Thank you for sharing!

Your article was successfully shared with the contacts you provided.
High-speed Internet connectivity and sophisticated electronic communications devices have given company employees the ability, at the click of a mouse, to widely disseminate proprietary and otherwise harmful information, including documents, spreadsheets, source code, and customer data, within and outside the corporate network. As a result, a company that ineffectively restricts usage of its computer network and electronic communications may face a myriad of liability risks. Because e-mail, Internet access, and electronic communications devices like cell phones and personal digital assistants (PDAs) have become so integrated within the workplace, trying to limit such risks while complying with applicable privacy laws may seem as hopeless as Pandora trying to put the lid back on her box. Yet businesses today have little choice but to address these risks directly. Fortunately, there are ways to mitigate them without violating related privacy laws. LIABILITY AND SECURITY RISKS � Disclosure and theft of trade secrets. A trade secret may include the company’s strategic plans, financial data, and personnel payroll data, as well as technologies, formulas, processes, and work product that may or may not be eligible for patent or copyright protection. A company must also safeguard trade secrets of other parties that it may receive pursuant to nondisclosure agreements. If an employee or agent with access to a company’s computer network discloses the company’s trade secrets or those of another party covered by a nondisclosure agreement, such disclosure would likely result in the permanent forfeiture of its trade secret status, breach of nondisclosure agreements, and possibly incalculable losses as a result of competitors obtaining such information. With any removable, writable media (such as Zip disks, floppies, CD-RWs, e-mail, or FTP), an employee can steal trade secrets by downloading corporate files of proprietary documents, source code, business models, payroll information, and customer data. � Dissemination of harmful speech or obscene material. Electronic communications sent by employees or agents with access to the company’s computer network may contain content that, alone or together with other factual circumstances, constitutes sexual harassment, discrimination, defamation, or illegal pornography, for which the company may be liable. Such forms of misconduct may give rise to claims of negligent hiring or retaining. In addition, corporate e-mail containing such content could tarnish the company’s brand if the company’s name is in the domain address of the sender (e.g., [email protected]). � Infringement of intellectual property. Employees and agents can easily infringe copyrights by downloading and externally distributing files of audio and/or video works (via, for example, peer-to-peer file-sharing software). In addition, because employee work product is typically owned by the company, by either common law or contract, its computer network provides employees the ability to distribute their work product to third parties without the company’s consent, which in itself can cause infringement, forfeiture of intellectual property rights (such as the disclosure of a patentable invention before foreign patent applications are filed), or other economic harm. It is also possible for an employee to misuse the computer network to commercially exploit the company’s intellectual property for personal gain. � Inadvertent assent to contract or additional representations and warranties. E-mail communications frequently include an automatically generated electronic signature: the sender’s name, title, company, and contact information. Under the Electronic Signatures in Global and National Commerce Act, as well as under state laws adopting the Uniform Electronic Transaction Act, a statement made in e-mail with such a signature may constitute binding assent to a contract. In addition, electronic communications by sales or other personnel regarding a company’s capability to perform under a prospective contract could be construed as binding representations and/or warranties, unless the executed contract explicitly excludes such communications. � Disclosure of inside information. Employees of a public company using electronic communications can easily reveal “inside information” (i.e., any information that an investor in the securities of such company would consider material), in violation of federal securities laws. � Discoverable electronic communications against the company’s interests. E-mail and instant messaging services are intimate media that lead many users to forget the permanency and lack of security involved. An employee’s damaging statements against the interests of her company in an electronic communication are discoverable in litigation and could be used against the company in employment, contracts, fraud, securities, and antitrust cases. � Traceable purchases, competitor research, and communications. When an employee visits the Web site of a competitor from a workplace PC, he may leave a record of the Internet protocol address and domain name of the computer server that reveals the identity and location of the employer. The competitor’s Web site visited by the employee may also write a “cookie” to the employee’s PC, which gives the competitor a record of every page viewed by that employee, as well as the time, date, and duration of each visit. As a result, the competitor could obtain useful business intelligence about your company. Employee communications originating from a company network to bulletin boards, chat rooms, and discussion Web sites or stock-trading discussion boards under aliases can similarly be traced to the company’s computer network. � Improper use of network capacity. Employee use of streaming video or audio downloads for lengthy periods of time, even for legitimate business purposes, consumes bandwidth, may trigger costly bandwidth-overage charges, and can impair the network’s performance. Given the wide range of audio and video streaming content available on the Internet unrelated to business (music videos, sports games, pornography, etc.), employee downloads of