Why a Policy is Needed - Case Study Example

Why a Policy is Needed? 1. Why a policy is needed? Breach of confidentiality A point of view exists that application of a policy that prevents Internet misuse at workplace sufficiently hurts employees’ confidentiality. But there is another opinion, that absence of such policy damages employers, or corporative confidentiality as well. Bassett (2002, para. 7) brings an example, when an employer stumbles across an employee's credit report or medical information. As employees spend many hours at work the ease of conducting some of their business via e-mail or the Internet, such as, for example, banking online may become a convenience that they are not able to forget. The result is that information that employees might prefer to keep confidential may be exchanged over the employer's network. Answers to these questions are, obviously, well beyond the scope of this article, but the questions do serve to highlight some of the issues that may concern employees about having their online activities monitored at work, and give some insight into the kind of interests for which employees might believe that they are entitled to legal protection of their privacy. In May of 2001 one group of employees, after discovering that their e-mail and Internet use was being monitored, even ordered staff to disable the monitoring software. (Bassett, 2002, para. 8) I think they were right, because the employer did not let them know about the monitoring software, and there wasn’t any Internet use policy in the company. On the other hand, if the policy that prevents Internet misuse at workplace exists, it makes employees think what private information about themselves they are ready to reveal to the management. Damage to reputation Also reputation of the company may suffer from thoughtless employees’ activities. Hines and Cramer consider reputation as a key component of any organization’s intellectual asset portfolio. Damage to reputation can mean huge differences in customer allegiance, shareholder confidence, sales and the bottom line. (Hines and Cramer, 2003, p.1) Really, employees can use Internet to disparage their existing or former employer. Internet chat rooms, bulletin boards, live journals and other Web sites can be used for this. They provide opportunity to communicate anonymously, at no cost and to an unlimited audience. Hines and Cramer note that technical and financial risk management tools are relatively ineffective for protecting reputation, and corporate defamation is frequently caused by existing or former employees, and that’s why organizations should focus more on protecting valuable reputation assets through the normative control – specifically, improved employment practices and education of employees. (Hines and Cramer, 2003, p.2) Lost productivity Intensive use of Internet at workplace with private purpose also causes productivity loss. Center for Online and Internet Addiction cites following statistics: Nearly 55% of workers are exchanging potentially offensive messages at least once a month (PC Week). Online industry analysts predict that Internet misuse will cost companies an estimated 1 billion dollars in lost productivity (Newsweek). In a recent survey of 224 firms that utilized monitoring software, 60 percent of the managers said they had disciplined employees for online misuse, and 30 percent had fired people for such behavior, which included downloading pornography and shopping and gambling online (Websense Security Software). 47% of employees send up to 5 personal emails per day, and 32% send up to 10 personal emails daily, and 28% receive up to 20 personal emails per day (Vault.com). Almost one in five people go to cybersex sites while at work (MSNBC poll, June '98). Recently a major US computer manufacturer installed monitoring software and discovered that a number of employees had visited more then 1,000 sexually oriented sites in less than a month. Twenty people were fired for misusing company resources (USA Today). 68% of companies characterized messaging misdemeanors as widespread, with losses estimated at USD$3.7 Million per company a year (Datamation). Employees from the top technology firms including IBM, Apple Computer Inc., and AT&T have accessed Penthouse thousands of times each month (Nielson Media Group, ’97). 52 of the Fortune 100 companies have an Acceptable Internet Use Policy (The Aberdeen Group). 58% of employers who monitor do so to control recreational use; 47% do so to reduce bandwidth abuse, 47% hope to eliminate downloads of pirated software, and 33% hope to reduce sluggish Internet connections due to recreational use. (PC World) ("Dealing with Internet Misuse in the Workplace", n.d., para.3) Despite these concerns, full-scale computer audits are completed by less than 25% of US companies. This means that more than 75% of US companies work much less effective and don’t get additional profit because their employees use Internet at workplace with private goals instead of their direct duties. Legal liability Hines and Cramer name two potential defendants in a cybersmear: the speaker and the operator of the service displaying the defamatory content (e.g. the portal, listserv, Web site, ISP, bulletin board, chat room, etc.). Bringing claims against either defendant can be highly problematic for two reasons: difficulty of detection and the right to free speech. (Hines and Cramer, 2003, p.2) It’s extremely hard to find the persons who cause damage to company’s reputation, but it’s harder to call them to account for the damage. It is not always easy to convince the court that some specific person is really guilty in cybersmear. Additionally, when employees download various files via the Internet (e.g. software, data, music, pictures, video etc.) whether intentionally or unintentionally, they may break the intellectual property rights of third parties, revealing the organization to possible legal action. Damage to IT systems and electronic files Misuse of Internet can damage IT systems or electronic files, change or corrupt information at the computer. It’s not a secret that some Web sites, such as gambling or porno sites leave cookies, plug-in or other uninvited