Employee "A" is fired for downloading inappropriate material from the Web. It is not that he did not know his job was on the line when superiors discovered the downloaded files. But to be fired from a company he has been with for five years is a blow. He is a family man. Married for 15 years, four children - not to mention his reputation. One simple act and the repercussions are huge.

According to an article written by James A. Martin, from the November 1997 issue of PC World, access to the Internet has come at a high price for many organizations. Employers pay the cost in lost productivity, as some workers use their "free" Net access to shop, chat, pay bills, play games, or even download sexually explicit material. For employees, misuse of the Net can cost them their jobs.

A PC World survey of top executives found that, one in five firms has disciplined employees for improper Internet use - from taking away their surfing privileges to taking away their livelihood.

In fact, one-third of the companies contacted in the survey, "monitor where their employees go on the Net. Another 12 percent plan to begin this kind of monitoring in the next 12 months. In addition, firms with more than 1000 employees are twice as likely to monitor than their small and midsize counterparts."

But according to the survey, one half of the executives do not want to peer over employees' shoulders during work hours. And the reason they gave was simple: Employee rights.

Free speech has gone a long way since our founding fathers drew up the Bill of Rights over 200 years ago. Does it apply to an employee's use of the Internet while at work, when they use their employer's resources? Well, yes and no. In most cases companies are well within their rights to block their employees access to the Internet.

Firewall sales will grow from $160 million in 1995 to $980 million in 2000. That computes to 44 percent compound annual growth in the firewall market. (UBS Securities LLC)

It is important to also note that there is no pending legislation that would protect employees from electronic observation. And according to the survey, nearly 14 percent of companies that monitor have not told employees about the practice. Large companies were less likely to tell their employees they were being watched.

A good rule of thumb to keep in mind when dealing with email and other electronic correspondence at work is that it is not absolutely private. In some network situations, managers do not allow individual passwords specifically to prevent privacy.

The Center for Public Interest Law www.privacyrights.org prepared a fact sheet about employer/employee rights regarding workplace privacy and computer monitoring. The following paragraphs are excerpted from the report:

Computer Monitoring
A computer terminal at work may be a company's window into an employee's workspace. There are several types of computer monitoring.

• Employers can use computer software that enables them to see what is on the screen or stored in the employees' computer terminals and hard disks.
• People involved in intensive word-processing and data entry jobs may be subject to keystroke monitoring. This system tells the manager how many keystrokes per hour each employee is performing. It also may inform employees if they are above or below the standard number of keystrokes expected. Keystroke monitoring has been linked with health problems including stress disabilities and physical problems like carpal tunnel syndrome.
• Another computer monitoring technique allows employers to keep track of the amount of time an employee spends away from the computer or idle time at the terminal.

Can My Employer Read My Terminal While I am Working?
Generally, yes. Since the employer owns the computer network and the terminals, he or she is free to use them to monitor employees.

Employees are given some protection from computer and other forms of electronic monitoring under certain circumstances. Union contracts, for example, may limit the employer's right to monitor. Also, public sector employees may have some minimal rights under the U.S. Constitution, in particular the Fourth Amendment, which safeguards against unreasonable search and seizure.

Email
Is email private? In most cases, no. If an email system is used at a company, the employer owns it and is allowed to review its contents. Messages sent within the company as well as those that are sent from your terminal to another company or from another company to you can be subject to monitoring by your employer. Court cases are currently pending in which employees' rights to privacy on electronic and mail systems are being considered.

When I delete messages from my terminal, are they still in the system? Yes. Email systems retain messages in memory even after they have been deleted. Although it appears they are erased, they are often permanently "backed up" on magnetic tape, along with other important data from the computer system.

My employer's email system has an option for marking messages as "private." Are those messages protected? In most cases, no. Many email systems have this option, but it does not guarantee your messages are kept confidential. An exception is when an employer's email policy states that messages marked "private" are kept confidential.

Is there ever a circumstance in which my messages are private? Some employers have begun to use encryption to protect the privacy of their employees' email. Encryption involves scrambling the message at the sender's terminal, then unscrambling the message at the terminal of the receiver. This ensures only the sender and his or her intended recipient read the message. While this system prevents co-workers and industrial "spies" from reading your email, your employer may still have access to the unscrambled messages.

Workplace Privacy Protections
What about my employer's promises regarding email and other workplace privacy issues. Are they legally binding? Yes. When an employer states a policy regarding any issue in the workplace, including privacy issues, that policy is legally binding. Policies can be communicated in various ways: Through employee handbooks, via memos, and in union contracts. For example, if an employer explicitly states that employees will be notified when telephone monitoring takes place, the employer must honor that policy. If you are not already aware of your employer's workplace privacy policies, it is a good idea to become informed.

