Acceptable Use Policy: Diminish Your Business Risks (webcast slides)

Sponsored by:

Uploaded by kelly-speiser, posted 30-Oct-2014

DESCRIPTION

Employers can be held responsible for wrongful acts committed by employees in the course of their employment: the principle of vicarious liability. Since the June 2010 Supreme Court ruling, this principle has grown in importance: the ruling recognized legitimate, work-related rationales for auditing, archiving, or reviewing employee communications, and established that an expectation of privacy is not equivalent to an absolute right to privacy. With such a monumental ruling and privacy rights being called into question, it is important to review acceptable use policies and your business risks to determine the best next steps for your organization. View this on-demand webcast to learn clear steps your organization should be taking to mitigate the risks of uncontrolled employee email and Web use. Aside from the obvious risk of reduced productivity and wasted IT resources from an employee who spends significant periods of the day engaged in personal email or Web use, other risks include harassment, defamation and the loss of intellectual property, contract information and confidentiality. View the recording here: http://www.messagelabs.com/resources/events#

TRANSCRIPT

Acceptable Use Policy: Diminish Your Business Risks

Sponsored by:

Nancy Flynn, Executive Director, The ePolicy Institute

Lee Rothman, Security Engineer, Symantec Hosted Services

Potentially Costly & Protracted Business Risks

• Regulatory audits & fines.

• Security breaches.

• Lost productivity.

• Media scrutiny.

• Credibility destroyed.

• Lost customers & revenues.

• Career setbacks.

• PR nightmares.

• Personal & professional humiliation.

• Workplace lawsuits.

#1 Business Risk: Workplace Lawsuits

Best Practice: Use Policy to Manage Legal Risks

• Vicarious Liability

• Workplace email subpoenaed: 24%

• Battled email-specific lawsuits: 9%

Source: 2009 Electronic Business Communication Policies & Procedures Survey, American Management Association & The ePolicy Institute.

Amended Federal Rules of Civil Procedure: Email & ESI Create Electronic DNA Evidence

• “Electronically stored information” (ESI) is discoverable & may be used as evidence—for or against your company—in litigation.

• Business record email must be preserved, protected & produced during discovery.

• Know—and adhere to—federal discovery rules. Research—and comply with—state discovery rules (where you operate or have customers or patients).

• Content & Retention Policies + Training + Hosted Content Control & Archiving Service = Strategic Risk Management

Best Practice: Focus on Content, Not Technology

– Email
– IM & Text Messages
– Blogs & Social Media
– Internet & Intranet
– Desktop, Laptop, Blackberry, Smartphone
– Office, Home, Airports, Hotels, Etc.
– Business Equipment & Systems
– Personal Tools & Private Accounts

Remember, unless a written record is required for legal, regulatory or business reasons, email is not always the best way to communicate.

Welcome to the New Sexual Harassment

• Email & web content can trigger sexual harassment & hostile work environment claims & provide smoking gun evidence.

• Best Practice: Apply content rules & AUP to email, IM, texting, web, social media, blogs, camera & video phones, other tools.

• Best Practice: Apply content rules & AUP to business & personal, 9-to-5 & after-hours electronic communication.

• Best Practice: Use AUP to ban private accounts & tools at work.

• Best Practice: Use AUP to limit personal use of company system.

Symantec Hosted Services Strategy & Vision 8

Best Practice: Enforce Personal Use Rules

Organizations enforcing personal use rules for:

• Company email: 83%
• Company cell phones: 62%
• Personal email account: 50%
• Personal cell phones: 43%
• Personal social media: 43%
• Company IM: 36%
• Company text: 35%
• Personal text: 33%


“Sexual harassment isn’t about being chased around the desk anymore.” —Newsweek

• Hooters waitress files sexual harassment claim vs. Ft. Lauderdale restaurant. Sexting claim based on explicit photos & text messages sent by manager (2010).

• Director of Delaware, OH county jail resigns after using personal cell phone to take & send inappropriate photos to female employee—while on duty and in uniform (2010).

• Lafayette College settles sexual harassment case for $1 million after campus safety officer sends pornographic email to female employees (2010).

