Tuesday, November 13, 2007

The Privacy Lawyer: Cyberloafing's Drain On Productivity

The latest joke or freaky animal picture moves across the Internet at the speed of sound (or broadband), and you forward it along to a few others, and so on and so forth. Luckily, the work E-mail is much faster than the access at home. Besides, who can get to the home computer with the kids and teens hogging it all night and day?

Whoops ... here comes the boss. Quick! Minimize the screen! Phew! That was close. Now back to [fill in the blank with whatever fad site or online community calls your name]. Do you hear it? "Parry," it calls, "your Neopet needs to be fed." "Check the lineup for your fantasy football team," "What is your account balance? Did you pay the Visa bill this month?" "Have you checked your horoscope to see if you'll be having a good day?" "Hmmm, that cruise you always wanted to go on may be on sale at LuxuryLink.com." "That motorcycle auction oneBay (NSDQ: EBAY) closes today." "Maybe your soul mate finally saw your profile on Match.com." "Your Friendster private circle calls." It's hard to focus on work when our personal lives beckon so frequently and can be addressed via the Internet so easily.

Never before have employees been so excited to get to work and focus all of their attention on their computer screens. But what passes for enthusiasm in the workplace is often an enormous waste of an employer's money. Some studies estimate that employers are losing up to $50 billion annually in wasted employee time and resources online. Others believe that number is seriously understated.

Management experts have estimated that only about 67% of any employee's workday is actually productive (without factoring in personal use of the Internet). The typical productivity losses range from coffee breaks to downtime while changing tasks to lack of organization. But with the advent of music downloading, online shopping, auction sites, and fantasy sports, that percentage is reduced quickly and radically.


Instant messaging, always on, carries messages from others also wasting time at work. Communications that never would have been made during the workday, given the ease and instantaneous gratification of a reply, are made all day long.

The sites that eat up productivity at work include eBay (you name it, you can find it on eBay), travel sites (where employees can plan their vacations, usually at a discount), E-commerce sites over the holidays, car-shopping and price-comparison sites, pornography, fantasy sports, horoscopes, banking, investment and stock-watch sites, cyberdating services, and, to rub salt in the employer's wound, job-hunting sites. Some of the newest rages online catch on first in the workplace. It's a matter of faster access and fewer interruptions than at home. And where downloading full-length movies and lots of music files are concerned, endless storage capacity on the network's servers.

So how is an employer supposed to reduce cyberloafing? Some have gone cold turkey and cut off Internet access and E-mails altogether. But most experts believe that cutting off Internet access is throwing the baby out with the virtual bathwater. Along with the wasted time comes improved productivity when the Internet is used as intended. Many studies have been conducted in which employees have indicated that they would sooner give up the phone than E-mail at work.

Some employers have opted for software to monitor employees' surfing activities and in some cases restrict their online activities. Most have adopted acceptable-use policies, and it's reported that 22% of employers have terminated employees because of violations of those policies. Others have restricted Internet access to those employees who require it for their work, limiting nonessential access. (Does every clerk in your mailroom really need surfing capability?)

There are even outsourcing companies that manage oversight for you. But what's really working? And what's the best way to get the employees to resist the call of the Internet and personal instant and E-mail messaging? And which online activities and sites are the most addictive? It's a little of "one from column A and two from column B." Knowing what your employees are doing, and how much time they're spending doing it, will help you find solutions that work for you.

Before you can forge a solution, you need to understand the scope of the problem. Do your homework:

# Who has access to the Internet/E-mail and instant messaging at work?

# Do you have a workplace acceptable/Internet use policy? What does it say about personal use of the Internet?

# What monitoring practices are in place, if any, that check if employees are using the Internet for personal surfing?

# Do you block access to certain popular time-wasting sites, such as job-hunting, investment, cyberdating, gaming, and auction sites?

# What do you do when you discover an employee has breached the permitted-use policy?

# Are certain personal uses more objectionable to you than others?

# Is personal Internet use permitted as long as the employee is otherwise productive?

# Do you monitor other electronic communications, such as phone calls?

# Do you have the IT ability to block access to certain sites or applications? Are you using the blocking technology? Who decides which sites are blocked and which ones get through?


