As the holidays approach, more of us will be utilizing work time, and likely work resources, to handle our holiday shopping. Some of us may even post our shopping successes or gift ideas on Facebook or email coupons to friends. Doing so not only results in a loss of employee productivity, but also creates significant risk that personal data will be breached, or employers’ software or hardware compromised.
A recent survey conducted on behalf of the Information Systems Audit and Control Association (“ISACA”) found that over half of employees surveyed planned to shop online from a work computer this holiday season, spending nearly two full working days (14.4 hours) doing so. With convenience and boredom listed as the biggest motivators, one in 10 planned to spend at least 30 hours shopping online at work.
The survey also found that those who shop online are more likely to engage in other high-risk behaviors, such as banking online, clicking on links from social networking sites like Facebook, and clicking e-mail links redirecting them to shopping sites. Employees engage in these high-risk behaviors with nearly universal disregard for the safety of the employer’s IT infrastructure. This is highlighted by the fact that one in 10 Americans who use a mobile work device, such as a Blackberry or iPhone, plan to use it for holiday shopping, notwithstanding the lack of security measures on those devices.
Robert Stroud, international VP of ISACA and VP of IT service management and governance for the service management business unit at CA Inc., in connection with the survey above was quoted as saying,
[I]t’s unrealistic to think that companies can completely stop the use of work computers for online shopping…[W]hat companies can and should do is educate employees about the risks…and remind them of their company’s security policy. This is especially important this year, when the convenience of shopping online may be very appealing to employees whose workloads have doubled or tripled because of downsizing.
The Wall Street Journal recently published an article highlighting employers’ efforts to monitor employees’ usage of company time and resources for personal e-mail exchanges, and suggesting a trend that courts seem to be more protective of employee privacy rights than in years past. The WSJ article raised a number of concerns for employers, including that of our own Jane McFetridge, a Jackson Lewis partner in our Chicago office –
Employers are right to expect their employees when they are paid for their time at work are actually working.
What ever a company’s policies are concerning managing or monitoring employee communications, now is as good a time as any to revisit those policies and remind employees of their existence. With the use of technology increasing and the position of the courts appearing to shift toward employees, it is becoming more difficult for employers to manage the employee use of their electronic systems. Having and communicating a clear and comprehensive electronic communications policy is critical.
Steps an employer can take include having acceptable-use policies, reviewing those policies with employees to educate them about the risks, and familiarizing themselves with state laws governing the monitoring of employee computer usage.