yourself to legal and security risks unnecessarily? Several employers, recognizing the need for personal Internet use during the workday, have set up kiosks. These allow personal access outside of the workplace network and don't carry the same vicarious legal risks as using the company's network and IP address. Employees can then surf and access what they need, and send reasonable numbers of personal communications without jeopardizing the employer. The lack of privacy at the kiosks also minimizes the likelihood that employees will be doing something they shouldn't.
There's no easy answer here. But being flexible and trying to address employees' needs, while protecting your legal flank, is the goal. And asking your own employees what they think and what they need is a good place to start.
Return to main story, The Privacy Lawyer: Crack The Online Whip
Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law. She can be reached at [email protected].
About the Author
You May Also Like