# Do you have the IT ability to monitor which sites are accessed by employees? Are you using the monitoring technology? Who decides what monitoring is used and when it is used? Who's monitoring the monitors?

# Would your employees object to restricting their Internet use to work-related surfing? Would clamping down on personal Internet use adversely affect your workplace culture?

# Have you conducted efficiency audits? If so, what did they find?

In an upcoming column, I'll review some of the monitoring and blocking technologies and talk to the professionals who use them. We'll also review some of the legal problems with monitoring employee communications. In the meantime, I've given a few examples of favorite time drains at work. What sites and online activities lure you away from productive work? Take our survey. We'll reveal the results here in a few weeks.


http://www.informationweek.com/showArticle.jhtml?articleID=16000567

The Privacy Lawyer: Want The Low-Down On Your Cheating Spouse? Consider That You May Be Breaking The Law

The virtual fly on the wall ... how tempting it would be to read others' E-mails. And many of us give in to that temptation! Sometimes our emotions outweigh our common sense and we find ourselves "telling it to the judge."

What can we do, and what should we do? What's the difference between monitoring employees' surfing and electronic communications and snooping if you suspect that your significant other is cheating? When are E-mails off-limits? Can you read their E-mails if you think your partner is doing some business on the side, or that your assistant is looking for a new job? Can you read your kids' E-mails if you worry that they're talking to strangers online? What about your spouse's ex's E-mails if you're involved in a custody battle for the children?

That's exactly what got Angel Lee into trouble when she wanted to know more about what her spouse's ex was saying in her E-mails. And this month she was sentenced to a 60-day home detention by Judge Richard Matsch (the Colorado federal district court judge who oversaw the Oklahoma City case). Using the logon name and password she had obtained without authorization, she accessed the former wife's E-mail account, reading at least 215 E-mails. The snooping was instigated by a very heated divorce and custody case. Ms. Lee pleaded guilty in March of this year, and the sentencing was delayed until now. Judge Matsch, known for being a tough, "no-nonsense" judge, opted for an in-home detention because of the children living with Ms. Lee. While criminal prosecution of these kinds of cases is rare, I suspect that we'll see substantial increases over the next few years. As more people use the Internet for communication, and resources and software applications become more readily available teaching you how to spy on others online, this will become a serious problem. Some think it is already.

Divorce lawyers around the United States see online communications as a fruitful source of evidence of infidelity and wrongful conduct. They also see it as a serious risk for their clients who have been accused of infidelity and wrongful conduct. Private investigators who used to travel with cameras in hand staking out hotel rooms now do their stakeouts in cybertime from computer terminals.

In my role as executive director of WiredSafety.org, the world's largest online safety and help group, I receive hundreds of requests weekly from spouses, people involved in faltering romantic relationships, and even other lawyers seeking legal methods of cybersleuthing. As a privacy lawyer, my answer is always the same. "Not everyone we suspect of cheating is always cheating. If you snoop and the other person finds out, there's very little chance you can salvage trust or even the relationship. If you are going to move ahead anyway, tread carefully ... the laws are complicated and broad. While you may find out information about your spouse or girlfriend, you may also find yourself violating the wiretapping laws. And whatever 'evidence' you do find may not be admissible in a court of law. Finally, what is good for the goose is good for the gander ... so look out for someone trying to spy on you!" (Whew! My kids tell me my lectures to people who ask me about this online are second only to my lectures to them...)

The prime law in this area is the Electronic Communications Privacy Act of 1986, an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 commonly known as the federal "wiretap law." There are also similar state laws, most of which mirror the ECPA. The ECPA was adopted initially to govern third-party interceptions of electronic communications, not to govern a boyfriend's right to access his girlfriend's E-mails. It provides civil and criminal penalties for any person who intentionally intercepts, uses, or discloses "any wire, oral, or electronic communication." Electronic communication is defined as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo-electronic, or photo-optical system that affects interstate or foreign commerce...."

