It’s hard to stay ahead of the curve on creating technology use policies when what you want to govern changes at lightning speed. But keeping a broad, forward-thinking approach to such policies will help protect your company. Organizations need policies that govern employee use because each new technology opens a virtual can of worms full of legal, ethical, security and productivity issues.
“Technology is developing so quickly, and in so many directions, that any policy that goes into specifics about cell phones or e-mail or instant messaging is going to be out-of-date before it is written,” says John Greer, senior vice president of human resources at Smart Financial Credit Union in Houston, and vice chairman of the International Association for Human Resources Information Management board. “The policy has to be broad enough to deal with the issue of data privacy and other things without talking about the specific devices.”
Anthony J. Oncidi, a partner and chairperson of the labor and employment committee in the Los Angeles office of Proskauer Rose LLP, understands that frustration, but he cautions, “These technologies are not so revolutionary that you can’t get a bead on them.” Whereas cell phone technology is not going to change radically and texting might become richer in content, these factors should not deter technology-specific policies.
Organizations should address policy on two levels, says Kent Anderson, managing director of Envurve LLC in Portland, Ore., a technology risk and security management consultancy. He encourages companies to develop a general framework that deals with privacy, appropriate use, intellectual property protection and other broad issues, as well as statements detailing practices for each technology. The statements should be reviewed at least once a year, preferably twice, and in some cases quarterly in organizations that are quicker than others to bring on new technologies. Anderson and others say the responsibility for these policies falls to many stakeholders.
Below, Oncidi and Joseph L. Beachboard, a partner in the Los Angeles office and chair of the client services committee at Ogletree, Deakins, Nash, Smoak & Stewart PC, examine some flash points in technology policy, discuss common risks and offer some guidance.
E-mail continues to be fraught with legal, ethical and productivity issues. One problem: Users think of e-mail the way they think of oral communication—as informal, not as a medium that sticks if the wrong words come out. But written e-mail, stored on hard drives, is not like oral communication: A wrong word or phrase offered inadvertently, mischievously or angrily can have legal repercussions.
Who Should Develop Technology Use Policies?
Many stakeholders should be involved in creating employee technology policies, but getting them to collaborate isn’t always easy.
“I encounter turf wars all the time, especially between [information technology] auditors and HR,” says Kent Anderson, managing director of Envurve LLC, a technology risk and security management consultancy. “I often have to educate them on how important this is to everyone. I have to explain to IT why legal and HR must be involved.”
Lawyers, IT and HR professionals are the usual stakeholders who need to be represented on a policy committee. In some cases, business unit executives need to take part when the technology under discussion has strategic impact—say, when the committee measures the ramifications of salespeople texting sales figures from hand-held mobile devices back to headquarters.
One expert argues for including a junior employee from the millennial generation on the committee. Members of that generation are most likely to demand use of these technologies, so allowing them to contribute to policy creation could be productive, says Arthur J. Mazor, senior vice president of offering management and marketing for Fidelity Human Resources Services, a division of Fidelity Investments in Boston. “I haven’t seen anyone tap this group to help develop policy.”—Bill Robert
The courts are slowly defining the legal risks of e-mail, but gray areas remain. “Given that existing law is largely tailored to more traditional means of communication, employers often confront uncharted legal waters in managing and regulating employee use of e-mail,” Beachboard notes.
As much as employees need a clear use policy that the company enforces, they also need training and regular reminders not to write messages they do not want permanently recorded and to edit e-mails for tone before sending them. Diversity training should include an e-mail component emphasizing the need for racial, gender and other sensitivities in electronic communications.
Instant messaging (IM) is on a trajectory to replace e-mail as the main form of electronic communication. The problems are similar to e-mail, only more so because IM’s real-time, instantaneous nature makes such messages seem less formal than e-mail. “Psychologically, employees think IMs are less traceable, and therefore they become more free-form,” says Oncidi.
IM and its first cousin, cell phone texting, pose myriad problems: security of transmissions, reduced productivity and potential liability for offensive messages. The problems increase with the speed of transmission and the fact that many workers install the necessary software on their computers without the employer’s knowledge—all issues a policy must address.
Blogging can be a useful tool for knowledge sharing among workers, partners and customers. But employers can be at risk when employees blog outside the enterprise. There are hundreds of blogs about individual companies, with workers, former workers and others weighing in on all kinds of topics—including some that may breach proprietary, confidentiality and privacy rules.
Despite the obvious risks, “I’m not sure that many employers understand the need for a blogging policy,” says Oncidi.
