The Practical Mac
Legal Aspects of Network Privacy and Security for Business
- 2001.11.06
For the next three weeks, The Practical Mac will be exploring the topic of security and privacy in the Internet Age. Today, we begin a two-part series focusing on important topics for companies; the series will finish with an article geared toward home users.
Firewalls, intrusion detection systems, sniffers, content monitoring programs, virus protection suites and biometric authentication systems are all great ways for companies to protect their proprietary information and encourage efficiency among their user base. However, without a proper foundation, many of these tools are virtually useless. By foundation, I am referring to what is considered a four-letter word by most Information Technology Directors: paperwork. Proper policies and procedures - and thorough documentation thereof - are essential to a viable security and privacy system. The task of implementing these policies and procedures need not be daunting, however. The framework can be broken down into a few simple steps.
Policies/Procedures
Email: Email, like the telephone, is an area inevitably subject to abuses by a few employees. It is therefore important to lay out expectations clearly and concisely. A good email policy should, at a minimum, cover the following areas. I have included a few example sentences for each area:
Usage guidelines. The employee must know what constitutes "acceptable use."
The Company provides electronic mail ("email") capability to selected employees for the purpose of assisting employees in performing their work-related duties. The Company believes the use of email can greatly facilitate and enhance communication both within the Company and with outside parties and encourages the use of electronic mail for such purposes. Occasional personal use of the email system is acceptable, but such personal usage should be limited so as not to interfere with the employee's job responsibility. Email capability may be revoked by the Company at any time.
Establish that the employee has no expectation of privacy in their email communications. This is extremely important should monitoring of the employee's email become necessary in the future. In fact, without this clause, you cannot monitor your employees' email!
The nature of electronic mail makes electronic mail less private than users may anticipate. For example, electronic mail intended for one person sometimes may be widely distributed because of the ease with which recipients can forward it to others. No employee shall have an expectation of privacy in their email usage. All email correspondence, both incoming and outgoing, shall be the property of the Company, just as any other employee work product. Senior Management, the IT Director, and the employee's immediate supervisor may inspect employee email at any time, but shall not be obligated to do so.
Spell out, in no uncertain terms, that the employee's email is subject to monitoring.
All employee email is subject to monitoring, both electronically and by any other means, at all times. Although the Company reserves the right to perform such monitoring, it shall not be obligated to do so. Regular and routine monitoring of employee email shall not be the policy of the Company.
Define what is unacceptable use.
Employees are expected to exercise good judgment in their email activity, just as in all other aspects of their employment with the Company. Employees may not use the Company email system for any improper purpose(s), including but not limited to: sexual harassment; indecent or obscene communications; threatening or harassing communications; libelous remarks; disseminating "spam;" carrying on of employee's outside business interests; communications favoring any political party, politician, or political issue; communications racist in nature; any communications that may be defined by state or federal law as "hate speech;" and any other communications prohibited by state, federal, or local law.
Make the employee aware that the Company cannot monitor or be responsible for the content of email the employee may receive.
The Company cannot, in general, protect users from receiving electronic mail they may find offensive. Any employee who receives such email, whether it originated outside the Company or from within, should immediately report this to the immediate supervisor and to a member of the IT staff.
However, if the offensive email did originate within the company, you'd better do something about it pronto.
Make sure you can read the monitored email, should the case arise.
No employee may encrypt any email without the permission of the IT Director and the employee's immediate supervisor and without first providing a member of the IT staff with the decryption key.
Keep your secrets your secrets!
Employees may not send any proprietary, sensitive or confidential material to outside parties without the express permission of the employee's immediate supervisor. If in doubt as to the status of any material to be sent outside the Company, the immediate supervisor should be consulted.
One way to keep proprietary information from outside viewing is to ensure that the employee does not catch a nasty bug that causes these trade secrets to be automatically sent to everyone in their address book.
Care should be exercised when opening any email attachment. No employee should open an email attachment sent to them from any unknown party. Attachments to email received from familiar parties, but from whom the employee was not expecting an attachment, should not be opened without first contacting the sender and verifying the contents of the attachment. Any known or suspected computer virus should be reported immediately to a member of the IT staff. If unable to immediately reach an IT staff member, the immediate supervisor should be contacted.
Of course, to greatly reduce or even eliminate this worry, issue each employee a Mac on which to do their work. You can click all day long on the attached ".exe" file, but nothing will ever happen! Trade in the PC on something more useful and with a longer life, such as a nice potted plant.
This next clause is there to alleviate the possibility of your employees passing out from hysteria when Ed McMahon emails them to say they have won a trillion dollars.
There is no guarantee that electronic mail received was in fact sent by the purported sender, since it is relatively straightforward, although a violation of this Policy, for senders to disguise their identity. Furthermore, electronic mail that is forwarded may also be modified. As with print documents, in case of doubt, receivers of electronic mail messages should check with the purported sender to validate authorship or authenticity.
And finally, spell out the consequences of transgression.
Misuse of the email system and/or violation of any provision of this policy may subject the violator to discipline up to and including termination of employment by the Company. Certain violations may also subject the violator to prosecution by federal, state, and/or local law enforcement agencies.