The ECPA also prohibits the use or recitation of information obtained from any interception. Most of the cases developed under the ECPA involve wiretapping of telephone and E-mail communications by law enforcement. Civilly, most of the case law, until recently, involved telephone monitoring. Under the ECPA, though, the owner of the communication equipment and services can usually monitor activities from that equipment. And in the marital setting, the courts have generally refused to review unauthorized access of the spouses' electronic communications. (This unwillingness to review possible violations probably wouldn't apply to people merely living together or involved in a relationship and not living together.)

In certain states where they exist, the person being spied upon may be able to seek relief under the common-law tort of invasion of privacy. Although many state courts have held that no such tort exists, the tort generally requires an intentional intrusion, "physical or otherwise, upon the solitude or seclusion of another upon his private affairs, or concerns ... if the intrusion would be highly offensive to a reasonable person."



http://www.informationweek.com/showArticle.jhtml?articleID=15600188

The Privacy Lawyer: What To Do Before The RIAA Knocks

The Recording Industry Association of America is taking dramatic steps to protect its copyrights against free file sharing, and it hasn't ruled out serving subpoenas on companies and universities that offer E-mail and Internet access to employees and students if it suspects that they use those systems to pirate material. So what do you do if worse comes to worst and the RIAA knocks?

Check your privacy policies. What do you say is done with data collected from users at your sites? What do they say you do with the data? Do you have a legal-process exception, and does the exception state that you comply with court orders? Have your privacy lawyers review the language. Are you subject to confidentiality agreements that might be affected by a demand for user information?

Call your data-management contractor. What protections do you have if it's served with a subpoena? Review the contract, and make sure it provides for legal-process exceptions and for sufficient advance notice to you if it's served before your contractor complies.

If you're managing others' data, make sure you're indemnified for complying with a 512(h) subpoena, which can be used to obtain the identities of everyone sharing music online. If you belong to a privacy program like Trust-e, make sure that complying with a 512(h) subpoena doesn't violate its policies. Check with counsel in advance about what information you maintain and how it's collected, stored, and accessed. You don't have to give up data you don't have. Don't collect what you don't have to. If there isn't a valid business purpose for it, the risks will always exceed the benefits of keeping it.

If you are subject to the Children's Online Privacy Protection Act, don't respond to a subpoena unless you get knowledgeable advice. Any response to the 512(h) subpoena in connection with a child under the age of 13 may violate the act, which carries legal consequences.

Talk to your privacy professionals to see if health, securities, or financial-privacy regulations are relevant when complying with a subpoena and make sure your human-resources team knows these issues.

Make sure your data- or Internet-related insurance cover good-faith compliance with a 512(h) subpoena.

Pull together a privacy assault team that includes your legal, data-security, privacy, HR, operations, marketing, and public-relations teams. Working together in the event of a serious privacy-implicated event is key to being able to handle it successfully and with minimal adverse impact.

Warn the applicable departments about the process, and make sure you're informed quickly if a subpoena is served. Response should be done under the watchful eye and informed advice of your privacy professionals, not by a clerk.

Review your acceptable Internet-use policy and make sure you prohibit the misuse of peer-to-peer apps.

Consider offering educational and awareness programs for your employees. Helping your employees talk to their children about the implications of downloading music online is helpful as well.

Run frequent audits to make sure P-to-P apps haven't been installed and, if possible, block access to peer-to-peer services. Remember that you don't want to be served, but if you are served, you don't want to be unprepared.


http://www.informationweek.com/showArticle.jhtml?articleID=15201212

The Privacy Lawyer: The Magical World Of Music Online

What is that song that keeps running through your head? You can remember a few words from the title, perhaps. Maybe you can also remember a line or two. No problem, zip over to lyrics.com and do a search using what you can remember. Bingo! You found it.

Now zip over to Kazaa and check it out. Luckily for you, there are several versions offered today. Set up the software, double-click on the title and, thanks to the generosity of others, you're on your way to hearing the song in real time. No charge.

Want to share the wealth? That's easy. The system's default is set to allow others to download whatever you have in your shared folder. You download from "arethafranklin07" and "RESPECT01" downloads it from you, and so on and so forth. All you need to do is click on the search application to find others who are sharing the songs you want next. The fact that you're now sharing the file will come up in the search, too.