As for wikis, a first cousin of the blog, most HR professionals don’t even know how many exist in their enterprises. Motorola, for example, conducted an audit recently and found more than 3,000 wikis on its intranet. Wikis carry many of the same potential problems as blogs and require similar policy attention.
Twittering is another phenomenon employers may need to address. The micro-blogging free service allows users to text updates called tweets to their friends who sign up to follow their feeds on computers, cell phones and personal digital assistants (PDAs). As with other new forms of electronic communication, managers must determine the possible risk from twittering. For example, employees may twitter about what product they are working on at the office, how HR is treating them during a layoff or if the boss is giving them a hard time. These real-time updates can show raw, unfiltered emotion that could be detrimental to the employer. So far, there has been little or no guidance from the courts about twittering.
Policing Social Networking
Facebook, LinkedIn and other social networking sites pose two types of risks. First, workers on social networking sites might disclose confidential, proprietary or private data to the detriment or legal risk of the employer. Oncidi suggests that a use policy “at least acknowledges the existence of social networking sites and tells the employees that if they use them, they are still bound to confidentiality and proprietary information requirements.”
Employers cannot bar employees from using Facebook when they aren’t at work, but according to Oncidi and Beachboard, they can demand that workers not identify themselves as employees of a particular company or issue disclaimers that they are not speaking for the company.
Appropriate use policies can be written to cover all of the above: e-mail, blogging, wikis, social networks and Internet use in general, including sites inappropriate to access from the workplace. Employers are more on top of the inappropriate web sites, with about two-thirds saying they use software to block certain web sites, according to the 2007 Electronic Monitoring & Surveillance Survey, co-sponsored by the American Management Association in New York and The ePolicy Institute in Columbus, Ohio.
The second risk that arises from social networking sites can also be an issue with blogs and web sites: Privacy questions surface when employers search social networking and other web sites for information about current employees or candidates. (For more on collecting information on employees, see “How Deep Can You Probe?” in the October 2007 issue of HR Magazine.)
In a 2007 survey of 304 employers:
Source: 2007 Electronic Monitoring & Surveillance Survey, co-sponsored by the American Management Association and The ePolicy Institute.
Locking Down Data
Despite headlines underscoring the problem of data theft, many policies don’t address the issue. “There is still a lot of room for education,” says Oncidi.
Most organizations have made progress in protecting networks and data in desktop computers and servers in the office, but they haven’t done as much to secure data on laptops and other mobile devices. If employees take data home, then employers must consider encryption of the file or hard drive.
Oncidi warns of carrying laptops across international borders. Customs and immigration officials have a right to inspect and confiscate laptops, presumably when concerned about terrorism or other illegal activities. A policy could require employees to back up data elsewhere before they cross borders and, if proprietary information was collected during travel, to send it home before passing through customs.
Employers that focus their data protection policies only on laptops are ignoring the next variations of the problem. The media don’t report much about loss of confidential data from cell phones, PDAs, iPods or USB drives, but it is only a matter of time. These devices are also used for texting and e-mail, so policies should reference them.
Before an employer gives PDAs to workers, it should “think about how this impacts wage and hour rules,” warns Oncidi. “If the employee has consistently left the office at 5 p.m. and now has to take e-mails from his boss at all hours, then how do you compensate him?”
Electronic Monitoring Best Practices
Every employer needs policies that deal with use of the company’s electronic communication equipment and services. Here’s what should be covered:
Source: Ogletree, Deakins, Nash, Smoak & Stewart PC, Los Angeles.
In addition, attorneys representing persons injured by drivers using cell phones for business-related calls have begun to sue the drivers’ employers, frequently winning sizable settlements. The plaintiffs claim the employer is vicariously liable because the employee talking on the cell phone was acting within the scope of his employment. They also frequently claim the employer is directly liable for encouraging or condoning cell phone use while driving without appropriate safeguards. Many states now have hands-free cell phone laws.
Beachboard says at least one law firm is marketing itself as the expert in these suits. He advises, “If you do not have a comprehensive policy in place addressing cell phone use while driving, it is highly recommended that you draft and implement one.”
The biggest risk is any disconnect between policy and practice. “Writing a policy and putting it in a desk does nobody any good,” says Anderson, adding that the connection between policy and practice protects you in court.
The courts appear willing to give employers great latitude in monitoring, regulating and dictating how, when and where workers can use these tools—if an employer can prove to the court that it applies and enforces its policies consistently. “HR people have to get over the fear of technology and start appreciating its capabilities,” Greer urges. “We have to know how people use technology and address those issues.”
The author is contributing editor for technology at HR Magazine.