information or programs at user’s computer. The majority of computer viruses, that also can harm information or even computer hardware, are also spread via shady Web sites. Other viruses are spread via uninvited e-mails with attachment. Principle of their work is a message with request to open an attachment or visit a Web site. When recipient does it, a virus is downloaded to his or her computer. Then the virus can be executed or copied to the operational system of the computer. So employees who browse gambling or porno sites or read uninvited e-mails compromise their computers, operational systems and files to be a victim of computer viruses. Increasing IT network traffic Personal use of the Internet may occur when employees download resource intensive Web pages or large files (e.g. software, data, music, pictures, video etc.), which take up unnecessary network bandwidth. It can have a damaging effect on business related network traffic, especially on smaller networks. No one company is obliged to pay for content, which is not useful for direct corporative activity, but various studies name from 50% to 70% of total network traffic, is used for personal goals. 2. Legal challenges of implement a such policy Personal rights Association for Progressive Communications states following personal rights: Right to access: We believe the right to communicate is a fundamental human right. Rights related to access and use of the Internet and telecommunications are extremely important if ordinary people are to have their voices heard. Information Computer Technologies (ICTs) - and help to use them - effectively must be made available to all. Training to use ICTs: Most people need some training to be able to use ICTs to meet their needs. Local and national government and international organizations must support and promote the development of free or low-cost training methodologies, courses and materials for citizens on how to use ICTs for social development. Inclusiveness and usability: ICTs should be designed and developed to ensure that they are accessible to and easily used by marginalized groups, people who are not fully literate, minorities, and people with physical, sensory or cognitive disabilities. Innovations should promote the development of people's different capacities. Equity between genders: Strategies to provide access to ICTs need to advance gender equity by strengthening the economic power, access to education, freedom of mobility and freedom of speech of women. Access targets and efforts should protect and advance gender equality. Affordability: Governments must ensure that all citizens have affordable access to the Internet. The development of telecommunications infrastructure, and the setting of rates, tariffs, and equipment and software taxes, should work to make access a reality for all economic groups. Integration with media rights: Separate laws are not needed to regulate the Internet. The Internet should be regulated by the same laws that already govern other media to ensure compatibility between the laws in different media, and so that citizens and organizations have the same rights across all forms of ICTs (both new and old). Accessibility of public information: Government at all levels and international organizations must promote transparency by placing all the information they produce and manage in the public domain. They should guarantee that all information online is disseminated using compatible and open formats and is accessible to people using older computers and slower Internet connections. Rights in the workplace: Access to the Internet in the workplace must be permitted for the purposes of organizing, protecting workers' rights, and education. Developmental impact: Appropriately-developed Internet infrastructure should help create more egalitarian societies, and provide support for education, health, local business development, good governance and poverty eradication. We should not assume that all technological innovation is beneficial. Civil society organizations, governments and regulatory agencies should evaluate advances to Internet and other information and communication technologies for actual and potential positive and negative impact. (“APC Internet Rights Charter”, 2002, sec.1) Employees’ rights at workplace should be clearly stated. Implementing policy that prevents Internet misuse at workplace outlines personal rights of the staff and simultaneously informs them about restrictions. Privacy It is clear that most employees do not want to completely sacrifice their privacy at work. Typically employees’ access to the network and computer systems is password controlled. Privacy is reached by use of non-obvious passwords and changing them frequently. Employees’ personal passwords give them access to their files, e-mail account and to web browsing. This may give the impression that no one can access their files or monitor their activities on the network. Some staff may not be aware that system administrators are usually able to access everything on the network. ("Guidelines on Workplace E-mail, Web Browsing and Privacy", 2000, para.5) That’s why privacy issues should be clearly explained in the Internet use policy. Employees should know, in what cases their privacy is guarantied and what private information may be accessed by system administrators. Association for Progressive Communications states following privacy issues: Data protection: Public or private organizations that require personal information from citizens should collect only the minimal data necessary for the minimal period of time needed. Collection must follow a transparent privacy policy, which allows people to find out what is collected about them and to correct incorrect information. Data collected must be protected from unauthorized disclosure and security errors should be rectified without delay. Citizens should be warned about the potential ICTs have to manage the information they supply in order to prevent the misuse of their data. Freedom from surveillance: Citizens and institutions should be able to communicate online free from the threat of surveillance and interception. Right to use encryption: People communicating via the