Chuck Krugel Interviewed for & Quoted in Internet Evolution’s “Policies Protect Employers Against Privacy Intrusion Claims”

29
Nov
2012
Posted by: charlesakrugel  /   Category: Business Ethics / Business Management / Charles Krugel / Employment Law / Human Capital / Human Resources / Interview / Me in the Media / Media / Policies   /   No Comments »
Share

Thanks to reporter Christine Parizo for interviewing & quoting me for her 11/15/12 Internet Evolution (“The Macrosite for News, Analysis and Opinion about the Future of the Internet”) article Policies Protect Employers Against Privacy Intrusion Claims. The article is available in the prior link & below. Also, I’ve included all of the readers’ comments through today. This includes my own responses to a couple of the comments.

Policies Protect Employers Against Privacy Intrusion Claims

Employees don’t just use the Internet to get sports scores and play games anymore. Their medical records and financial information are readily available online, and while employees may use the Internet at work to confirm their cholesterol test results or verify that their direct deposits went through, others might use it for more nefarious purposes.

But even if workers’ online use is completely innocent, employers need to guard themselves against claims of invasion of privacy and discrimination, according to experts.

Every company needs an acceptable use policy that clearly alerts employees that their electronic communications and activity are not private, legal experts agree. As Phillip Matlin, a partner at Los Angeles-based law firm Gordon & Rees, emailed me: “The business may monitor everything the worker does on the business’s computer as long as the employer publishes and circulates a clear policy alerting employees that computer and Internet use are not private.”

This policy protects the employer if an employee’s Internet use is not so innocent, such as if an employee is accessing someone else’s personal financial information, he added. In fact, employees should consider everything owned by corporate, says Elliot Lasson, adjunct professor of Employment Law at the University of Baltimore. “Generally speaking, anything that an employee does while on-the-clock on a company work station is property of the company.”

However, not all employees know this or expect it, which is why companies must have an acceptable use policy and get employees to sign it.

Employers need to be as explicit as possible regarding the use of company equipment, Charles Krugel, a management-side labor and employment attorney based in Chicago, told me. They also need to specify that if employees still use the company’s resources for personal use, there is no guarantee of privacy, and they do so at their own risk, he notes.

Resources also include company-owned WiFi networks, which Krugel says create their own issues when employees connect their personal devices: “You end up with the issue of whether or not it’s a secured network.” Within their policies, employers need to state that the network may not be secure for personal purposes.

Then employers need to enforce these policies consistently to avoid problems, says Krugel. “If you’re an employer who is worried about protecting yourself from legal liability or exposure, consistency will be key, especially when it comes to electronic communication.”

That consistency will help companies in the courtroom if an employee ever brings a privacy invasion or discrimination lawsuit.

Still, even if companies have ironclad policies in place, there are always employees who will disregard them. In addition to disciplining employees, Alix Rubin, an employment lawyer based in West Caldwell, N.J., advises companies to stop tracking data immediately once they notice an employee is accessing sensitive personal or financial information from a company-owned computer.

“In addition, the person conducting the monitoring should not be the employee’s supervisor or anyone in the employee’s chain of command who has the authority to alter the employee’s terms and conditions of employment,” Rubin cautions. This helps companies avoid discrimination lawsuits.

In the end, a comprehensive written policy will help protect companies — but make sure your attorneys have vetted the document before you turn it over to employees.

How comprehensive is your Internet use policy? Have you had problems with employees accessing sensitive data on company time?

— Christine Parizo is a freelance writer specializing in business and technology.

Comments

Current display:       chronological order
DukeW
IQ Crew
Thursday November 15, 2012 9:38:27 PM
You would think that people would do the right thing automatically.  They would not use company assets or company time to do personal work, especially if that “work” skirts legality.  You might think that, but you would be wrong.  People do some pretty thoughtless and even illegal things on your network every day, and if you haven’t told them it’s stupid and wrong, well, they can honestly say they didn’t know any better.  Ridiculous, but true.  That signed policy is your Get Out Of Jail Free card on the off chance that an employee does something that would attract the attention of, say, the Justice Department, or creates an unpleasant work environment, or any of a dozen other annoyances and vexations to the spirit.  Just because they shouldn’t doesn’t mean they won’t, so protect yourselves, while you still can.  It puts me in mind of a very old Doonesbury cartoon, in which the head of the law school is standing at a podium explaining that they had to put together an ethics curriculum because some lawyers just weren’t “getting it.”  Putting his face in his hands, he intones, “Right and Wrong 101 is one such shot in the dark.” Don’t be that guy.  Save yourselves, before it’s too late.
NicoleH
IQ Crew
Thursday November 15, 2012 9:50:06 PM

