Features – My Kingdom for an Effective Internet Policy!


Wendy R. Leibowitz, Legal Technology Columnist, Editor, E-Filing Reports,

Another day, another story about an executive who loses his job or reputation because of questionable use of e-mail. This month, it was a 24-year old new associate at the Carlyle Group in Seoul, South Korea, who sent a message about his recent sexual conquests and bohemian lifestyle to 11 friends at his recent stomping ground, Merrill Lynch in New York. In a vivid illustration of the potential of “viral marketing,” or in this case, “viral destruction,” the message was forwarded to hundreds of people on Wall Street, and eventually made its way back to the Carlyle Group. The young man was fired.

A few months ago, an associate at a British law firm, Norton Rose, was allowed to keep his job after he forwarded an e-mail from his girlfriend to several of his buddies, who embellished the missive and passed it on to hundreds of their friends on several continents in the English-speaking world. Though the law firm chose not to fire the young man or his colleagues, the woman was temporarily forced to leave Britain to escape the tabloid hell her life had become–her full name and obviously her e-mail address, had been on the e-mail.

About six months ago, an assistant to an elected government official in Virginia passed on an e-mail about contracting AIDS from needles attached to pumps at a gasoline station. The assistant assumed it was true–after all, it was headlined, “THIS IS NOT A JOKE!!!!!!”–and she sent it to 100 friends. The e-mail displayed the name of her boss, so the e-mail appeared as if it were an official communication from the government. Although she quickly sent out a correction after she learned, from a police officer, that it was not true, the damage had been done when she pushed, “send.” She is still fielding queries about the matter from as far as East Asia. Fortunately, her boss is understanding. For anyone else who is thinking of forwarding a dire warning or chain letter, please first consult http://HoaxBusters.ciac.org.

Let’s not even count the ways that Internet gambling and porn sites have invaded the workplace. Last year employees of the New York Times were fired for downloading and circulating hard-core porn on the company’s e-mail system. Presumably these people had never heard the slogan, “If you don’t want to read about it in the New York Times, don’t forward it on.” I’ve also heard, “Would you do this if your mother were watching?” Apparently many people will download porn even if their mothers were watching.

The Difference Between Having a Policy and Having An Effective Policy

While it’s amazing to realize that, to paraphrase the old New York Telephone commercial, we really are all connected, it’s sad that people’s lives were disrupted this way and their employers’ reputations called into question. It’s also obvious that these e-mails were sent by people who (a) knew better or should have known better, and (b) from places of employment which were presumably governed by e-mail and Internet policies that banned such use of the employer’s computer system. These were sophisticated people (or at least people working at sophisticated places) who assumed that their work at their computer was never monitored, and that e-mail they sent was the equivalent of a private conversation. People can be shocked, shocked to discover that their employer has the right to monitor everything they write on their company’s system, and that many employers do. E-mail is not merely unlike a private conversation–it’s a permanent record that can turn up in your performance evaluation and in court.

There is a difference between having an Internet and e-mail policy and having an effective, enforceable policy. An effective policy will educate employees to avoid improper uses of the technology in the first place, and perhaps–who knows? result in people getting more work done.

Elements of an Effective Internet and E-Mail Use Policy

1. An effective policy should be short, clear and courteous. Many lawyerly-written policies are too long and confusing to be understood by many people, especially as most people scan, rather than read, documents full of “wherefores.” (“Whatever.”) Issuing a draconian policy (“Company’s e-mail is never to be used for personal purposes”) turns all your employees into potential lawbreakers and alienates many people. And it might actually be more efficient and less disruptive for employees to arrange some personal matters via e-mail rather than by telephone.

Think of e-mail as a telephone. (Both technologies use telephone wires.) Would you ban employees from ever using the telephone for personal purposes? No.

The important part of an e-mail policy reminds employees that their e-mail is not private, and may be read at any time, without notice.

2. An effective e-mail policy is issued upon the first day of employment, with reminders sent out periodically throughout the year.

Generally, their first day on the job, employees are handed a huge employee manual that no one has read since 1979, and told to sign on the last page. Most people do–who wants to make trouble their first day? (“Whatever.”) Somewhere in the big fat notebook is the Internet and e-mail use policy.

Why not send the Internet and e-mail acceptable use policy via e-mail to employees, and ask that they type in their name and the date, and return the message via e-mail to the HR department after they’ve read and agreed to it? Pressing “return” indicates that they agree to the policy–and also gives them the name of a person to whom to turn with questions about the policy.

That message should be sent out periodically through the year, especially around holiday time, when people are tempted to send holiday greetings electronically. The law firm of Skadden, Arps, Slate, Meagher & Flom in New York saw their computer system brought to its knees by a dancing Christmas tree that contained a virus. However innocent or clever, these electronic greetings should not be allowed. (Printed greeting cards are more personal, anyway, and decorate the office without endangering the network.)

A few companies post their e-mail policies on employees’ opening screens so that every time they log on, the employees confront the policy. If they then violate it, the employer has adequate grounds to know that the violation was willful or so grossly stupid or negligent that any penalty will be seen as justified.

Enforcement mechanisms and reporting procedures should be clear

If an employees passes by a colleague’s desk and is persistently faced with pornographic pictures on a screensaver, what is the person to do? Don’t laugh–it happened in a newsroom where I worked. (Policy? What policy? We just wrote about the need for policies, we didn’t actually have one.) No one knew what to do. Obviously, the steps to take depend on your corporate culture. But the person to whom such questions should be addressed should be known to all.

A good penalty for abuse of the system (short of termination) is to deprive the person of the use of e-mail, the Internet, or of a computer, for a certain period of time.

A Sample Policy

Michael Crowley, a professor at the University of Miami, posted a comprehensive Internet, voice mail, and e-mail policy at his site, http://personal.law.miami.edu/~mc4388/emailpolicy.html.

It’s a little long for my taste, but it starts where most policies should start: by informing the employees that “The Company reserves the right to enter the e-mail or voice mail systems of any and all employees whatsoever regardless of what position they may hold, and to review, copy or delete any messages and disclose such message to others as it shall determine. These systems are not private.”

One would hope that that would deter about 90 percent of the people from stupid uses of the system. And it probably does. For those of us in the other ten percent, I’d recommend something more straightforward, like that used by Virginia Tech to its students:

“In making acceptable use of resources you must:

  • use resources only for authorized purposes.

  • protect your user ID and system from unauthorized use. –You are responsible for all activities on your user ID or that originate from your system.


  • Refrain from monopolizing systems, overloading networks with excessive data, degrading services, or wasting computer time, connect time, disk space, printer, paper, manuals, or other resources.

Finally, here’s a short excerpt from a clearly-written policy in attorney Michael Overly’s excellent book, “E-Policy: How To Develop Computer, E-mail, and Internet Guidelines to Protect Your Company and Its Assets.” The essence of the policy is:

You are given access to our computer network to assist you in performing your job. You should not have any expectation of privacy in anything you create, store, send, or receive on the computer system…Without prior notice, the company may review any material created, stored, sent or received on its network or through the Internet or any other computer network.”

A few more disaster stories, and people should get the idea. In the meantime, remember: if you get an e-mail about a Trojan Horse made of wood, DO NOT OPEN IT!!! IT WILL DESTROY EVERYTHING IN YOUR CITY. FORWARD THIS TO EVERYONE YOU KNOW!!!!!!!

Posted in: Features, Internet Use Policies