Greater risk of information security breaches from increased use of social networking and web mail at work

The Department for Business Enterprise and Regulatory Reform's 2008 information security breaches survey reports that the most common forms of staff misuse of information systems are visiting inappropriate websites, excessive browsing and sending inappropriate emails. The average age of the Facebook user has gone up, with those between 25 and 44 years old now making up more than half of the social network user base growing from just 32% a year ago.

The continuing trend of older users signing up for the service along with the substantial growth in the number of adults in the UK who have an online profile creates issues for every workplace in the UK, which cannot be ignored.

Risks associated with social networking sites include the slowing down of IT systems and lost work time with such sites proving addictive for employees. Another risk is corporate infiltration. A breach of confidentiality is also easily caused if employees leave information either about themselves, the company or clients on their own profiles.  

One of the more significant risks is damage to the employer's reputation. An employee posting negative comments about their employer can easily bring an employer's name into disrepute.

Employees may post discriminatory comments, which may be interpreted as representing the thoughts of the employer leaving the employer open to a discrimination claim. Other risks include the use of social networking sites to bully/harass employees. Consequently, employers may find themselves defending claims for discrimination and/or constructive dismissal where the employer failed to take appropriate steps to prevent bullying or harassment of its employees. An employer may be liable not only for its own actions but also for those of its employees and some third-party actions in relation to bullying and harassment. Employees can also be liable for their own actions. 

Other potential claims include health and safety for failure to provide a safe place for the employee to work, criminal proceedings, breach of privacy and/or personal injury.  

Despite the negatives, there are also various benefits to using social networking sites at work. They can facilitate corporate social networking and specifically networking with colleagues in other locations and current or new clients. Social networking sites may also act as a forum for holding company meetings and provide a place for industry-focused blogs.  Interestingly, they can also be used to create a spirit of camaraderie and can act as a motivational tool for staff.

Employers with an IT policy in place should ensure that it refers to social networking and preferably ensure that each employee completes training in relation to the policy. Caution should be exercised in producing a policy on social networking. Banning access to all social networking sites may not necessarily be the right approach. It is the easiest approach and certainly within an employer's right. However, it may not be very popular among employees. Guidance on access should be provided.  

Employers should clearly set out what type of activities will lead to disciplinary action and ensure that certain actions outside work are also included. Employers should warn employees that their actions and usage of such sites are being monitored. It is also important for employers to obtain employee input when writing the policy. A two way employer/employee approach to producing the policy will mean the policy is more likely to be adopted and adhered to.

The Data Protection Act forbids employers from monitoring emails without first notifying their staff and employers should not open an employee's emails without a valid reason either. Monitoring email web and internet use in the workplace can be permissible once the employee has been informed. However, monitoring activity should not constitute blanket monitoring but should be proportionate and justified. Employers should also consider first whether it has the authority to access such information.  

For those employers who do not have an IT policy in place, existing policies and procedures should be audited. Thought should be given as to what happens day-to-day and unwritten practices should be considered. The important thing to remember is communication is key to the successful adoption of a policy. Employees need to be aware of any wider implications of their online activity and the potential action that could follow.

A good IT policy will ensure clarity regarding access and use of email, internet and social networking sites. It needs to clearly define how much access is too much. Thought should be given to security and the use of passwords. Guidance should be given on the expected language and etiquette to be used by employees when online and guidance should also refer to the use of laptops, Blackberrys and access via personal mobile phones. An IT policy should also refer to any acts that are prohibited such as online gambling. It should also inform employees that their online activities will be monitored. Employees should also be reminded of their duty of confidentiality.  

The three things to remember when addressing this issue is to train employees, put in place ongoing monitoring and take action as appropriate. With the increase in the average age of employees using social networking sites, companies would be well advised to review their IT policies and look at ways to avoid the gap between policy and practice.

Nick Sheppard is a partner at Langleys Solicitors