New Jersey Law Journal    August 14, 2006 ,



By Jonathan Bick Bick is of counsel to WolfBlock Brach Eichler of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law [Random House 2000].

An Electronic Communications Policy (ECP) is an internal publication for employees outlining a firm's Internet, computer and electronic assets guidelines with the objective of minimizing business risks. Along with saving employees time, such publications can improve employee morale, prevent employee-management disagreements and even keep users out of court.

ECP publications are usually composed of several standard sections. The most common sections include: Usage rules; Confidentiality and Security; Monitoring and Auditing; Reporting; Enforcement; and Acknowledgement. An ECP should be reviewed in conjunction with a firm's employee manual, and manuals related to records security. Some firms choose to integrate their ECP into such manuals.

A firm has a lawful property interest in, or a right to specify, the use of all information processing and communications facilities employed in its business. In addition, because computers can send faxes, telephone messages can be delivered by e-mail devices and many other electronic assets may exchange content, the ECP must cover computers, fax machines, telephones, pagers, e-mail devices, copiers, software and Internet assets. Internet assets include content stored on the firm's computers, on a third party's assets (Internet Service Provider's servers) and on the firm's property which has no physical location (domain names).

The most important clause in an ECP, and usually the first issue addressed, is resource ownership. The clause pertaining to resource ownership usually states that the employer owns or has the right to specify the use of all electronic communication resources. This clause is usually followed by one identifying authorized users, such as 'Only employees are eligible to use the electronic communications resources but may do so only in accordance with the ECP.'

In the event personal use of a firm's electronic communication resources is allowed, the ECP must detail the limits of such use. For example, if incidental personal use is allowed, the following clause might be used, 'Employer permits employee to use its electronic communication resources for legitimate business purposes, including some personal use. Any personal use must be limited and must not affect performance and normal business activities; must not interfere with the firm's operations; must not compromise the security or reputation of the firm, and must not burden the firm with noticeable incremental costs.' Some ECPs use the existing policy for personal use of the telephone, replacing the word 'telephone' with the phrase 'electronic communication resources.'

ECPs typically address employee communication procedures, such as disclaimers for electronic communications received in error. ECPs normally require authorized users to use disclaimers in e-mails and faxes sent to third parties. For example, an ECP may require that any privileged, proprietary or confidential information be sent as an e-mail attachment. The disclaimer in the body of the e-mail would then read, 'The attachment to this e-mail may be privileged, proprietary or confidential. Do not open it. It is intended only for the e-mail recipient noted above. If you are not the intended recipient or a person responsible for delivering this transmission to the intended recipient, you may not disclose, copy or distribute this transmission or take any action in reliance on it.' The ECP should also contain a notice that precedes faxes.

An ECP should also address instant messaging. The policy choices are: instant messaging is allowed; instant messaging is allowed using company-sanctioned software; and instance messaging is not allowed.

Most firms use IDs and passwords to limit access to their electronic communication resources. The ECP should set forth ID and password requirements, and describe what the user must do to protect them. The actual password and ID features should not be included in the ECP, to prevent a security breach should the ECP fall into the wrong hands. If encryption of e-mails or other electronic content is required, the ECP should so specify.

Some ECPs include best practices guidelines for electronic assets, such as e-mail and instant messaging. Such guidelines usually recommend that employees review the content of their e-mail communications prior to transmitting the messages. They also recommend use of the subject line to summarize the content of the e-mail. Since both e-mail and instant messaging have become mainstream communication methods, most best practices specifically pertaining to e-mail and instant messaging have been dropped from many ECPs.

The ECP section dealing with what an employee may and may not communicate on an Internet public forum, online discussion or personal blog, should dovetail with the employer's intellectual property policies. In short, an employee may not discuss corporate details or disclose proprietary or confidential information electronically.

Remote access and use of electronic assets should be addressed by an ECP. Some firms allow certain authorized users to access the firm's network and work remotely, either generally or when temporarily necessitated by circumstances, such as medical reasons. In some cases the company may provide equipment to facilitate remote access. The ECP should state that all the supplied equipment and software and the information stored in them are firm resources within the meaning of its ECP and the ECP is intended to apply to them.

An ECP should contain a monitoring and auditing section. Employees should be told to expect to be monitored and audited. The ECP should state that the firm retains the right to monitor and audit all use of the firm's electronic resources, regardless of where such use is initiated, and the right to access all files and messages stored on or processed through the firm's resources. It should be noted that auditing involves opening and reviewing the content of files; monitoring focuses on traffic patterns, general and individual levels of usage, file subjects and types, file origins and destinations and network efficiency and security.

A classic monitoring and audit clause would state: 'The company may engage in the systematic monitoring of electronic communications or other electronic files created by employees for valid business purposes, including employee supervision. Managers and supervisors may access, audit and disclose private electronic communications or files of an employee for any valid business purpose.'

Many ECPs require authorized users to report all suspected and known violations of a firm's ECP. The ECP typically requires such reports to be directed to an employee's immediate supervisor. Failure to conform to this provision is a common basis for disciplinary action, which may include revocation of the privilege to use one or more of the firm's electronic resources, dismissal without notice, payment in lieu of notice and any further disciplinary or other actions the firm may deem appropriate.

ECPs, as a rule, end with an acknowledgement section. This section usually states that the employee acknowledges receipt of the ECP and that, as a condition of employment, the employee is bound by the ECP.