Internet should have the right to use tools, which encode messages to ensure secure, private communication. (“APC Internet Rights Charter”, 2002, sec.5) Unions’ point of view Delbar, Mormont and Schots note that the issue of privacy and the use of new technologies at the workplace are thus becoming increasingly important for employers and trade unions (though to varying extents). For example, at international level, Union Network International (UNI) - the global union federation for white-collar and private sector workers' trade unions - and its affiliates have been campaigning for some years on the issue of the protection of workers 'on-line rights' at work (EU0210205F). At national level, trade unions and employers/employers' organizations in many countries are increasingly issuing or proposing guidance, policies and codes of practice on workplace ICT use (see below under 'Social partner views and initiatives' for more information on these various initiatives). An indication of the significance that these issues are gaining at the workplace is provided by a survey conducted in the UK in 2002 by the solicitors of Legal and Personnel Today magazine. It claimed that UK employers spent more time disciplining staff over Internet and e-mail abuse than any other workplace issue. The three most commonly disciplined 'cyber crimes' were excessive personal use of the Internet or e-mail, sending pornographic messages and looking at pornographic websites. In a number of cases this has led to dismissal - most commonly in relation to the exchange of pornographic e-mails. International and European institutions are also paying increasing attention to the relationship between ICT and privacy at work, with a number of recommendations and codes drawn up by bodies such as the Council of Europe and the International Labor Organization (ILO) - for example, in 1996, the ILO issued a code of practice on the protection of workers' personal data, covering general principles of protection of such data and specific provisions regarding their collection, security, storage, use and communication. There have also been relevant recent cases in the European Court of Human Rights. Turning to the EU, in 1995 it adopted a Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data, which is relevant to the privacy issue in that electronic monitoring in the workplace can be treated as a form of collecting or processing personal data. More specifically, the European Commission has recently consulted the social partners on the protection of workers' personal data and now appears to be planning a draft Directive on the issue. At national level, a few countries have started to adopt or propose workplace-specific data protection/privacy legislation, while all countries have general data protection legislation in place (Delbar, Mormont and Schots, 2004-2005, para. 5-6) 3. Cost and benefits of implementing this policy In many companies access to the Internet was initially limited to a few people in the IT or marketing groups. Today, with a PC on every desk, many employees find themselves with access to the Internet and email but with little understanding of either the potential problems or the real benefits, which this can bring. Organizations therefore have to introduce Internet use policy to the employees. The purpose of implementing policy that prevents Internet misuse at workplace is to ensure that employees understand the way in which it should be used. This enables both employees and the management to gain the maximum value from the Internet, alerts them to the dangers that can arise to the company if the technology is misused, which may put the organization at technical or commercial risk. Also Internet use policy informs every one of the consequences of misuse by employees. The content of such policy depends on the needs of the organization and the expectations and requirements of its staff. Before producing an Internet policy, an organization must have developed an agreed strategy for using the Internet. Internet use policy needs to address the following activities: Looking for information on the Internet - browsing the Web Downloading information from the Internet Communicating via email, both internally and externally Working on the corporative website. The policy should form part of the standard organization policies and procedures document or handbook. They should be introduced and explained during the employee induction program. Where necessary, the policy should be reinforced during specialist training sessions. Internet use policy should give details of the penalties for breaking the rules for Internet use. Since the issues covered by the policy range from inconsiderate right through to illegal activities, the sanctions would similarly be expected to range from a verbal warning through to instant dismissal. Since employers are responsible for their employees' activities when using the Internet, the purpose of the policy is to minimize risk that may occur from Internet misuse by employees. The policy is intended to minimize loss concerned with breach of corporative confidentiality, damage to company’s reputation, lost productivity, legal liability, probable damage to IT systems and electronic files and increasing IT network traffic. Works sited "APC Internet Rights Charter". Association for Progressive Communications (APC). 1999 - 2005. November 10, 2005 Bassett, Morgan J. "An Overview of E-Mail and Internet Monitoring in the Workplace". Ford Marrin Esposito Witmeyer & Gleser, L.L.P. 2002. November 10, 2005 "Dealing with Internet Misuse in the Workplace". Center for Online and Internet Addiction. n.d. November 10, 2005 Delbar, Catherine, Mormont, Marinette and Schots, Marie. "New technology and respect for privacy at the workplace ". Institut des Sciences du Travail. 2004-2005. November 10, 2005 "Guidelines on Workplace E-mail, Web Browsing and Privacy". The Office of the Privacy Comissioner. March 30, 2000. November 10, 2005 Hines, John L. Jr. and Cramer, Michael D. "Protecting Your Organization’s Reputation Against Cybersmear". Legal Report published by Society for Human recourse Management. 1800 Duke Street, Alexandria, VA 22314. May-June 2003. 1-2 Read More