Risks of the Electronic Age: Byting Back

By Melanie Herman, Executive Director of the Nonprofit Risk Management Center

To err is human - to really foul things up requires a computer.

In his 1996 book "Why Things Bite Back: Technology and the Revenge of Unintended Consequencies" Edward Tenner suggested that although technology brings tremendous benefit to modern life, for each advance there is also a cost. For example, few would argue about the flexibility and ease of travel that arrived with the popularization of the automobile in the 1920s. Yet along with the car came congestion and traffic accidents. Air bags installed in cars have saved thousands of lives, yet have unexpectedly increased the risk of injury to certain individuals in certain circumstances.

It is no different with computers and the rapidly emerging information technology. Although few would be willing to give up the improved access to communication and access to information that e-mail and the Internet offers, along with these advances come increased risk for the organizations that use them and a need to identify and manage these risks.

Managing the risks of the electronic age is made even more challenging because of the rapid pace at which the technology is changing. In 1994 there were approximately 15 million Internet users. By the end of 1999 there could be of 200 million. In 1997, the much hyped shopping on the net was considered mostly a no show , but in 1998 online commerce was nearly $2 billion. The computer and the Internet are changing the way we work, whether we like it or not organizations will have to struggle to adapt their internal policies to keep pace with the evolving workplace.

The best way of preventing problems is to have solid policies and procedures in place before things go wrong. If your organization does not have a technology policy in place, now is the time to begin putting one together. If you already have a plan in place, review it careful and make sure it is as thorough as it needs to be.

Here are some of the basic issues such a plan should address.

Privacy

Office technology creates its own challenges relating to violation of privacy. Given the nature of electronic mail or e-mail, and how easy it is to trace and intercept, employees should not have an expectation of privacy in e-mail communications, however, most still do. This is why it is so crucial for the organization to make it clear that the access to the Internet at work is provided for business purposes. If employees have access to the Internet or use e-mail from a computer at work, it is imperative that the organization have a written policy clarifying:

1. the appropriate use of e-mail and the Internet,
2. the fact that e-mail is the property of the organization, and
3. that e-mail and computer diskettes are subject to search at any time, passwords notwithstanding.

Even if the computer used at work is owned by the employee, the organization should make it clear that its e-mail and Internet policy should apply to the hardware and software in use.

Appropriate Use

When employees are using the Internet to send or receive e-mail or to retrieve documents, there is a risk that communications entering or emanating from the workplace will be inappropriate, and that the organization will be held legally responsible for the content of the communications. The use of e-mail at work raises the possibility that an employee will send or receive e-mail tainted with biased, discriminatory or defamatory language, or pornographic material. For this reason it is essential that e-mail policies define inappropriate communications as anything which is not work-related or which violates copyright laws or infringes on a trademark.

Several recent cases have highlighted the fact that personal communications sent internally to another employee via e-mail can result in liability for the employer. In one instance an e-mail communication which was presumably deleted came back to haunt the employer. In that case, one employee sent another a crude, racially biased joke about a co-worker via e-mail which was deleted by the recipient. However, the employee who was the subject of their humor heard about the joke, and used this fact as evidence of a hostile environment at the workplace in a sexual harassment trial. The plaintiff was able to enter a hard copy of the deleted message into evidence at trial, since the employer s computer system had backed it up. The employer was ultimately held responsible for the employee s biased e-mail message.

Consider including some or all of the following in your technology use policy:

• Prohibit or limit personal use of the Internet and e-mail while at work and prohibit personal use of the organization s hardware and software or copying of the organization s software;

• Define the systems used at work as the property of the organization;

• Prohibit use of the telephone, facsimile, or e-mail system for the dissemination or solicitation of information about for-profit ventures, religious beliefs or political causes, or any non-job-related business;

• Prohibit use of the telephone, facsimile or e-mail system to create or transmit any offensive, hostile, sexually explicit or suggestive messages, racial slurs, gender-specific comments or any comment that is unprofessional or offensive regarding someone s age, race, color, creed, sexual orientation, religious beliefs, national origin, gender, disability, marital status or any other protected category;

• State that the organization s e-mail system may not be used to upload or download any protected, copyrighted, or proprietary information;

• State that the organization reserves the right to review, audit, intercept, access and disclose all messages created, received, or sent through voice mail, facsimile or the e-mail system for any purpose, and that the content of such communications may be disclosed by the organization for any purpose with or without notice to the employee;

• State that the confidentiality of any message transmitted over the organization s telephone, facsimile or e-mail system should not be assumed;

• State that the use of a password does not indicate that the employee should have any expectation of privacy in computerized communications; and

• State that the organization will discipline any employee who violates the office technology policy, and that violations may result in termination of employment.

