Employee Use of Company Computers: The Importance of a Comprehensive Acceptable Use Policy (AUP)
Employee use of company computers can lead to both foreseeable and unforeseeable problems – most of which can be avoided or minimized by developing a comprehensive acceptable use policy (AUP) that makes clear the employees’ and employer’s rights and responsibilities and the rules regarding employee use of company equipment.
An AUP tailored to your company’s needs and practices should address the most common issues faced by employers as well as the unique issues faced by your company, and can prevent conflicts related to:
Loss of productivity,
Broken equipment and who is responsible for repairs,
Use of computers for personal business,
Employee confidentiality and employer monitoring, and
Potential civil and criminal liability for employers.
Creating an Acceptable Use Policy (AUP) for Personal Use of Company Computers
A comprehensive acceptable use policy (AUP) that covers employee use of company computers is essential to ensure that both employee and employer understand when an employee can or cannot use a company computer for personal business, who owns the employee’s personal information found on the computer, and when it is appropriate for the employer to monitor an employee’s activity on a company computer.
Who Owns the Right to Personal Information on Company Computers?
Your company owns the right to all information that is stored on your company’s computer, if this is made clear to the employee in the acceptable use policy (AUP).
For example, you can include a provision in your AUP that clearly states:
Email, software, and other programs and files provided by the company are to be used for company purposes only,
All data stored on company computers, including emails, software, programs, and data stored on the company computer are the property of the company, and the employee waives any right to ownership of data stored on a company computer, and
The company has the right to take, search, or monitor any company computer without advance notice for business purposes including company security and monitoring of employee productivity.
Employee Confidentiality and Employer Monitoring
Employers can and often do monitor their employee’s activities when they are using company computers, including:
Email content and private messages,
Screen content and keystrokes,
Social media activity,
Time spent online on the device, and
Websites visited on a company computer.
It is legal for a business to monitor its employees’ activities, but the best practice is to also inform your employees that they will be monitored and why – valid business reasons for employee monitoring could include security concerns, crime prevention and investigation, protection of trade secrets and client confidentiality, and the company’s interest in employee productivity.
These notifications can be provided as a part of your acceptable use policy (AUP) for company computers, which should clearly state what activities will be monitored and how and that there is no expectation of privacy when an employee is using a work computer. The AUP should include a written acknowledgment to be signed by the employee.
Appropriate Use of Company Computers
Unauthorized employee use of company computers for personal business can lead to a number of problems that could be avoided by a comprehensive AUP, including loss of productivity, unauthorized use of company resources and supplies, and criminal or civil liability based on the employee’s actions.
Although your AUP should be tailored to your company’s needs, provisions often include requirements like:
Use of company computers for personal reasons is strictly prohibited,
All email, messaging, and other programs on the company computer are to be used for company purposes only,
All computer logins and passwords must always be available to the company,
Employees may not install external software or programs on a company computer without prior approval, and
No company software, files, or other data may be copied or removed from the company computer without prior authorization.
The AUP should apply equally to all employees and should be enforced even-handedly without showing favoritism to any employees.
A comprehensive acceptable use policy (AUP) for company computers should also make clear what the rules are if an employee is working from home – they could be the same rules, or they can be adjusted based on your company’s needs.
BYOD (Bring Your Own Device)
When employees are permitted or required to use their own devices, there may be additional considerations – for example, the Electronic Communications Privacy Act (ECPA) of 1986 limits what you can monitor on your employee’s personal devices.
Your company should have a BYOD policy in place that details what the employee can expect, what type of monitoring will take place, and what the acceptable uses are for a BYOD computer that is used for company business.
Employer Liability for Personal Use of Company Computers
Another important function of a comprehensive acceptable use policy (AUP) is to limit the employer’s liability for employee conduct whenever possible by 1) clarifying what type of conduct is prohibited and 2) making it clear that the prohibited conduct is not within the scope of the employee’s work duties.
Employers can prevent or minimize civil and criminal liability by including provisions in the AUP that prohibit:
Use of the company’s computer, internet, email, or IP address to send, receive, or store any communications or content that is discriminatory, harassing, pornographic, or inflammatory including but not limited to remarks on a person’s race, age, disability, religion, national origin, physical attributes, or sexual preference.
Use of the company’s computer, internet, email, or IP address to send, receive, or store materials that include disparaging, abusive, profane, or offensive language.
Any illegal activity including but not limited to piracy, copyright infringement, extortion, or unauthorized access of any computer networks or email accounts.
Accessing any site on the “dark web” without prior authorization.
Use of any “peer to peer” file sharing programs without prior authorization.
Spamming, sending unsolicited emails, or sending or receiving excessive numbers of large files if it is not required by the employee’s work duties.
Downloading software, programs, internet services, or any files without prior approval.
Sending any communications that hide the identity of the sender or identify the sender as another person.
Sending any communications that do not identify the employee and the company they work for.
A detailed AUP that is tailored to your company’s needs can prevent or minimize employer liability for harassment, discrimination, unauthorized criminal activities, pirated software, and copyright violations, as well as unknown and unanticipated problems that are sure to arise.
Please feel free to contact one of our Murray Lobb attorneys to obtain our legal advice regarding the development of an acceptable use policy (AUP) for employee use of company computers or employee use of any company equipment. We also remain available to help you with all your general business, corporate, and estate planning needs.