
Acceptable-Use Policies: Human Defenses Michael Swart, Steven, Daniel Connor



Learning Objectives

Acceptable-use policy as a security and legal necessity.

Balancing safety with piracy concerns.

User accountability and responsibilities.

Corporate accountability and responsibilities.

Characteristics of an effective AUP.

What is an AUP?

An Acceptable Use Policy is a company policy that defines (or should define) acceptable and unacceptable use of all components of the company’s information, computer networks, and communication systems.

An AUP should…

clearly specify the company’s standards for onsite access and remote access to corporate networks and secure use of company usernames, passwords, and computer accounts.

Introduction

An AUP helps the organization fulfill its “duty of care” to provide employees with a non-hostile working environment.

In general, a duty of care simply means that a company or person can’t create unreasonable risk of harm to others.

A non-hostile environment is one where employees are free from actions that are offensive:
– Morally
– Ethnically
– Racially
– Religiously

Why do we need AUPs?

Illustrated by two court cases:
– California DMV vs Allstate Insurance
– MCI Worldcom vs two employees

Allstate Insurance Co Employees Illegally Access Confidential Information

In February 2003, the California DMV cut off Allstate’s access to digital driving records.

A customer’s confidential address had been released, which resulted in a written threat.

Investigations found 131 violations of confidentiality rules.

Lawsuits Pending

The DMV director said he would ask the state attorney general’s office to seek fines against Allstate.

A civil lawsuit would be filed outlining the specific instances of improper behavior.

Accessing DMV information under false pretenses carries up to a $100,000 fine for each violation.

MCI Worldcom’s AUP Leads to Early Dismissal of Lawsuit

The lawsuit was filed by two employees who had received four emails containing racial jokes.

They claimed that the company had been negligent by allowing the corporate email system to be used for harassment.

They also claimed that the defendant retaliated against them for using the jokes in the suit.

Outcome

The court dismissed the plaintiffs' claim of negligence against MCI Worldcom.

Three reasons:
– Had an established email acceptable-use policy that expressly prohibited discriminatory email.
– Had acted consistently in enforcing the policy against the employee who sent the email.
– Took remedial action to enforce its written email policy.

The Discipline and Diligence Defense Tier

Inform employees of their responsibility and rules within the company.

Rarely are these policies updated. Huge investments are taking place but are ineffective unless commitment is made from the employees.

Discipline and Diligence break old habits with training, reminders, and enforcement.

Dual Functions of the AUP

(1) Prevent misuses from occurring.
– Help prevent security breaches by informing employees of what they can and cannot do.
– Clarify expectations about personal use of company equipment, privacy, and user responsibility.
– Warn employees of monitoring.
– Outline the consequences of non-compliance.

Employee abuse increases

Employees are more likely to abuse privileges when acceptable use has not been clearly outlined and enforced.

According to the courts, if a company does not take action to prevent a hostile work environment, then it is guilty of promoting it.

According to surveys by the ePolicy Institute, the AMA, and US News and World Report, 63 percent of US companies monitor employee internet activities.

Employees’ email and Internet records are being used against companies during the discovery process of lawsuits, so prevention is all the more critical.

Dual Functions (cont)

(2) Legal Protection
– A uniformly enforced AUP is supporting evidence that the organization exercised its legal duty to safeguard employees.
– Companies have learned that email policy is useless in court.
– There are two legal doctrines relevant to employer liability.

Legal Theories and Employer Liability Issues

Respondeat Superior Doctrine and Liability.

Negligent Supervision and Duty of Care.

Respondeat Superior and Liability

Respondeat Superior: a doctrine that holds employers liable for misconduct of their employees that occurs within the scope of their employment.

Scope of their employment: conduct that occurs substantially within the authorized time and space limits of the job.

Continue: Respondeat Superior and Liability

On November 23, 2001 the U.S. and 29 other countries signed the Convention on Cybercrime.

It seeks to ensure that when a company fails to supervise employees and a computer crime is committed, the company is held liable if the crime occurred with its knowledge, consent, or approval.

Negligent Supervision and Duty of Care

Employer is also liable for the damages that result from negligent supervision of employees.

This may extend to actions outside the scope of employment.

Under the doctrine of duty of care, directors and officers have a fiduciary obligation to use reasonable care to protect their company's business operation.

Continue: Negligent Supervision and Duty of Care

Businesses can no longer rely on force majeure (“force of nature” or “beyond human control”) with respect to hackers, because these attacks have happened often enough to become foreseeable.

In the case of a security breach, the corporate officers and directors can have a lawsuit filed against them claiming they did not ensure adequate protection.

Characteristics of Effective AUPs

Comprehensive Scope: must apply to everyone working and to all devices, such as desktops, laptops, and cell phones.

Clear Language: must be concise and explain all unique aspects of the firm or business.

Adaptive Content: must allow constant revision due to new technology.

Continue: Characteristics

Extension to Other Company Policies: protects intellectual property and prohibits harassment in physical and virtual environments.
– Virtual environment: where business is being conducted outside of the firm.

Enforcement Provisions: must be maintained and enforced consistently or could be seen as discrimination.

Continue: Characteristics

Consent: Acceptance and adoption of the AUP should not be passive.
– Require a signed agreement.
– Implied consent: usually a notice on computers or machines stating that using the equipment means you agree to all the rules and regulations.

Accountability: constantly research cases to ensure that the environment is safe for workers and others around them and that all are treated equally.

AUP Template

Chapter 6 provides an Acceptable Use Policy Template that can be used to review a current AUP or form a basis for a new AUP.

Changing technology and legislation mean that AUPs can become outdated quickly and require at least an annual review.

Template (cont)

There is no one perfect template for an Acceptable Use Policy.

To compose a relevant and feasible AUP, managers must assess:
– IT resources
– Infrastructure
– Culture
– Business needs

Template Policy Key Objectives

Protect company against computer crime, viruses, hackers, cyber pranks.

Maintain a non-hostile workplace.

Prevent sexual and racial discrimination, copyright infringement, and software piracy.

Maintain productive use of company IT resources.

Provisions and Prohibitions

Users are not allowed to:
– Forward or save email chains.
– Use email for discussion forums.
– Use IT resources for personal gain.
– Dishonor copyright laws.

Users should:
– Check email daily.
– Scan all new files before opening them.
– Treat all files sent or received as company files, not to be printed or taken out of the firm’s physical environment.
– Only let authorized users use certain IT resources.

Compliance

The company may choose to monitor or review all use of its IT resources, including but not limited to:
– Email sent and received.
– Internet usage.
– Computer files, documents, and faxes created, stored, deleted, or distributed.
– Any files that contain images, text, video, or audio content.
– Installed software, for licensing.

All computer activities create audit trails! No user can view another person’s email without permission.

Compliance Continued

Users are to report any violation of the AUP to (specific persons, titles).

All users assume full liability for their use of IT resources. Users release the company from any and all liabilities or claims relating to the company’s IT resources.

The policy may be amended or revised as necessary by the company.

Summary

Employers who have an effective, well-publicized AUP that is enforced with proper monitoring and violation procedures have a better chance of escaping liability and damages resulting from employee abuse.

Those who do not are risking liability, because employers have the burden of proving an affirmative defense in court.