The company I work for definitely is strict on this policy.  During the first week of your new hire period and periodically afterwards, you login to the online learning management system and read the policy and acknowledge it.  So whether you actually read it or not, once you check the acknowledge button, it is tracked in your curriculum history.  So if there is ever a question, the company can say that you were aware of the policy.  Also, several of the social websites that people would typically go out to is blocked and of course all traffic is being monitored.

asanka.geek
Rank: Cave Painter
Friday November 16, 2012 3:38:42 AM
I dont have that much of faith in policies especially the ones which have been implemented via online since those policies do cover every aspect on paper but nothing when it comes for practical issues.
slfisher
Thinkernetter
Saturday November 17, 2012 10:43:34 PM

between “professional” and “personal.” I write about politics and computers, and a bunch of my friends are involved in politics and another bunch are involved in computers, so I end up with a lot of interesting ideas and contacts by surfing Twitter and Facebook every day.

It’s one thing to bring one’s own device and use the corporate network to do one’s “personal” stuff, but what if one brings a device that has its own data plan? I think that’s going to be more of a problem going forward, trying to secure that — and that’s the question I hae about the whole General Petraeus incident, how much that was a factor.

nasimson
Thinkernetter
Sunday November 18, 2012 5:57:52 AM
Do you really think employees will consider these policies while bringing any privacy invasion or while using the company’s internet for some personal work??
i don’t think so, because signing the policies  has now become a formality rather than an oath as employees do not have any other option except to accept the terms and conditions of a company.
so if companies want to be more secure they have to take some major steps rather than just presenting a policy infront of an employee at the time of hiring.
stotheco
IQ Crew
Sunday November 18, 2012 7:04:43 AM
In our firm, most social networks are blocked. I agree with this decision, because it doesn’t really do anyone much good if the employees are posting on Facebook or checking status updates during work hours. I think the periodical agreement policy pop-ups and reminders are a good idea on the side of the company; it’s like their insurance in the future if ever an issue ensues and cases have to be settled.

Good suggestion, Christine. Along with the comprehensive written agreement, I’d go for a virtual one as well.

 

 

cparizo
Thinkernetter
Sunday November 18, 2012 2:19:37 PM
It would be really nice if everyone did the right thing… but they don’t, unfortunately. Sometimes an employee has to verify a doctor’s appointment or a bank deposit, but why that can’t happen over the phone on a lunch hour is anyone’s guess. (Really, it’s not that hard to find a quiet space during lunch, coming from someone who worked in what felt like a zoo. Stairwells are nice and quiet. Dirty, but quiet.) It’s just how this day and age is…
DrT
IQ Crew
Sunday November 18, 2012 2:47:05 PM
Acceptable Use Policy is one thing but now that we have to embrace BYOD, we know one thing for sure, this concept will get more complex. Employees would accept privacy in their own devices, it will not be like employers will be able to enforce everything they need. Separation of business app/data and personal app/data will play a key role in finding a right solution.
Mitch Wagner
Thinkernetter
Sunday November 18, 2012 11:21:19 PM

DrT – The same question occurred to me — how does BYOD affect these issues? What if an employee accesses personal information on a personal device used also for work, with employer’s software on it?

And what about remote and home-office workers, who will use a mix of corporate and personally owned equipment. (For example, my employer here at Internet Evolution provides the notebook computer, but the keyboard, mouse, display, Wi-Fi router and Internet connection are all mine.)

cparizo
Thinkernetter
Monday November 19, 2012 7:49:35 PM
That’s a good point, @Mitch. What do you do with BYOD, or with telecommuters? Or even people who work from home on occasion, using their personal devices that are set up to access the company network?
Jason Adams
Rank: Cave Painter
Tuesday November 20, 2012 9:19:23 AM
@cparizo, good question and although it wasn’t directed towards me, I’d like to share my experience :). Anytime a device is used for work purposes, even if it’s BYOD, we have a form that needs to be filled out and signed basically stating that they agree that we have the right to that data and if something were to happen, we also have the right to wipe the device clean. If they don’t like it then we’ll issue a phone to them. This also applies to laptops, of course.
cparizo
Thinkernetter
Tuesday November 20, 2012 10:27:56 AM