You will notice that in more than one instance above, the Company reserves the right to monitor but explicitly states that it shall not be obligated to do so. This is a very important distinction. Consider the following scenario: A female employee receives harassing, obscene, and sexually suggestive email from an unknown sender outside the company. It may even be a "generic" spam mailing, not even specifically directed at her. However, the employee is deeply offended by this and sues the company for not protecting her from such obscenity at work. Her basis? The personnel handbook is filled with references to all sorts of email monitoring. "Why didn't the monitoring catch this email and protect me from it?"
How would you like to be responsible for screening each and every piece of email that is sent from and delivered to your mail server, every minute of every day? If you are not careful in the wording of your policy, this may be exactly what you imply is being done and perhaps even what you are obligating your company to do.
The above topics are not intended to be exhaustive. For example, in the policies I write, I usually define what constitutes the "email system," "spam," etc., as well as including some more mundane subjects, such as "representing the company in a professional manner" and "using proper grammar and spelling." Hopefully the above topics will be enough to get you headed in the right direction.
Internet/Network Usage: Most of the same topics covered under "Email" are equally applicable to usage of the Internet and the Company's internal network. However, there are a few additional areas which should be covered in an Internet policy.
Once again, lay out the ground rules.
The computer network is the property of The First National Bank ("Company") and is to be used for legitimate business purposes. Certain employees ("Users") are provided access to the computer network to assist them in the performance of their jobs. Additionally, Users may also be provided with access to the Internet through the computer network. All Users have a responsibility to use the Company's computer resources and the Internet in a professional, lawful and ethical manner.
The Company's computer network may not be used to disseminate, view or store: commercial or personal advertisements other than those related to Company; destructive code (e.g., viruses, Trojan horse programs, etc.); obscene or indecent material; material racist in nature; any material prohibited by federal, state, or local law; or any other unauthorized materials. Occasional limited appropriate personal use of the computer is permitted if such use does not: A) interfere with the user's or any other employee's job performance; B) have an undue effect on the computer or Summit's network performance; or C) violate any other policies, provisions, guidelines or standards of this agreement or any other of Summit. Further, at all times Users are responsible for the professional, ethical and lawful use of the computer system. Personal use of the computer is a privilege that may be revoked at any time.
The list of prohibited activities will necessarily be a little different this time.
Prohibited Activities. Company's computer network may not be used to disseminate, view, or store: commercial or personal advertisements other than those related to Company; destructive code (e.g., viruses, Trojan horse programs, etc.); obscene or indecent material; material racist in nature; any material prohibited by federal, state or local law; or any other unauthorized materials. Occasional limited appropriate personal use of the computer is permitted if such use does not: A) interfere with the user's or any other employee's job performance; B) have an undue effect on the computer or Company's network performance; or C) violate any other policies, provisions, guidelines or standards of this agreement or any other of Company. Further, at all times Users are responsible for the professional, ethical and lawful use of the computer system. Personal use of the computer is a privilege that may be revoked at any time.
Illegal Copying. Users may not illegally copy material protected under copyright law or make that material available to others for copying. Users are responsible for complying with copyright law and applicable licenses that may apply to software, files, graphics, documents, messages, and other material they view on the Internet. Users may not agree to a license or download any material for which a registration fee is charged without first obtaining the express written permission of Company.
Communication of Trade Secrets. Unless expressly authorized to do so, Users are prohibited from sending, transmitting, or otherwise distributing proprietary information, data, trade secrets or other confidential information belonging to Company.
In order for your firewall and elaborate security systems to work, usage has to actually occur through these systems.
To ensure security and avoid the spread of viruses, Users must access the Internet through a computer attached to Company's network. Bypassing Company's computer network security by accessing the Internet directly by modem or other means is strictly prohibited.
Finally, the "offensive material" warning should be worded differently as well.
The Internet is a worldwide network of computers that contains millions of pages of information. Users are cautioned that many of these pages include offensive, sexually explicit, and inappropriate material. Even though purposeful access of such material is a violation of this policy, in general it is difficult to avoid at least some contact with this material while using the Internet. Even innocuous search requests may lead to sites with highly offensive content. The Company is not responsible for and cannot protect users from material viewed or downloaded by users from the Internet. To minimize these risks, use of the Internet is governed by this policy.
Although the following policies do not fall into the "must-have" category, they can be of significant benefit to companies:
Software Acquisition: It is important to set down guidelines for introducing software to the network. Generally, no end user should be able to do this without the approval and assistance of a member of the IT staff. Typically, new or updated software should be installed in a testing environment prior to being installed in production systems.
Hardware Acquisition: Without this policy, one day you will inevitably have an unenlightened user show up with a Windows notebook he found lying on the sidewalk and want you to make it work with the Macs. The Macs will rebel, you will be frustrated, and the user will feel stupid. Avoid the subject by having a policy to cover this scenario already in place!