• Offensive/pornographic email & web images evidence in class-action hostile work environment claim against public company. Unmanaged content contributes to confidential settlement (2008).

Online Venting Leads to Defamation Claims

• Email & social media content can trigger defamation claims and serve as smoking gun evidence.

• Best Practice: Apply AUP—including content rules, language do’s & don’ts, netiquette guidelines, code of conduct, ethic guidelines, and specific usage rules—to email, IM, texting, web, social media, blogs, camera & video phones, other tools.

• Best Practice: Inform employees that all electronic policies and all employment rules apply at all times—business & personal, 9-to-5 & after-hours electronic communication.

• Alert Employees: A policy is a policy & compliance is 100% mandatory.


Defamatory Online Comments: Click to Destroy Reputations, Careers & Companies

• Daniel Duran, head of nonprofit US Soybean Export Council, sidelined by board following email allegations of affair with employee & other leadership shortcomings. Filed defamation suit in MO federal court. Duran granted directed verdict (2010).

• Dr. Eric Henne filed malicious defamation claim against Philadelphia’s Thomas Jefferson University Hospital & 2 docs following distribution of email implying Henne was interfering with physician-patient relationships & engaged in kickback scheme. Confidential settlement reached (2008).


Content Can Trigger Costly PR Nightmares

• Online content can create avalanche of negative publicity. Recovery is not a given.

• Domino’s Pizza humiliated when prank video became YouTube sensation. Employee stuffed cheese up nose while preparing food. Massive media coverage forced Domino’s to address food prep allegations online & via mainstream media (2009).

• California Pizza Kitchen server Tweeted protest against new uniforms. Fired for Tweeting complaints. Server responded to termination on YouTube, taking personal gripe global (2009).

• Goldman Sachs’ internal email, inc. “Sounds like we will make some serious money.” Lawmakers & public recoil as GS execs brag about profiting from housing market crash—after helping orchestrate market inflation (2010).


Content Can Create Costly Compliance Disasters

• Online content can put confidential company, customer, patient data at risk of exposure.

• Regulated firms obligated to safeguard customers’ financial data & patients’ EPHR.

• For all organizations, survival depends on the protection of confidential data, inc. IP, trade secrets, R&D, marketing plans, customer lists, personnel data, internal email, etc.

• Thousands of pages of classified docs about Afghan War leaked to WikiLeaks.org on July 25, 2010. Mainstream media worldwide quickly respond by reporting contents.


Best Practice: Enforce Clear & Specific Content Rules

No Harassment or Discrimination Based On: Sex, Sexual Orientation, Sexual Preference, Race, Color, Religion,

National Origin, Age, Disability, Other Status Protected by Law.

No Disclosure of Confidential Company, Customer, Patient Data

Rules Apply to Written Text, Photos, Videos, Art of Any Kind

Adhere to All Company Rules & Policies

Best Practice: No Funny Business Online

– No rumors or gossip about company, customers, competitors, employees, or 3rd parties.

– No defamatory comments about anyone—internal or external parties.

– No whining or complaining about the organization, its customers, management, products, services, mission, procedures.

– No external distribution of internal documents including company email, IP, confidential customer/patient data, eyes-only info.

– No transmission, downloading, uploading of “funny,” off-color, or offensive/non-business-related cartoons, videos, photos, files, art.

– No shooting or posting business-related photos or videos without authorization.

Best Practice: Support Content Rules & AUP with Training

– Full-Time Employees
– Part-Time Workers
– Freelancers & Independent Contractors
– Executives & Professionals
– Supervisors, Staff & Interns
– Board Members & Volunteers
– Train Everyone…From the Summer Intern to the CEO

Best Practice: Support Policy with Content Control Technology

• Email Monitoring: Internal & External
• Email Content Control
• Web Monitoring
• Web Content Control
• URL Blocking

Best Practice: Exercise Your Legal Right to Monitor

• Electronic Communications Privacy Act (ECPA).

• Computer system = property of employer.

• Informed users should not consider email, text, tweets, posts, online conversations their own.

