<iframe src="//www.googletagmanager.com/ns.html?id=GTM-NQZ8BZF&l=dataLayer" height="0" width="0" style="display:none;visibility:hidden"></iframe>

Internet Access: Should Your Company Restrict Employee Internet Use?

Article

In-Sites

September 10, 2001

Companies must craft Internet access policies with care.

The Internet contains a treasure trove of information on all conceivable subjects. Lawyers can use it to find local, state, and federal government information ranging from the most recent decisions of various courts through current statutes and regulations; corporations can find information on competitors and products; investors can find securities information; researchers can find statistical and socio-political material; and administrative assistants can access numerous phone and informational directories and arrange for travel. A current FIND/SVP American Internet User Survey estimates that there are 27.7 million adult Internet users who currently use one other Internet application besides e-mail. With all this, however, there are potholes in the information highway, and companies who send their employees out to cruise the net and look for data should be aware of these pitfalls and plan on how to deal with them. There are at least four major concerns in allowing employee access to the Internet: productivity, security, reputation, and liability.

Godzilla vs. Gigan?

Many companies fear that if they allow their employees freedom to surf the Web they will spend their time in chat rooms discussing the relative strengths of Godzilla vs. Gigan, or visiting sports sites for the latest stats on their favorite teams, or downloading cake recipes, or, to press that perennial public opinion hot button-visiting porn sites. These are legitimate concerns. Negotiating the information super highway is time consuming enough without succumbing to the siren call of the latest Dilbert cartoon strip. Nonetheless, just as it is impossible to become a good driver without practice, it is nearly impossible to become an efficient websurfer without some detour and frolic to the food and sports sites.

That being said, a company should still be concerned about the sites being visited by its employees. They can inadvertently download viruses and other Trojan horses. Recently, there was a news story about individuals who had responded to promises of free X-rated pictures from a Web site. To view the pictures, one had to download viewer software that surreptitiously tumed down the dial tone on the accessor’s modem and rerouted Internet access through Moldova, an Eastern European country. The rerouting was not discovered until receipt of the telephone bill with huge international long distance charges.

According to the Federal Trade Commission, consumers were defrauded of about $1 million in this scam. Although no networks reported being victimized by this scam, technologically it could be done. Indeed, the Federal Bureau of Investigation reports that nearly half of the 5,000 universities, Fortune 500 companies, and federal offices polled suffered computer security breaches in 1995.

“Cookies”

Companies should also be concerned about what sites their employees are accessing because some sites capture the addresses of their visitors. Your company may not want to be known as a visitor to sites offering sizzling pictures or recipes for overthrowing the country. Thus, a company’s reputation and good will potentially could be damaged by the sites visited by its employees. Moreover, the Web site can collect identifying information from the visitor even without formal registration.

Some Web sites create what are known as “cookies,” data files created on the visitor’s computer that record the trail of Web sites visited, on-line purchases, and private information. Furthermore, if an employee visits chat rooms and identifies himself as an employee of a specific company, it could be embarrassing, or a potential basis of liability for the company, depending upon what the employee has posted.

Downloads

There is also potential liability for a company based on the activities of its employees in downloading material. Employees who download offensive material and expose co-workers to it could subject the employer to liability.

While this is no different from employer liability for sexual harassment or hostile workplace liability, the problem is enhanced by the technology. Offensive material can be downloaded and circulated by e-mail very quickly. A 1996 American Management Association survey found that “sexual harassment situations are affecting a growing number of U.S. companies.” The internet could add to this problem. In a survey conducted in 1991, 52 percent of responding companies reported receiving at least one sexual harassment report. In the 1996 survey, the number had grown to 73 percent. In addition, if an employee downloads and circulates copyrighted material the employer could be subjected to liability for copyright infringement. For these reasons most companies adopt a policy on e-mail use that includes the right of the company to monitor employee e-mail.

Protection

With all of these pitfalls, what can a company do to protect itself? Some companies avoid the problem entirely by denying physical access to the Internet to all but a few select employees. This is rather draconian, and deprives employees of tools that can enhance their productivity and utility to the company. Short of complete denial, there are three basic protective strategies:

  • develop a company policy on Internet access and usage
  • monitor usage with monitoring software and
  • block access to prohibited sites with blocking software.

At the very least, a company should develop and circulate a company policy on Internet access and usage that clearly alerts employees to what usage is allowed and what is prohibited. Computers and, in particular e-mail and Internet access, are business tools that belong to the company and are for legitimate business use, which may be monitored. Saying this clearly in a company policy helps defend the company against invasion of privacy claims. In addition, although an Internet usage policy will not actually control employee behavior, if a problem develops, the company will have company guidelines for imposing discipline and asserting a defense, if the employee’s activity subjects the company to potential liability.

A more intrusive step is to install monitoring software that allows you to monitor what sites your employees are visiting or trying to visit. If you take this step, you should carefully investigate the software you wish to use; not all of the monitoring packages give you the option of creating reports. In addition, if your company is going to take the step of monitoring, it has to decide what it will do with the results. Just monitoring with software and doing nothing with the resulting information opens you up to a claim that the monitoring was done negligently in the event there is a problem. Monitoring software can provide a false sense of security. At the minimum, it should be coupled with and consistent with a formal written policy on Internet access.

The most effective step is to block access to objectionable sites. Many blocking products provide lists of objectionable sites and also allow you to add your own. In addition, because new sites are being added to the Web all the time, you will want a blocking software that provides periodic updates.

It is important to keep in mind that it is easy to stumble across objectionable sites innocently and inadvertently. The links from one site to another do not always clearly describe the destination site. In addition, search engines that are based on word searches, are extremely literal. Even the most benign search can turn up unwanted sites. As an example, I was searching for product information on timber swing sets. Using wordbased search engines turned up a massive number of obviously X-rated sites, along with one or two legitimate playground equipment manufacturers.

In sum, it is key that a company develop and distribute a company policy on what is acceptable and unacceptable. The company should enforce the policy. Monitoring employee usage may be appropriate and blocking access to certain types of sites should also be considered.

Reprinted with permission from Director’s Monthly, August 1997, Vol. 21, No. 8.