These questions and answers highlight several issues that organizations must address. First, companies should clearly identify employee rights and responsibilities regarding Internet use. Secondly, each organization must consider how sensitive internal information is and how to secure it from unwanted access. While the Electronic Communications Privacy Act protects employees from employers monitoring personal communications, it also supports an employer's right to monitor stored electronic communications. But employers do have some restrictions in monitoring personal communications. The primary requirement: Employees must give their consent and that consent usually comes when an employee agrees to take the job. It is however in the best interest of the company to have a policy in writing.

Security Policy
Security is a business decision. Attached to any business decision should be a policy and security is no different. The process for creating a security policy usually requires the creation of a task force made up of representative members of your company to build a draft policy. Once the policy is finalized the most senior person, preferably the CEO, should sign it.

It is a good idea to have a small, simple policy augmented with standards and guidelines for appropriate and expected behavior.

Policy
The role of the policy is to first make clear what is being protected and why. Secondly, to clearly state the responsibility for that protection. Thirdly, it provides a ground on which to interpret and resolve any later conflicts that might arise.

Standards
Standards are intended to codify successful practice of security in an organization and are usually phrased in terms of "shall." Standards are developed in support of policy, and change slowly over time. They sometimes cover issues as how to screen new hires and how long to keep back-ups.

Guidelines
Guidelines are the "should" statements in policies. The intent of guidelines is to interpret standards for a particular environment - whether that is a software environment, or a physical environment. Unlike standards, guidelines may be changed if necessary. As the name suggests, guidelines are usually used as ways to help guide behavior.

A standard policy is the best way to avoid confusion among employees. The company's policy may give the employer the right to monitor electronic communication and when the job is accepted, the employee consents to being monitored. It is in the best interest of the company however, to make sure that policy is in writing.

There are organizations that offer Internet security software and/or consulting. The best way to find a Web security company to meet your needs is to do a search on the Internet. The following are a few to check out:

• Software Intelligence www.si.com.au, a consulting service that helps companies develop information security policies.
• Firewall Security Corp. achilles.wlk.com, which supplies expert design and installation of IP based Internet connectivity.
• Internet Security Systems Inc. (ISS) www.iss.net, a worldwide innovator of security solutions designed to augment the security performance of existing systems by complementing security safeguards such as firewalls, authentication and encryption.

Both employers and employees have a responsibility to know their rights and work together to responsibly utilize the Internet's vast resources of news, information and research tools.

Employee "A" is fired for downloading inappropriate material from the Web. It is not that he did not know his job was on the line when superiors discovered the downloaded files. But to be fired from a company he has been with for five years is a blow. He is a family man. Married for 15 years, four children - not to mention his reputation. One simple act and the repercussions are huge.

According to an article written by James A. Martin, from the November 1997 issue of PC World, access to the Internet has come at a high price for many organizations. Employers pay the cost in lost productivity, as some workers use their "free" Net access to shop, chat, pay bills, play games, or even download sexually explicit material. For employees, misuse of the Net can cost them their jobs.

A PC World survey of top executives found that, one in five firms has disciplined employees for improper Internet use - from taking away their surfing privileges to taking away their livelihood.

In fact, one-third of the companies contacted in the survey, "monitor where their employees go on the Net. Another 12 percent plan to begin this kind of monitoring in the next 12 months. In addition, firms with more than 1000 employees are twice as likely to monitor than their small and midsize counterparts."

But according to the survey, one half of the executives do not want to peer over employees' shoulders during work hours. And the reason they gave was simple: Employee rights.

Free speech has gone a long way since our founding fathers drew up the Bill of Rights over 200 years ago. Does it apply to an employee's use of the Internet while at work, when they use their employer's resources? Well, yes and no. In most cases companies are well within their rights to block their employees access to the Internet.

Firewall sales will grow from $160 million in 1995 to $980 million in 2000. That computes to 44 percent compound annual growth in the firewall market. (UBS Securities LLC)

It is important to also note that there is no pending legislation that would protect employees from electronic observation. And according to the survey, nearly 14 percent of companies that monitor have not told employees about the practice. Large companies were less likely to tell their employees they were being watched.

A good rule of thumb to keep in mind when dealing with email and other electronic correspondence at work is that it is not absolutely private. In some network situations, managers do not allow individual passwords specifically to prevent privacy.

The Center for Public Interest Law www.privacyrights.org prepared a fact sheet about employer/employee rights regarding workplace privacy and computer monitoring. The following paragraphs are excerpted from the report:

Computer Monitoring
A computer terminal at work may be a company's window into an employee's workspace. There are several types of computer monitoring.