• Even if management says online conversations are not monitored, employees should not expect privacy.

• Supreme Court Of The United States: Monitoring trumps privacy on employer-provided text system, June 17, 2010 (City of Ontario v. Quon).

Monitoring Rights & Privacy Realities

• First Amendment only restricts government control of speech.

• Private employers are free to fire at will in employment-at-will states.

• SCOTUS ruling 2009: Even government entities may now fire employees if comments—email, Tweets & posts included—harm mission & function of workplace.

Best Practice: Support AUP with Content Monitoring & Blocking

• 43% monitor email.

• 96% monitor external email (incoming & outgoing).

• 58% monitor internal email.

• IM is turbocharged email. Texting is mobile email. Monitor both.

Source: American Management Association/ePolicy Institute 2007 Electronic Monitoring and Surveillance Survey

“You Have No Reasonable Expectation of Privacy”

• Notify employees of monitoring: 71%
• Employee handbook: 70%
• E-mail notices: 40%
• Written notices: 35%
• Intranet postings: 32%
• Formal onsite training: 27%

Source: 2007 Electronic Monitoring & Surveillance Survey, American Management Association/The ePolicy Institute.

Porn Pummels Productivity…and Public Image!

• 2010: SEC lawyer, employees, contractors caught surfing porn on the job. Over 1,800 attempts to access porn in 17-day span.

• 2009: At DC govt agencies, 9 employees each surfed 20,000+ porn sites (200 hits/workday). 1 employee visited 48,000+ porn sites in 12 months. 32 employees = 2-week suspensions to terminations.

Best Practice: Combat Content Risks with URL Blocks

• 65% of employers in 2007 vs. 38% in 2001.

Sites blocked:

• Sexual/romantic/pornographic: 96%
• Game sites: 61%
• Social networking sites: 50%
• Entertainment sites: 40%
• Shopping/auction sites: 27%
• Sports sites: 21%
• External blogs: 18%

Source: 2007 Electronic Monitoring & Surveillance Survey, American Management Association and The ePolicy Institute.

Acceptable Use Policy: Best Practices to Minimize Risks

• Establish comprehensive, written rules and policies addressing employee use of email, the web, and all other electronic business communication tools—old, new & emerging.

• Assign legal to review AUP & ensure that all federal/state laws and industry/government regs are addressed.

• Educate employees about risks & rules, policies & procedures.

• Make clear the fact that the company’s system & tools exist primarily for business purposes.

Acceptable Use Policy: Best Practices to Minimize Risks

• Provide clear guidance on what is—and is not—appropriate business use & content.

• Establish clear, specific personal use rules. Do not leave personal use policy open to individual interpretation.

• Include overview of harassment/discrimination guidelines & all other employment policies.

• Remind employees that a policy is a policy.

Acceptable Use Policy: Best Practices to Minimize Risks

• Stress the fact that policy compliance is 100% mandatory—during business hours & at home, on company-provided systems/equipment & on personal tools.

• Review AUP & all employment policies with all employees.

• Do not rely on employee handbook or Intranet alone. Best practices call for formal, onsite training.

• Address ownership issues & privacy expectations. If you monitor, let employees know what you are monitoring, how & why.

• Explain that employees have no reasonable expectation of privacy when using the company system.

Acceptable Use Policy: Best Practices to Minimize Risks

• Establish netiquette guidelines to help ensure civil business environment.

• Define “electronic business record” for all users.

• Support record retention policy with Hosted Email Archiving Service to ensure your ability to preserve, protect, produce ESI.

• Protect confidential data, customer financials & EPHI with a proven-effective Hosted Encryption and Security Service.

• Apply technology—monitoring, blocking & content control—to help manage people problems.

Acceptable Use Policy: Best Practices to Minimize Risks

• Review and update AUPs & employment policies annually.

• Require all employees to sign and date Acknowledgement Form following training.

• Notify employees that violation of AUPs or any employment policy may result in disciplinary action, up to & including termination.

• Maintain comprehensive records of your policy, training & technology program. You may need to prove your commitment to best practices one day.