Breaches of Confidentiality

Proprietary information (such as donor lists) and private, confidential information about clients and employees must be kept secure in order to protect against violations of privacy. The use of fax machines, the Internet, and telephone answering machines raises several challenges to maintaining confidentiality which merit thoughtful discussion among staff, and possibly will require the organization to customize internal operating procedures to maintain client and employee confidentiality. Organizations with social workers, medical health professionals and attorneys on staff need to be aware of the special ethical obligations relating to confidentiality which mental health and healthcare professionals must maintain in order to avoid liability for malpractice or the loss of professional licenses.

Don't forget that your data is only as secure as the physical hardware. If your data is stored on a local computer or server, ask yourself how easy would it be for a determined person to get access to the computer. If your computer can t be securely locked or completely disabled through password protection, it may be very easy for someone to gain access to sensitive data.

Protecting Privacy in Voice Messages

Although there is no case law on point, it is likely that the interception or monitoring of an employee s voice mail without authorization would be the equivalent of wiretapping, and would therefore give an employee grounds for a common law action of invasion of privacy. However, if the employee did not have an expectation of privacy in voice mail messages or had consented to voice mail being monitored or accessed, the organization would be permitted to intercept an employee s voice mail message at any time, without violating the employee s privacy. Consequently, it is prudent to state in writing that voice messages left for staff at work may be monitored by the organization and that staff are expected to maintain professional standards in voice-messaging at all times.

An example of a organization s need to monitor voice mail might be in a situation where a organization has concerns about a staff member s interaction with a vendor. Sure enough, when the organization listened to a voice message left by the employee on the vendor's voice mail, the organization immediately discharged the employee. The employee's voice message contained inappropriate language and threats that supported the organization s decision to discharge the employee for unprofessional behavior.

Finally, we need to consider the need for a good backup system. Every piece of computer equipment now humming along in your office, will one day fail. It may be sooner or it may be later but every hard drive will crash, every monitor will burn out, every screen will fry. That is the nature of mechanical and electronic devises. They don t last forever.

It was been said that the secret to living a successful life, is to live as if each day were your last. Well, the secret to successful data storage is to live as if each day is your computer s last. Backup your important work daily. Databases and financial records should be backed up daily or at least weekly. The key here is to ask yourself, How much of this information can I afford to lose? A day s worth, a week s? What if I had to reenter this data or recreate this document? Many files can be backed up onto floppy disks or Zip disks. Large files and servers may require tape or CD ROM backup. Also you should have some system in place for offsite storage of backups. A safe deposit box at a bank makes an excellent storage place and is not subject to the same vagaries of damage and security as the IT managers dresser drawer.

From online shopping to cellular phones, from instant messaging to distance learning, there is no doubt that technology is playing and increasingly important role in our lives both at home and on the job. As we have seen, along with the benefits that technology brings to our organizations it also brings new dangers and risks. Identifying, managing and reducing those risks, will make our organizations more effective and help us to realize the full potential of the emerging electronic age.

Melanie Herman is the Executive Director of the Nonprofit Risk Management Center, a resource center serving nonprofits throughout the U.S. For more information on the Center, visit or call (202) 785-3891.

SAMPLE Office Technology Policy

[Organization's] information technology systems (networks, software, and computers) are tools that are provided to employees to enhance productivity and performance on the job. Although limited non-business use may be permitted when on personal time (e.g. during lunch hour or after work), employees understand that such non-business use should create no expectation of privacy to any data, information, or files that are created or stored on [Organization's] information systems. The executive director or other employees may have a need from time to time to access an employee's computer or files.

In addition, employees are expected to exercise good judgment in their use of e-mail and the Internet and understand that access to these media is a privilege, not a right.

Examples of Inappropriate Uses of Technology

• Any use violating law or government regulation

• Use promoting disrespect for an individual, discrimination, or constituting a personal attack, including ethnic jokes or slurs

• Viewing, copying, or transmitting material with sexual content

• Transmitting harassing or soliciting messages

• Using copyrighted material without legal right

• Use for personal financial gain, or in a manner creating a potential conflict of interest for the employee or [Organization]

• Defamatory, inflammatory, or derogatory statements about individuals, companies or their product.

The failure to use good judgment or to abide by [Organization s] policies may result in suspension of privileges or other disciplinary action.

I have read and agree to abide by the Office Technology Policy described above. I am aware that violations of this policy may subject me to discipline, up to and including termination of employment.

Signature  Date

SAMPLE Investigation & Search Policy

The [Organization] reserves the right to inspect all of the organization s property, including, but not limited to: desks, file cabinets, computer files and disks, storage areas, vehicles, and all personal property brought into [Organization s] premises, including but not limited to: briefcases, purses, laptop computers, and computer files and disks. [Organization s] premises include all buildings, office space, grounds, and parking lots. Personal vehicles on [Organization s] premises are also subject to search. Consequently, employees should not have any expectation of privacy with respect to [Organization s] property or premises or personal belongings brought onto [Organization s] premises.

The purpose of this policy is to ensure that [Organization] can effectively investigate any problem, including workplace safety issues, technological issues with a computer system, and complaints of wrongdoing or otherwise to protect the interests of [Organization].