• Employers can use computer software that enables them to see what is on the screen or stored in the employees' computer terminals and hard disks.
• People involved in intensive word-processing and data entry jobs may be subject to keystroke monitoring. This system tells the manager how many keystrokes per hour each employee is performing. It also may inform employees if they are above or below the standard number of keystrokes expected. Keystroke monitoring has been linked with health problems including stress disabilities and physical problems like carpal tunnel syndrome.
• Another computer monitoring technique allows employers to keep track of the amount of time an employee spends away from the computer or idle time at the terminal.

Can My Employer Read My Terminal While I am Working?
Generally, yes. Since the employer owns the computer network and the terminals, he or she is free to use them to monitor employees.

Employees are given some protection from computer and other forms of electronic monitoring under certain circumstances. Union contracts, for example, may limit the employer's right to monitor. Also, public sector employees may have some minimal rights under the U.S. Constitution, in particular the Fourth Amendment, which safeguards against unreasonable search and seizure.

Email
Is email private? In most cases, no. If an email system is used at a company, the employer owns it and is allowed to review its contents. Messages sent within the company as well as those that are sent from your terminal to another company or from another company to you can be subject to monitoring by your employer. Court cases are currently pending in which employees' rights to privacy on electronic and mail systems are being considered.

When I delete messages from my terminal, are they still in the system? Yes. Email systems retain messages in memory even after they have been deleted. Although it appears they are erased, they are often permanently "backed up" on magnetic tape, along with other important data from the computer system.

My employer's email system has an option for marking messages as "private." Are those messages protected? In most cases, no. Many email systems have this option, but it does not guarantee your messages are kept confidential. An exception is when an employer's email policy states that messages marked "private" are kept confidential.

Is there ever a circumstance in which my messages are private? Some employers have begun to use encryption to protect the privacy of their employees' email. Encryption involves scrambling the message at the sender's terminal, then unscrambling the message at the terminal of the receiver. This ensures only the sender and his or her intended recipient read the message. While this system prevents co-workers and industrial "spies" from reading your email, your employer may still have access to the unscrambled messages.

Workplace Privacy Protections
What about my employer's promises regarding email and other workplace privacy issues. Are they legally binding? Yes. When an employer states a policy regarding any issue in the workplace, including privacy issues, that policy is legally binding. Policies can be communicated in various ways: Through employee handbooks, via memos, and in union contracts. For example, if an employer explicitly states that employees will be notified when telephone monitoring takes place, the employer must honor that policy. If you are not already aware of your employer's workplace privacy policies, it is a good idea to become informed.

These questions and answers highlight several issues that organizations must address. First, companies should clearly identify employee rights and responsibilities regarding Internet use. Secondly, each organization must consider how sensitive internal information is and how to secure it from unwanted access. While the Electronic Communications Privacy Act protects employees from employers monitoring personal communications, it also supports an employer's right to monitor stored electronic communications. But employers do have some restrictions in monitoring personal communications. The primary requirement: Employees must give their consent and that consent usually comes when an employee agrees to take the job. It is however in the best interest of the company to have a policy in writing.

Security Policy
Security is a business decision. Attached to any business decision should be a policy and security is no different. The process for creating a security policy usually requires the creation of a task force made up of representative members of your company to build a draft policy. Once the policy is finalized the most senior person, preferably the CEO, should sign it.

It is a good idea to have a small, simple policy augmented with standards and guidelines for appropriate and expected behavior.

Policy
The role of the policy is to first make clear what is being protected and why. Secondly, to clearly state the responsibility for that protection. Thirdly, it provides a ground on which to interpret and resolve any later conflicts that might arise.

Standards
Standards are intended to codify successful practice of security in an organization and are usually phrased in terms of "shall." Standards are developed in support of policy, and change slowly over time. They sometimes cover issues as how to screen new hires and how long to keep back-ups.

Guidelines
Guidelines are the "should" statements in policies. The intent of guidelines is to interpret standards for a particular environment - whether that is a software environment, or a physical environment. Unlike standards, guidelines may be changed if necessary. As the name suggests, guidelines are usually used as ways to help guide behavior.

A standard policy is the best way to avoid confusion among employees. The company's policy may give the employer the right to monitor electronic communication and when the job is accepted, the employee consents to being monitored. It is in the best interest of the company however, to make sure that policy is in writing.

There are organizations that offer Internet security software and/or consulting. The best way to find a Web security company to meet your needs is to do a search on the Internet. The following are a few to check out:

• Software Intelligence www.si.com.au, a consulting service that helps companies develop information security policies.
• Firewall Security Corp. achilles.wlk.com, which supplies expert design and installation of IP based Internet connectivity.
• Internet Security Systems Inc. (ISS) www.iss.net, a worldwide innovator of security solutions designed to augment the security performance of existing systems by complementing security safeguards such as firewalls, authentication and encryption.

Both employers and employees have a responsibility to know their rights and work together to responsibly utilize the Internet's vast resources of news, information and research tools.