Careless talk costs business

Implementing a firm but fair policy regarding the use of Web 2.0 applications in the workplace – and making penalties for misuse clear to all – are key to best practice

Businesses are now opting to use Web 2.0 applications such as social networking sites, instant messaging and corporate blogs. But should companies really integrate such technologies into the workplace, or are there too many hidden dangers?

Are Web 2.0 communications an essential part of modern business?

Many corporations have jumped at the opportunities presented by Web 2.0 applications. Consultant KPMG and researcher the Economist Intelligence Unit carried out a survey of 472 executives around the world and found that about 70 per cent of them believe that Web 2.0 tools will help employees to work more efficiently.

Instant messaging is less intrusive than a phone call and, unlike email, is immediate. Business social networking sites help develop contacts, and blogging can reveal a company’s personality and improve marketing, branding and PR.

Is it all good news or are there associated risks and liabilities?

Although Web 2.0 applications can all be used as valuable business tools, IT managers must ensure that workplace internet policies are prepared.

Corporate rumours, derogatory comments about colleagues and negative PR are all risks associated with online communications. Other potential problems include harassment, the leaking of confidential information and damage to company reputation. In short, there are many potential perils to be faced by employers as a result of online employee communication.

IT managers need to be aware that a company can be held responsible for the statements made by an employee, just as if the comments had been made by the company itself. Such a situation is known as vicarious liability, which may arise, for example, where a company sets up a blog as a marketing initiative, through which employees post material on behalf of the firm.

The company may still be liable where a blog is hosted or funded by the company, even though an employee might not be writing “on behalf of the company”. Defamatory statements can result in damage to a company’s reputation or brand and this is one of the greatest risks associated with corporate blogs.

How can I reduce the risk from Web 2.0 applications?

When communicating, employees must ensure they do not make reference to a third party’s trademarks, copy content, graphics or music. Such actions carry a risk of infringing the intellectual property rights of other organisations and could subsequently put the company at risk of being held liable.

It is important that companies make it clear to their employees that blogs are not the appropriate forum in which to raise statutory grievances. Where corporate blogs do express statutory grievances, the employer is required to follow a particular procedure.

If the employer does not notice the blogged grievance and the statutory procedure is not followed, the employee could be entitled to a significant increase in any damages awarded in an employment tribunal.

Even simple emails can cause employers sleepless nights. For instance, a court recently decided employers can be liable for sexual harassment as a result of the circulation of distasteful jokes.

Social networking sites can also act as a platform for anonymous racial/sexual discrimination because of their lack of background checks and some corporate use policies ban the accessing of such sites.

Should I be aware of other productivity issues?

A further troublesome issue for both employees and employers is the addictive nature of social networking sites. Some companies have even imposed “Facebook time” for employees. Employers have also been known to delve into personal profiles to check the character of job applicants, even though such use is potentially discriminatory.

However, the most dangerous aspect of applications such as Facebook or pe rsonal blogs is the damage that can be caused to a business through negative comments posted on such pages.

In February 2007, an Asda employee was sacked for creating a Facebook group which portrayed Asda in a negative light. And in 2005, a Waterstone’s employee was dismissed for being critical towards his boss and the bookseller on his personal blog. He was sacked for gross misconduct, though later successfully appealed against the decision.

But it is important to remember that with regards to both the Asda and Waterstone’s cases, the damage had in effect already been done. Bloggers are now largely remaining anonymous and actions against employee bloggers writing in the private environment are likely to remain few and far between.

What steps can I take to help limit potential damage?

Not all employees will be aware of what company information is, and what is not, appropriate to disclose. The situation can lead to slips, such as breaches of insider trading rules or the leaking of details about new product launches and poor financial figures.

Research suggests that a little less than 50 per cent of people discuss work-related issues on social networking sites and the increase of instant messaging has also had an impact on the security of confidential information.

Such instant messaging programs can leave the path open to hackers and allow easy access to sensitive information.

IT managers should also take note that derogatory company information, or video evidence of internal breaches of company health and safety measures, can also appear on video sites such as YouTube.

Dealing with potential problems in an effective manner could be troublesome, especially if the video exposes an issue that might be in the public interest. However, a possible remedy may be to seek an injunction to remove such videos from the relevant web site.

Is the monitoring of employee communications sufficient to mitigate identified risks?

Employers are responsible for monitoring the quality and quantity of work produced by their staff. Firms need to decide whether they should embrace a relationship of trust with staff and permit unrestricted access, or whether they should take steps to limit potential dangers.

Concerns over employee use of email and other online communication tools has led to the tightening of policies and monitoring of employees, which has in turn led to the sacking of employees for misuse of internet or email, as illustrated in the Asda case above.

Employers have access to technology that can monitor every key stroke or telephone call made by employees. However, employers must be careful to bear in mind the legislation and guidance which limits their scope for monitoring employees.

The Human Rights Act 1998, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 and the Employment Practices Data Protection Code (the “Code”) all apply. The Code, for example, specifies that employers should only monitor employees proportionately.

If the system involves the processing of information from which a living individual can be identified, the monitoring of employees’ email and internet use will be covered by the Data Protection Act 1998. The employer must inform employees that processing is taking place
and comply with the Act.

Employers should ensure that they have a widely publicised IT policy in place which covers all communications and compliance. Failure to do so would provide employees with a better chance of winning a summary dismissal case at an employment tribunal.

But simple employee monitoring counts for all but a preventative remedy and employers should continue to search for new methods. For example, initiatives such as corporate blogger “buddies” should be introduced, so that material can be reviewed before it is posted.

What areas should the IT manager prioritise?

Companies must assess the necessity of employee access to online communication tools against the security risks they pose. Organisations of all types must protect themselves from the liability of their employees’ inappropriate use of online applications.

In addition to written policy, businesses need to implement security products to monitor inbound and outbound messages, in whatever form. Because of the rapid growth of social networking, employers should watch out for cases that emerge during the next few years.

In the meantime, clear and detailed acceptable use policies should be drafted and publicised in the workplace. Further, such policies should be enforced as the courts will look to see what happens“in practice”.

Further preventative action may be more effective than dealing with an employee who has already breached a company’s communications policy. However, implementing such preventative measures is in itself a challenge.

Employers might, therefore, consider banning social networking sites altogether. However, banning Asda employees from using such sites in the workplace would not have prevented workers portraying the company in a bad light during their spare time.

In addition, workforce resentment at such draconian action might prove to outweigh the benefit of any arbitrary action.

John Skelton is senior associate at law firm Pinsent Masons