As you may recall, we recently posted about the potential business impact of the relatively new app Confide (Confide – a New App Touted for “Off-the-Record” Business Discussions – Good or Bad for Business?). We promised we would follow up with some practical reminders about why you should insure that your policies are keeping abreast of technology. Corporate policies and employee education are often two of the most effective means of placing employees on notice of company expectations of behavior, communication, use of electronic resources, and protection of confidential information – just to name a few. But what happens when those policies don’t even contemplate certain employee behavior because they don’t address the technology behind the behavior? Will those policies be effective in light of emerging technology?
Let’s evaluate some of the policies and training regimes that could be implicated, and might need to be reviewed, in light of new technology, or apps, like Confide and Snapchat:
If you permit employees to access company systems on personal devices and those employees keep company contact information on that personal device, you might want to consider whether your BYOD policy should prohibit the use of certain applications that require access to that information. Permitting employees to use apps, which require the User to grant access to the User’s entire address book, could later impact your ability to prevent the employee, or others, from using or disclosing that contact information. We have raised this issue in the past when talking about the ease with which LinkedIn makes uploading your entire contact database (See Who Owns Your Company’s Social Media Profiles, Contacts and Content?).
You likely have a policy that prohibits improper use or disclosure of confidential or sensitive information (such as client or patient information). Those policies could be updated to specifically reference that disclosure of confidential or sensitive information via any app or text message is prohibited – including taking or sending pictures of such information. The policy should remind employees that all company information, whether generated through a personal or corporate device, belongs to the employer – not to the employee – and is subject to company policies limiting use and disclosure of such information.
Stakeholders from HR, IT and corporate legal should discuss which apps the company will prohibit on corporate owned devices. Those prohibited applications should be spelled out in the company software/application policies. There are many reasons for preventing the use of certain apps (think possible malware) but companies should also think about how employee use of an application which automatically destroys the data being transferred will impact employer obligations to control or retain such information, particularly those in highly regulated areas, such as financial services or health care.
Code of Conduct
An organization’s Code of Conduct often addresses an employee’s obligation to prevent theft of trade secret information. Such policies often discuss how trade secret theft occurs and how employees can actively assist the company in protection of its trade secret information. Such policies – which also often prohibit the unauthorized use or disclosure of trade secret information – should specify whether the use of apps, like Confide or Snapchat, to transfer trade secret information is prohibited by the Company.
Electronic Monitoring/Electronic Use Policies
A company’s electronic monitoring and/or electronic use policies often provide notice to employees that the company will monitor employee conduct while using company provided electronic resources. Such policies should address whether sending text messages or any similar communications to prevent detection of that communication is a violation of company policy, and that the company will take disciplinary action should it learn that employees are engaging in unauthorized text messages or other interactions. Additionally, employees should further be reminded they have no reasonable expectation of privacy in their communications – whether sent via an app or via work email. As with other policies, an employee should sign off on, consent to and acknowledge an understanding of this as a condition of employment.
As we have often said in the past, training and education is key to preventing unauthorized behaviors, as well as insuring employees understand what is or is not appropriate use of electronic devices that access your systems. Your training could address, for example, appropriate business communications for your industry (e.g. via business email) and possible inappropriate business communications (e.g. via personal email, or via apps, like Confide and Snapchat). I have found that demonstrating the potential negative consequences of using a particular mode of communication provides employees a better understanding of why that communication is prohibited, could result in harm to the company, or might be viewed as unprofessional in your industry.
Litigation Holds/Employee Claims/E-Discovery Policies
Businesses must also recognize that certain applications, like Confide, could pose problems for e-discovery and data retention in the event of litigation or a potential claim. Employee use of certain apps could also impact an employer’s ability to fully investigate employee/supervisor harassment and discrimination, or to monitor illegal or unethical conduct by employees. If employees are using non-company supported means of communicating business information, a policy should require those employees to disclose that fact to IT and/or legal to insure the company can later meet any legal or compliance-related obligations to store and retain certain data.
Think back to when your company did not need a social media policy because social media did not exist – and no one ever thought that employees would share company information to 500 of their closest friends…but now most companies have policies to address employee use of social media. Emerging technologies certainly make it difficult for IT, HR and corporate legal departments to keep on top of employee behavior and to keep company information safe. What are you doing to keep abreast of technology? As always, we welcome your input.