• Do not allow employees to dismiss AUP/electronic risk management program as insignificant or unenforceable.

Symantec Hosted Services & Acceptable Usage Policies

We help solve the Top Challenges of Messaging Security

EMAIL-BORNE THREATS CONTINUE TO EVOLVE

Symantec State of Spam Report and MessageLabs Intelligence

COMPLIANCE WITH USAGE POLICIES

Inappropriate Content

Confidential Content

SENSITIVE DATA IS LEAVING THE ENTERPRISE

1:400 emails contain confidential information

59% of ex-employees admit to stealing confidential company information

88% of all cases are due to insider negligence

Ponemon Institute, 2009

COST AND COMPLEXITY

Keeping systems current

Responding to end user requests

Generating management reports

Managing policies across systems

* Ponemon Institute, 2009

Sensitive Data is Leaving the Enterprise

• Over 88% of all data loss cases are due to insider negligence*

Blocking Inappropriate Images and Content

• Organizations must protect employees from offensive, unwanted images and content

Ensuring Compliance with Usage Policies

• Organizations must protect themselves from legal exposure and regulatory fines

Managing Cost, Efficiency and Accuracy

• Managing filter accuracy while ensuring that legitimate emails are not blocked

Control Challenges

Risk of Data Loss

Data Loss Can Result In:

• Regulatory fines

• Litigation

• Lost business

Sources: Ponemon Institute, 2009; IDC Information Protection and Control Survey: Data Loss Prevention and Encryption Trends 2008

• 1:400 emails contain confidential information

• 56% of data loss occurs through email

• 88% of all data loss cases are due to insider negligence

How our service works… MessageLabs Email Content Control

Key Features:

• Highly flexible, intuitive rule-building processes

• Scans email header, subject and body, as well as supported PDF, MS Office and compressed file attachments

• Configurable notifications for each rule and action type

• Word list thresholds determine how often keywords or phrases must occur before a rule is triggered

• Extended character list recognition for non-Western keywords or phrases

How our service works… MessageLabs Email Image Control

Key Features:

• Configurable, highly accurate image scanning engine

• Scanning within supported Microsoft® Office and PDF documents attached to or embedded in emails

• Customizable lists of approved senders and recipients

• Customizable local databases of image signatures

• Optional global image signature database submitted by the MessageLabs client community

Business Benefits of our Services: Email Image Control and Content Control

• Increase User and IT Productivity

• No Software or Hardware to Manage

• Easy to Configure

• Enforce Acceptable Use Policies

• Filter Inbound and Outbound Emails and Attachments

• Aggressive Service Level Agreement

• Data Loss

• Sexual Harassment

• Regulatory Penalties

• Reputation and Business Loss

Reduce Risk. Increase Confidence. Lower Costs.

Cloud computing vs. SaaS: Where do we fit in?

General Benefits of SaaS

Lower Total Cost of Ownership (TCO)

Simplified Management

Shorter Deployment Time

Seamless Integration

No hardware. No software. Little maintenance

Ease Internal IT Pains

Symantec does it better

Highest SLA Performance backed by Cash-Back Remediation

Best SaaS Support: 24x7x365, 95%+ satisfaction

Global, redundant infrastructure: 14 data centers

Converged Threat Analysis Powered by Skeptic™

Market Leader

Next Steps

• Begin a free trial of MessageLabs Email Security services
• See a demo
• Request a quote
• Visit www.messagelabs.com for additional information

The ePolicy Institute™
www.epolicyinstitute.com

• Contact us
• Seminars & Webinars
• Policy Consulting & Development
• Litigation Consulting & Expert Witness Services
• ePolicy Forms Kits, Books, White Papers & Other Content
• Surveys with American Management Assoc & Other Partners.

Thank You Sponsors!

• Technical Demo & Overview:
• Email Anti-Spam & Anti-Virus
• Email Content & Image Control
• Email Archiving
• Email Continuity
• Email Encryption
• Web Anti-Virus & Anti-spyware
• Web URL Filtering

Symantec Hosted Services
www.messagelabs.com

(866) 460-0000