E-Commerce Law & Strategy
October 12, 2006

Jonathan Bick is of counsel to WolfBlock Brach Eichler of Roseland, New Jersey, and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of "101 Things You Need To Know About Internet Law" (Random House 2000). He can be reached at bickj@bicklaw.com.

An electronic communications policy (ECP) is an internal publication for employees outlining a firm's Internet, computer and electronic assets guidelines with the objective of reducing business risks.

Along with saving employees time, such publications can improve employee morale, prevent employee/management disagreements and keep users out of court.

An ECP, it's easy to see, is an important part of safeguards and employee knowledge bases at e-commerce firms.

ECP publications are usually composed of several standard sections. The most common sections include:

· Usage rules;

· Confidentiality and security;

· Monitoring and auditing;

· Reporting;

· Enforcement; and

· Acknowledgment.

An ECP should be reviewed in conjunction with a firm's employee manual, and in conjunction also with manuals related to records security. Some firms choose to integrate their ECP into such manuals.

WHAT AN ECP COVERS

A firm has a lawful property interest in, or a right to specify, the use of all information-processing and communications facilities employed in its business. Also, because computers can send faxes, telephone messages can be delivered by e-mail devices and many other electronic assets may exchange content, the ECP must cover:

· Computers;

· Fax machines;

· Telephones;

· Pagers;

· E-mail devices;

· Copiers;

· Software; and

· Internet assets.

Internet assets include content stored on the firm's computers, on a third party's assets (Internet service providers' servers) and on the firm's property that has no physical location (domain names).

WHO OWNS IT?

The most important clause in an ECP, and usually the first issue addressed, is resource ownership. This clause usually states that the employer owns or has the right to specify the use of all electronic communications resources. This clause also is usually followed by one identifying authorized users, such as: "Only employees are eligible to use the electronic communications resources but may do so only in accordance with the ECP."

If personal use of a firm's electronic communications resources is allowed, then the ECP must detail the limits of such use. For example, if incidental personal use is allowed, then the following clause might be used:

Employer permits employee to use its electronic communications resources for legitimate business purposes, including some personal use. Any personal use must be limited and must not affect performance and normal business activities; must not interfere with the firm's operations; must not compromise the security or reputation of the firm; and must not burden the firm with noticeable incremental costs.

Some ECPs use the existing policy for personal use of the telephone to construct the policy on other devices, replacing the word "telephone" with the phrase "electronic communications resources."

INCLUDE COMMUNICATIONS PROCEDURES

ECPs typically address employee communications procedures, such as disclaimers for electronic communications received in error. ECPs also normally require authorized users to use disclaimers in e-mails and faxes sent to third parties. For example, an ECP may require that any privileged, proprietary or confidential information be sent as an e-mail attachment. The disclaimer in the body of the e-mail would then read: "The attachment to this e-mail may be privileged, proprietary or confidential. Do not open it. It is intended only for the e-mail recipient noted above. If you are not the intended recipient or a person responsible for delivering this transmission to the intended recipient, you may not disclose, copy or distribute this transmission or take any action in reliance on it." The ECP should also contain a notice that precedes faxes.

An ECP should also address instant messaging. The policy choices are:

· Instant messaging is allowed;

· Instant messaging is allowed using company-sanctioned software; and

· Instant messaging is not allowed.

SETTING UP ID AND PASSWORD REQUIREMENTS

Most firms use IDs and passwords to limit access to their electronic communications resources. The ECP should set forth ID and password requirements and describe what the user must do to protect them. The actual password and ID features should not be included in the ECP to prevent a security breach should the ECP fall into the wrong hands. If encryption of e-mails or other electronic content is required, then the ECP should so specify.

Some ECPs include best-practices guidelines for electronic assets, such as e-mail and instant messaging. Such guidelines usually recommend that employees review the content of their e-mail communications prior to transmitting the messages. They also recommend use of the subject line to summarize the content of the e-mail. Since e-mail and instant messaging have become mainstream communications methods, most best practices specifically pertaining to e-mail and instant messaging have been dropped from many ECPs.

The ECP section dealing with what an employee may and may not communicate on an Internet public forum, online discussion or personal blog should dovetail with the employer's intellectual-property policies. In short, an employee may not discuss corporate details or disclose proprietary or confidential information electronically.

REMOTE ACCESS GUIDELINES

Remote access and use of electronic assets should be addressed by an ECP. Some firms allow certain authorized users to access the firm's network and work remotely. In some cases, the company may provide equipment to facilitate remote access. In those cases, the ECP should state that all the supplied equipment and software, and the information stored in them, are firm resources within the meaning of its ECP and that the ECP is intended to apply to them.

MONITORING AND AUDITING DISCLOSURE

An ECP should also contain a monitoring and auditing section. Employees should be told to expect to be monitored and audited. The ECP should state that the firm retains the right to monitor and audit all use of the firm's electronic resources, regardless of where such use is initiated, and retains the right to access all files and messages stored on or processed through the firm's resources. It should be noted that auditing involves opening and reviewing file content; monitoring focuses on traffic patterns, general and individual levels of usage, file subjects and types, file origins and destinations and network efficiency and security.

A classic monitoring and audit clause would state:

The company may engage in the systematic monitoring of electronic communications or other electronic files created by employees for valid business purposes, including employee supervision. Managers and supervisors may access, audit and disclose private electronic communications or files of an employee for any valid business purpose.

REPORTING VIOLATIONS

Many ECPs require authorized users to report all suspected and known violations of a firm's ECP. The ECP typically requires such reports to be directed to an employee's immediate supervisor. Failure to conform to this provision is a common basis for disciplinary action, which may include revocation of the privilege to use one or more of the firm's electronic resources, dismissal without notice, payment in lieu of notice and any further disciplinary or other actions the firm may deem appropriate.

OBTAINING EMPLOYEE ACKNOWLEDGMENTS

ECPs, as a rule, end with an acknowledgement section. This section usually states that the employee acknowledges receipt of the ECP and that, as a condition of employment, the employee is bound by the ECP.