If this doesn't come naturally, just ask your kids for help. Peer-to-peer music and media downloading accounts for a substantial portion of our kids' surfing activities. It's fast, easy, and free. And, obviously, it's not just for kids, either.

But all is not right in the magical world of P2P music and other media file sharing. The recording and music industry watchdogs are understandably reacting to large reported losses. While the numbers differ, losses as high as $14 billion in annual sales have been reported between 2000 and 2002, and several billion files are purportedly downloaded monthly. With the reported 60 million file sharers downloading music online, the recording industry attributes this lost revenue (and the high price of CDs) to the enormity of the online piracy problem. They are probably right.

Having complained about the problem for a few years without much sympathy and without any effect on the problem, the recording industry is now using strong-arm tactics to try to get the kids (and adults as well) to stop downloading music. They're suing kids and asking for the statutory damages of between $750 and $150,000 per shared song (plus attorneys' fees). So far, thousands of subpoenas have been issued and it's estimated that 76 new subpoenas are issued daily.

Litigants are lining up to either support or fight the Recording Industry Association of America's enforcement efforts. Lawyers have volunteered to handle some of the cases for those charged with piracy without charge. Defenses include claims that the person charged actually owned a copy of the CD before downloading the music online. (Experts tell us that it makes no difference whether she owned the CD or not, since she downloaded it from another source and shared it online.) In the several cases that have been settled before a lawsuit was actually brought, the accused have paid damages ranging from $2,000 to $15,000. This is a substantial reduction from the potential damages of millions or even billions of dollars if a lawsuit had been successful.

Bringing It Home
So, aside from worrying about how you're going to react when the cease-and-desist letter arrives charging your pre-teen with copyright piracy, how does this affect you and your employer? Why should you care about the online habits of copyright pirates? Let me count the ways.


http://www.informationweek.com/showArticle.jhtml?articleID=15200400

Legal Brief: When The Unthinkable Becomes A Reality

Child-pornography images are showing up in the most unlikely places--the desktops of professors and senior executives, lawyers, teachers, and others you would never have suspected, even your trusted employees. What would you do if the police heard about this before you did, directly from another one of your employees?

Suddenly, your carefully crafted Internet-use policy doesn't give you the coverage you expected. How should you deal with the contraband you discover on your company's computers? How should you handle the police, the employee who is implicated, and the employee who called the police?

The time to think about these questions is now. Being prepared, and preparing your employees, can make the difference between a difficult situation and a public-relations and legal disaster. To do that, you need to have a policy in place and procedures that implement that policy. Then you need to make sure that those policies and procedures are communicated to your employees.

First, review your existing Internet-use policy. Does it contain a provision dealing with criminal activities? What about pirated software and music? Have you created a procedure through which people can report abuses of the policy?

Next comes the hard part. You need to decide whether to report criminal activity to authorities or handle it as an internal matter. Many companies elect not to report employees' criminal activities to law enforcement. They handle these activities as a violation of company policy. Should your decision for handling discovered criminal activity depend on the type of activity involved? Are you more likely to forgive music pirating than child pornography? You need to work out these issues in advance and consult with your legal advisers. Failure to take action when you discover criminal activity may result in the company itself facing criminal charges.

Once the parameters are decided, create written policies and procedures that deal with criminal activities that are found on your computer system. They should include a description of the kinds of actions that are illegal, as well as a statement that they are only some examples. They should also include to whom and how violations should be reported. Make sure employees know that ignoring procedures is a violation of company policy and can be disciplined as such. Make sure the policy is signed by everyone.

Then you need to establish methods of investigation. Investigating child pornography is especially tricky. It doesn't take much for the investigator to violate the law. Possession, downloading, printing, or saving child-pornography images, in any format, or delivering it to anyone else is illegal, even when you intend to report it to legal authorities. When child pornography is suspected, law enforcement or private consultants trained in this area should be called, and the computer isolated immediately.


http://www.informationweek.com/showArticle.jhtml?articleID=9800062