Jason, that’s a good policy. I’m rather anti-BYOD for that reason – what if my phone (full of quirky kid and pet pics and craft snapshots) were wiped, then I found it under my bed or something with a dead battery? Or I decided to download a banking app to check my balance or pay bills? Too many risks to my personal device, I say…

Jason Adams
Rank: Cave Painter
Tuesday November 20, 2012 10:48:29 AM
I’m with you on that. I too keep a lot of things on my phone that I would not want to lose. But, as a precaution, I also use the Cloud backup that Apple provides with the iPhone and keep all pictures backed up on my computer. The one beauty of the iPhone is how easy it is to restore it if something happens.
syedzunair
IQ Crew
Tuesday November 20, 2012 12:12:52 PM
cparizo:

Look at the flip side. With BYOD you could do a lot work on the go and you might not necessarily be confined to the office space for your work.

Using web based applications will solve the issue of wiping the phone if it is lost. If the corporate data is being kept on the web wiping the phone might not be required.

 

Mitch Wagner
Thinkernetter
Tuesday November 20, 2012 11:50:52 PM

Keeping a backup of the device is a good policy, particularly for employees who practice BYOD.

Of course, that undercuts an employer’s phone-wiping policy.

Mitch Wagner
Thinkernetter
Tuesday November 20, 2012 11:52:14 PM
Sandboxing has potential to solve some BYOD problems. Employers would run their apps and store data in a sandbox on the BYOD device. Or vice-versa — employees could run their own apps and store personal information on the employer’s device.
Mr. Roques
Researcher
Wednesday November 21, 2012 2:48:46 PM
Where do employers draw the line? Should they stop people from accesing their personal email account or should they read the emails? Can they?

Also, what if they find something criminal, should they act right away?

 

Mitch Wagner
Thinkernetter
Wednesday November 21, 2012 8:51:52 PM
Mr. Roques, I expect that if employers find evidence of criminal activity they are required by law to act immediately.
Usman Ejaz
Rank: Cave Painter
Saturday November 24, 2012 9:40:13 AM
BYOD solves a lot more problems than it gives rise to and as such, in my opinion should be encouraged. Employers, from what I’ve seen are more threatened from issues arising from the use of BYOD than the employees. whatever policy is determined, employees need to be taken into confidence before enforcing it otherwise there’s risk of employees flouting it.
syedzunair
IQ Crew
Sunday November 25, 2012 9:39:20 AM
Scheduled backups could make life a lot easier for employees who practice BYOD. The data cleansing activity will still be debatable if some data is still resident on the phone. Unless, everything goes to the cloud or to corporate servers the companies will not be satisfied and will resort to remote wiping.
charlesakrugel
Rank: Cave Painter
Monday November 26, 2012 10:26:50 AM
This isn’t legal advice but, as a general rule, employers shouldn’t read employees’ personal emails. However, if an employee is using an employer-monitored, it’s very likely that the employer will end up reading those personal emails.

Employers shoud have a clear & easy to understand policy that if employees use company owned or operated IT, then employees should have no expectation of privacy. Moreover, if the employer learns that an employee MIGHT be using company owned/operated resources for criminal activities, those activities will be IMMEDIATELY reported to the proper authorities. Should an employer ignore possible criminal activity, it risks exposure & liability for negligence or even criminal charges; when in doubt, act right away.

 

Kim Davis
Thinkernetter
Monday November 26, 2012 12:40:56 PM

I agree, Mitch.  The policy approach seems clear and simple, but confusion exists not only between devices (does a personal device become a work device when it’s used for work?) but between accounts.  Policies need to get into nitty gritty detail…

That is, if they’re needed at all.  I’m not an attorney, but I should have thought the law governs what employers can and can’t review and respond to; a policy isn’t going to change that, is it?

 

charlesakrugel
Rank: Cave Painter
Monday November 26, 2012 6:04:04 PM
You’re right to an extent. The policies are primarily to protect the employer because government enforcement agencies like the Equal Employment Opportunity Commission, the National Labor Relations Board & the Department of Labor demand that employers put such policies in writing (even if employers aren’t legally required to do so). In those agencies’ minds, if it’s not in writing, then it doesn’t exist.
Share

No Comments



Please leave these two fields as-is:

  • StatCounter

  • “People @ Work”

    www.flickr.com
    This is a Flickr badge showing public photos from charlesakrugel. Make your own badge here.


    See My "People @ Work" Photo Series (photos from the early 1900s to the present). Just click on the Flickr Badge, click here or on my "Pictures" page link above.
  • Member-2015 Workforce Magazine Business Intelligence Board