streaming content from the Internet may reduce workplace productivity or create a hostile work environment for co-workers. � Unsafe uses. In recognition of the apparent dangers caused by drivers distracted by operating wireless communications devices, several states have proposed or enacted legislation prohibiting the use of handheld wireless phones while operating a vehicle. Even outside these states, if an employee uses a cell phone, PDA, or two-way pager while driving to carry on a business communication, and that distraction is later determined to be the cause of a car accident involving injury or death, the company may become entangled in litigation as the allegedly responsible party. � External threats to network security. A computer network or company Web site can be the target of denial of service (DoS) attacks (where a single computer “pings” a target Web site thousands of times per second to shut it down), distributed denial of service (DDoS) attacks (where multiple computers launch the DoS attack), hacking, vandalism, a virus, a worm (a program that delivers a virus), a packet sniffer (a program that captures a copy of each data packet sent within the company fire wall), or a “root kit” (a program that takes control of critical services, changes security settings, removes evidence of intrusion from log files, and may forward data packets from the computer network to an external domain address designated by the hacker). WHAT CAN BE DONE? The first thing a general counsel must do to mitigate these risks is establish a comprehensive and up-to-date electronic communications policy that governs access to and usage of the computer network and all company-issued electronics communications devices. (Note that monitoring of employees’ telecommunications raises a host of other legal issues, which are not addressed here.) The policy serves several purposes. First, it gives notice to employees regarding restrictions and thereby provides a fair basis for taking disciplinary action in the event of a violation. Second, should the company seek to monitor electronic communications and computer network usage in the workplace to safeguard against such risks, it provides a mechanism to do so while complying with the Electronic Communications Privacy Act (ECPA). Third, it is evidence that the company has taken reasonable steps to protect its trade secrets and other computer information under applicable state trade-secret laws and the Computer Fraud and Abuse Act. The CFAA protects all valuable computer information, even information not qualifying as a trade secret, provided that the company took reasonable steps to protect its data, such as having a policy restricting access and prohibiting disclosure. Fourth, a policy establishes a common standard for all employees that the company can enforce consistently. Finally, if the company has affiliates in the European Union, a policy is an important step toward compliance with the safe harbor agreement between the United States and the European Union. The ECPA prohibits employer monitoring and disclosure of intercepted employee electronic communications (although stored electronic communications, such as e-mails retained after delivery or saved to a server or an employee’s hard drive, are not covered by the ECPA). The primary exceptions to the ECPA are: (1) where an employee has given prior consent and (2) where the situation meets the business-use exception. The business-use exception allows the employer to monitor electronic communications without the consent of the employee where monitoring is in the “ordinary course of business” and the subject matter is of “legal interest” to the employer. Reliance on the business-use exception, however, is precarious since it depends on an assessment of the facts surrounding each case of monitoring. For purposes of ECPA compliance, the safer course from a liability standpoint would be to establish an electronic communications and computer network usage policy to which all persons granted access to the company network must consent. The policy should advise all persons granted access that they should have no expectation of privacy in their use of electronic communications and the computer network, and that their use may be monitored to ensure compliance with the policy. The policy should be comprehensive, updated regularly to address evolving workplace technology and privacy obligations, and written in plain English, to be easily understood by all levels of the work force. When considering how strictly to limit usage of and access to electronic communications and the computer network, the general counsel should take into account the company’s culture and line of business, how likely it would enforce the adopted policy across all employee levels, the willingness of company management to monitor employee usage, and the possible effects that restrictions and monitoring would have on workplace morale. For example, the safest and easiest course would be to prohibit employee access to the Internet and all personal use of e-mail and electronic communications. But how practical would such a policy be in a technology or telecommunications company setting? If it is unlikely to be enforced as written, then consider writing its terms more realistically. The promise of technology in the workplace is increased efficiency, productivity, and quality. Unfortunately, the tools designed to help employees achieve these ends can be easily misused, causing significant harm to the company. A flexible but firm usage policy that addresses the risks to the company will provide employers with an effective and lawful means to deter such misuse — and to ensure that technology remains a valuable partner in achieving business objectives. Marc S. Martin recently served as vice president, general counsel, and secretary of two technology companies: Convera Corp. and BET Interactive LLC. He is currently a special counsel in the Tysons Corner, Va., office of Kelley Drye & Warren ( www.kelleydrye.com). Evan Wagner is director of information technology at the Convera Corp. If you are interested in submitting an article to law.com, please click herefor our submission guidelines.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.