With ever-changing technological advances, easy access to employer networks from almost any location and the blurred lines between business and personal use, employers need to review and update their acceptable use policies (AUP).

This article provides 10 tips for drafting and implementing an effective AUP.

1. Define the scope and applicable terms

The AUP must define the covered users, systems and types of electronic communications.

As to "users," the AUP should provide that it applies to employees and anyone else with access to any of the employer's computers, electronic communication systems, networks and its hardware and software. The AUP should also define the covered "systems" to include any employer- and employee-provided systems or equipment used either in the workplace, during working time or to accomplish work tasks.

"Electronic communications" should be defined to include, among other things, messages, images, sounds, data and any other information used in an email, instant message, text message, voicemail, fax machine, computer, two-way radio, personal digital assistant, pager, cellular and landline telephone, camera, back-up storage device, memory or flash key or card, jump, thumb or zip drive, any other type of internal or external removable storage drive and any GPS or other tracking system.

2. Avoid creating the expectation of privacy

The AUP should warn employees and any other users of the systems that the employer reserves the right to control, review, monitor, copy, disclose to third parties and use in any way it deems appropriate any electronic communications or electronically stored information (ESI) on any systems, with or without prior notice.

The AUP should caution users not to expect privacy in any communications that pass through the employer's systems, including those that may be for personal use. The AUP should expressly reserve to the employer and its administrators these rights, regardless of whether any device is used in the workplace, during working time, to accomplish work tasks or for personal reasons.

Employees should be cautioned that any ESI in any personal file on any devices on the systems should be written as if a third party could review it. The AUP should also state any files and ESI may be discoverable in the event of any form of civil litigation or criminal prosecution.

3. Protect confidential information

The AUP should prohibit the dissemination of trade secrets and confidential information that are the employer's property and that of its customers, vendors, suppliers and others with whom it does business. Failure to protect such trade secrets or information can harm the employer's business interests and undermine the employer's position if it ever seeks to enforce standalone nondisclosure agreements.

4. Honor trademark, copyright and other laws

The AUP should state that employees must respect all trademark, copyright and all other intellectual property laws when using the employer's systems. The AUP should warn users not to duplicate or download software, music, videos, games and other media through the employer systems either for work-related or personal use without proper authority to do so. The AUP should specifically prohibit the illegal use, copying or distribution of copyrighted work.

5. Compliance with other policies and applicable laws

The AUP should state that the employer intends to comply with all applicable laws and expects employees to do the same. The AUP should remind employees that certain pre-existing employer policies also govern use of its systems.

For example, employees should be expected to comply with applicable equal employment, no harassment, anti-bullying, workplace violence and similar policies. The AUP may also remind employees not to violate applicable laws covering computer fraud, trespass, invasion of privacy or theft.

6. Define consequences of policy violation

The AUP should state that any violation of the policy may result in disciplinary action up to and including immediate termination of employment as well as possible civil liabilities or criminal prosecution. Additional consequences may include advising law enforcement officials or appropriate third parties of policy violations.

The AUP should also state that the employer will cooperate with an official investigation, which may include providing access to the systems or any ESI on the systems to third parties. Finally, the AUP should state that the employer will not retaliate against anyone who reports any policy violation or cooperates with any investigation.

7. Protect the systems' integrity and security

The AUP should state that all system passwords and encryption keys must be available and known to the employer. Employees should be prohibited from installing passwords or encryption programs without the express written permission of the employer's systems administrator and from using the passwords or encryption keys of others.

Employees should be warned to take appropriate precautions with respect to downloading unsafe materials, using virus software and being respectful of others when using network resources. Additionally, the AUP should notify users they are responsible for keeping up with any devices and that the employer is not responsible for lost or stolen devices or ESI.

8. Prohibit certain operations

Although the space constraints on this article do not permit an exhaustive list of the operational restrictions that should be contained in an AUP, some examples include prohibiting:

  • Downloading, saving, sending or accessing any music, audio or video files
  • Downloading anything from the Internet, including shareware or free software
  • Attempting to gain or gaining unauthorized or unlawful access to computers, equipment, networks or systems of the employer or any other person or entity
  • Altering or attempting to alter files, systems security software or any aspect of the employer's systems
  • Attempting to alter, destroy, reconfigure, wipe or render otherwise irretrievable any element of the systems
  • Intentionally damaging or destroying the integrity of any ESI residing on the system
  • Intentionally destroying the employer's hardware or software
  • Storing the employer's confidential information, trade secrets or protected health information on a personal electronic device

9. Train all users

All users of the systems should be trained about lawful and appropriate use of the systems. At a minimum, such training should cover all aspects of the AUP. It could also include instructions about the use of personal devices on the systems and the limitations on the use of social media on the systems.

Training should be regular and periodic — not just a one-time event. In addition to dedicated training sessions, the employer's managers should mention and refer to the AUP regularly in other staff meetings.

10. Document relevant activities

The employer should document that employees received, read, understood and consented to the application of the AUP. Getting employee consent to the AUP in a standalone document is essential. Employee attendance at any training session should be documented with sign-in sheets and individual acknowledgement of training forms.

Whenever the AUP is revised, the employer should make sure it gets updated acknowledgement of receipt or training forms signed by all employees. Any discipline for violation of the AUP should be thoroughly documented, as well.

Conclusion

In today's digital world, employers must make sure that they have an up-to-date AUP. By following the 10 tips outlined in this article, employers can protect their businesses, prevent employee misconduct and, hopefully, avoid legal issues.