Your boss knows you're reading this article -- as may your network administrator, help-desk attendant, and probably a number of other people. Why? As businesses seek tighter control over employees and electronic communications, the extent and detail of corporate monitoring of computer, e-mail, and Internet use continue to grow. Whether you are the CEO or an administrative assistant, you are being watched.

Monitoring Exists

Businesses already can, and do, monitor employees' computer, e-mail, and Internet use. According to a survey by the American Management Assn. (AMA) -- 2001 AMA Survey Workplace Monitoring & Surveillance -- more than one-third of firms store and review computer files and just under one-half store and review e-mail messages. Additionally, 40% of employers block employee Internet connections to selected Web sites, and over 60% monitor Internet connections. The AMA survey also found that more than half of all survey respondents have disciplined employees for inappropriate use of e-mail or the Internet. According to a similar study by the Privacy Foundation -- The Extent of Systematic Monitoring of Employee E-Mail and Internet Use -- the number of employees worldwide whose e-mail or Internet use is monitored has reached 27 million.

The fact is, electronic monitoring can take place without any notice to or awareness of the individual employee. Monitoring can take various forms, such as duplicating files on an individual's computer or network drive, copying incoming and outgoing e-mail, scanning incoming and outgoing e-mail for particular code words or file attachments, or even using software designed to store every individual keystroke made on a computer.

While the 1986 Electronic Communications Privacy Act brought e-mail and similar electronic communications under the federal definition of wiretapping, businesses that provide wire or electronic communication services to employees, which includes any business that provides e-mail, computers, or Internet access to its employees, are exempt. There is currently no federal law requiring employers to notify their employees that they are being monitored, and such a state law is currently in place only in Connecticut.

Even if you aren't being explicitly monitored at work, remember that your e-mail or computer files can wind up in very unexpected places. Once e-mail leaves the sender, it can be forwarded to a third party without any notification to the original creator. A few months ago, I personally received an individual's rant against a supervisor that had been mistakenly sent to an entire address book of several hundred names. In some cases misaddressed mail may be automatically forwarded to an administrative "dead e-mail" account, with the content subject to review and forwarding to the intended recipient. In the case of the magazine I work for, I am the recipient of these misdirected e-mails. While the great majority of them are spam e-mails or press releases, I do occasionally discover more sensitive material. Also, be aware that when a computer is repaired or upgraded, the programs and files on it are visible to the individual doing the repair.

Adopt An Explicit Corporate Computer-Use Policy

Businesses adopt electronic monitoring for a number of reasons. Reducing the potential for sexual harassment and other inappropriate workplace behavior and guarding against the installation and use of pirated or unauthorized software are just a few. Others include ensuring high levels of employee productivity, obtaining data for employee performance reviews, gaining legal protection in the company's dealings with clients, guarding against inappropriate use of corporate assets, and protecting intellectual property.

According to the Privacy Foundation, annual sales of employee-monitoring software are around $140 million, which results in a $5.25 cost per employee. The number and types of monitoring software in use continue to grow, despite a general overall decline in IT spending.

When deciding to monitor employee computer use, companies should create and post an Employee Internet-Use policy. From my experience, I believe the basic policy should:
- Have a clear business purpose.
- Be distributed to all employees.
- Be included in the corporate human-resources manual.
- List a human-resources contact for questions about the policy.
- Include the statement that Internet usage can or will be monitored.
- Include acceptable and unacceptable personal uses of the corporate electronic communications system, if any personal use is allowed.
- Include any relevant time restrictions on personal computer and Internet use.
- Include the types of Web sites not to be visited if those are restricted under the policy.
- Include the range of disciplinary actions that may be taken for violations of the policy.