Checklist: Employee Technology Policies (Part 1 of 2)

I have argued elsewhere that employment lawyers should be an integral part of the creation of workplace policies that prioritize cybersecurity and recognize its centrality to the well-being of the organization.

What follows is a two-part checklist for employment counsel to use when designing employement-related technology policies.

       Contents: Part One (below) 

• Acceptable Use of Corporate Technology
• Security Compliance
• Electronic Privacy
• Data Governance
• Trade Secrets/Confidential Information
• Social media
• NLRB Compliance (and Caution)

        Contents: Part Two (found here) 

• Cellphone/Mobile Device
• ADA Policy/Accommodations
• Data Retention Across Devices and Apps
• Technology Acquisition
• Notes

Acceptable use of Corporate Technology

• Limit use to business uses/Describe limits of personal use.
• Prohibit unlawful uses; include specifically a prohibition on uses that violate sexual harassment/EEO policy or laws.
• Prohibit use of corporate systems to violate the company’s or other’s intellectual property, including copyrights, trademarks, confidentiality, and trade secrets.
• Prohibit off- hours use by non-exempt personnel; require reporting of off-hours use.
• Prohibit uses that yield unlawful exports of technology, violate anti-competition laws and/or violate any law of any jurisdiction (see Electronic Privacy, below).
• Prohibit any use that exceeds the authorization given by the company.
• Include a general savings clause.
• See NLRB Compliance, below.

Security Compliance

• Prohibit any use that is designed to effect a security breach or other malicious use of the system.
• Prohibit circumventing any user authorization requirement.
• Prohibit uses that exceed a user’s authorized access to network, software, data or files.
• Prohibit any access and, without permission, any use, misuse, abuse, damage, contamination, disruption or destruction of any corporate computer, computer system, computer network, computer service, computer data or computer program.
• Prohibit any activity that seeks to hide the user’s identity, except in conformity with the company’s ethics, whistleblower and harassment reporting policies.
• Prohibit interfering with another’s rightful use of the system.
• Ensure all postings to public-facing websites are vetted for cybersecurity compliance.
• Comply with password policy.
• Prohibit installation of non-approved software.
• Prohibit installation of non-approved hardware.
• Prohibit exfiltration of software, data or files, including by UBS Drive.
• Require reporting of known security issues, including:
  • incidents that result in misuse of confidential information of any form,
  • incidents that may impair the functionality of the network,
  • activities that seek unauthorized access to the network or access which exceeds authority, and/or
  • any violation of any information technology policies.

• See NLRB Compliance, below.

Electronic Privacy

• Clearly explain that data on network and all electronic equipment are owned and accessible by the company therefore, employees should have no expectation of privacy while at the workplace.
• Seek explicit consent for employer monitoring of electronic communications.
• Prohibit any use that infringes on privacy rights in violation of state, federal and foreign state’s laws.
• Company may preserve, access, or monitor data, accounts and equipment if required by law or an internal investigation into misconduct.
• Company may routinely audit use and traffic.
• Identity theft: Prohibit uses that violate the FTC Red Flagrules (if applicable).
• Prohibit storage of private employee, consumer or patient information on mobile devices and drives without explicit authorization.
• Require use of encryption for all private employee, consumer or patient information.
• Incorporate by reference, and update the policy based upon, industry specific regulations, such as HIPAA and SEC rules.

Data Governance

• See detailed discussion, here.
• Require that use of data is limited to permitted/authorized uses and complies with the data governance plan.

Trade Secrets/Confidential Information

• Prohibit unauthorized access to trade secrets.
• Prohibit disclosure (or soliciting disclosure).
• Prohibit use of unapproved file-hosting services.
• Prohibit storage of trade secrets on mobile devices (if possible); else, require use of encryption.
• Consider including choice of law provision given the disparity among states.
• (The Court’s recent decision on Department of Homeland Security v. MacLean, No. 13- 894 (U.S. Jan. 21, 2015) doesn’t change this analysis).

Social media

• Distinguish between personal accounts and corporate accounts.
• Use of personal accounts at work
  • Prohibit, or specify limits to use (see here).
  • Establish a policy regarding corporate access to private social media passwords.
  • See NLRB Compliance, below.
• Personal accounts at home
  • See NLRB Compliance, below.
• Social media – corporate accounts
  • Define clear ownership
  • Require passwords and account recovery information be given to managers
  • Define editorial/approval/brand protection policies
  • Prohibit uses that are outside of editorial/approval/brand protection policies.

• Strive for platform neutrality (e.g., should apply across all social media platforms).
• Account for progressing technology.

NLRB Compliance

• All policies must be NLRB compliant, even if you do not have a union.
• Explicitly state that the rules do limit any protected activity under Section 7 National Labor Relations Act.
• Do not use language that could be construed to limit such protected activity, including any policy designed to protect confidential information pertaining to an employee’s terms and conditions of employment or working conditions.
• Ensure that any policy regarding language, tone, media etc is consistent with protected activity.
• Do not issue a rule curtailing use of social media in response to such protected activity
• You may prohibit disclosure of privileged, trade secrets or other confidential information.
• You prohibit discriminatory remarks, harassment and threats of violence or similar inappropriate or unlawful conduct (including disclosures in violation of any financial disclosure law).
• Do not retaliate for reports concerning such protected activity.
• Use examples that help employees clearly understand that a particular policy does not reach protected communications.
• Recall that the NLRB has determined that employees may have a right to use corporate email to engage in statutorily-protected discussions about their terms and conditions of employment.
• Prohibit employee use of employer social media for personal purposes (see note below).

For more, and a sample policy, see the NLRB’s Acting General Counsel’s Operations Management Memo of 2014.

Note:  The NLRB does not clearly distinguish between policies that relate to employees using corporate accounts on behalf of the corporation, employees commenting using employer public-facing social media sites and employees using their own personal accounts as used at home or in the workplace.  For instance, in its model policy the NLRB approves the following:

Refrain from using social media while on work time or on equipment we provide, unless it is work-related as authorized by your manager or consistent with the Company Equipment Policy.

I think the Board’s decision in Purple Communications [.pdf] sheds some light on this by rejecting the applicability of the so-called “equipment cases” to e-mail.  Despite its protestations, this putatively technology-specific policy can easily be expanded to other technologies.

The Board in Purple gave one important caveat: “nor do we require an employer to grant employees access to its email system, where it has not chosen to do so.”  Accordingly, an explicit ban on the use of employer-owned social media may be warranted.