Employee Monitoring
As stated earlier, before you can monitor any employee computer activity, that employee must have adequate notice that they are subject to monitoring. One thing you cannot do, regardless of notice, is monitor email in transit by using "sniffer" technology or otherwise intercepting messages. There are not a lot of court cases on this subject, and even among those dealing with the issue, there is some contradiction. With that caveat, here is where the law seems to stand today:
Assuming adequate notice, email may be monitored and investigated without restriction when residing on the employee's company-owned computer. You can check the "inbox," "deleted items," "sent items," and anywhere else you believe something of relevance may be found.
Messages in transit may not be monitored under any circumstances.
Messages residing on the company email server are in a state of limbo, both legally and technically. Some courts have considered them as being in transit and deemed them off-limits. Others have pronounced them as fair game, since they reside on a piece of company-owned equipment. The better advice, should it become necessary to undertake monitoring on any given employee, is to gather all you can from their computer and not even broach the email server unless you feel the information to potentially be gained is worth the risk. The best advice is to consult a local attorney and find out what the state of the law is in your particular jurisdiction.
Backup Considerations
I won't belabor the point of how important it is to have good backups of all your data in case disaster strikes. That could be the subject of an entire column in itself. I will instead endeavor to drive home the importance of not ever, under any circumstances, having any sort of backup of one particular system: the email server. Yes, you read correctly, and no, your eyes do not deceive you. Never back up your email server. Despite any benefit you might incorrectly perceive to be derived from this procedure, you are in fact creating one thing and one thing only: evidence.
Any time you have a backup of your email server, it is subject to subpoena in case of legal action. In layman's terms, this means you will have to turn over all backups of your email server to the party suing you. If you have not passed out by this point, read on. Otherwise, lie down, catch your breath, and continue reading when you are sufficiently recovered.
Having represented both the party who received the email backups (the legal term is called "hitting the jackpot") and the party who was forced to turn over the email backups ("losing your shirt"), I can say unequivocally that, in this scenario at least, it is infinitely better to receive than to give. In a typical company, reference to every secret that the company would not want to be exposed is contained in those backups, not to mention quite a few personal emails that the senders and/or recipients would probably not want paraded about in a courtroom open to the public.
A good case in point is the Microsoft antitrust trial. In the early 80s, Lotus 1-2-3 was the overwhelming choice for DOS spreadsheet programs, and with good reason: It was a wonderful program years ahead of its time. Microsoft produced its own, very lame attempt at a spreadsheet program (being an attorney, "alleged" spreadsheet program might be a more accurate term) in an attempt to wrest the market from Lotus (they failed; Excel was still years away). Around the same time, Lotus 1-2-3 started developing bugs. Lotus suspected Microsoft was purposefully manipulating DOS to prevent 1-2-3 from running. Microsoft denied it and eventually prevailed. Email from that time period subpoenaed in the recent antitrust trial produced a startling discovery. Email messages sent by the DOS development team of the day carried the tag line, "DOS isn't done 'till Lotus won't run!" I wonder what the statute of limitations is there? Lotus is probably also wondering what the monetary damages from lost revenue would be on sales over a 17-year period if Excel had never existed.
This does not mean that you have to leave yourself exposed to a disaster. Most email servers contain some mechanism by which you can back up configuration information, such as accounts and so forth, without actually backing up the messages. One server that doesn't is one you should not be using anyway. More details in next week's column.
Here is the way I covered this policy recently:
The Company does not perform or maintain any backups of the email server. Once email messages are downloaded to users' computers, they are deleted from the email server and no backup is made.
Let me be very clear: You are under absolutely no legal obligation to make backups. However, if you choose to do so, you cannot destroy them or deny their existence ("tampering with evidence" and "perjury," respectively) without suffering severe legal consequences ("go directly to jail; do not pass 'go'"). As an IT professional, you must summon the strength to deny your most basic of instincts: backing up your stuff. However, you must be strong - it ain't worth it.
Conclusion
It is not enough to merely have these various policies and procedures in place. The employees must be made aware of them. Many companies have a disclaimer in their personnel handbook that policies may be adopted and/or changed at any time with or without notice to the employee. This is not something that should be regularly relied upon. The only reason this language is included in handbooks is to give the company a fallback position should they find themselves in litigation over failure to cross a "t" or dot an "i."
Any time policies or procedures are changed or new ones are adopted, the company should get a copy of the policy or procedure signed by every affected employee and maintain this signed copy in their personnel file. Contrary to popularly held notions, ignorance of the law is sometimes an excuse, and ignorance of company policies or procedures is often an excuse! If you find yourself in court against an employee or former employee litigating an alleged transgression of company policy, the jury is not going to care how much money you paid your attorney to write that flowery language in your handbook. All they will care about is whether this employee had actual knowledge of the policy allegedly violated. Having practiced law for over eight years and served on three different jury panels prior to that, I speak from ample firsthand knowledge. Be forewarned and be prepared!
Having laid the proper framework, we will examine Internet/Network privacy and security from the technical perspective next week.
Steve Watkins is the Vice President for Information Technology for a mid-sized bank, an attorney, and an Army Reserve JAG on extended active duty. He has been a Mac user for about 12 years. He has owned some PCs along the way - but always came back to the Mac. If you find his articles helpful, please consider making a donation to his tip jar.