Employee Privacy: Computer-Use Monitoring Practices and Policies of Selected Companies (27-SEP-02, GAO-02-717). Over the past decade, there has been a technological revolution in the workplace as businesses have increasingly turned to computer technology the primary tool to communicate, conduct research, and store information. Also during this time, concern has grown among private sector employers that their computer resources may be abused by employees--either by accessing offensive material or jeopardizing the security of proprietary information--and may provide an easy entry point into a company's electronic systems by computer trespassers. As a result, companies have developed "computer conduct" policies and implement strategies to monitor their employees' use of e-mail, the Internet, and computer files. Federal and state laws and judicial decisions have generally given private sector companies wide discretion in their monitoring and review of employee computer transmissions. However, some legal experts believe that these laws should be more protective of employee privacy by limiting what aspects of employee computer use employers may monitor and how they may do so. Following the September 11, 2001, terrorist attacks on the United States, policymakers re-examined many privacy issues as they debated the USA PATRIOT Act, which expands the federal government's authority to monitor electronic communications and Internet activities. GAO reviewed 14 private sector companies' monitoring policies and found that all companies reviewed store their employees' electronic transactions: e-mail messages, information on Internet sites visited, and computer file activity. They collect this information to create duplicate or back-up files in case of system disruption; to manage computer resources such as system capacity to handle routine e-mail and Internet traffic; and to hold employees accountable for company policies. Representatives from all of the companies had policies that contained most of the elements experts agreed should be included in company computer-use polices. None of the companies GAO studied had changed any of their employee computer-use policies or monitoring practices after the September 11 attacks. Most companies did, however, report a growing concern about electronic intrusion into their computer systems from outside trespassers or viruses and had increased their vigilance by strengthening their surveillance of incoming electronic transmissions. -------------------------Indexing Terms------------------------- REPORTNUM: GAO-02-717 ACCNO: A05096 TITLE: Employee Privacy: Computer-Use Monitoring Practices and Policies of Selected Companies DATE: 09/27/2002 SUBJECT: Electronic mail Internet Internet privacy Policy evaluation Private sector Private sector practices Right of privacy Computer security Information resources management ****************************************************************** ** This file contains an ASCII representation of the text of a ** ** GAO Product. ** ** ** ** No attempt has been made to display graphic images, although ** ** figure captions are reproduced. Tables are included, but ** ** may not resemble those in the printed version. ** ** ** ** Please see the PDF (Portable Document Format) file, when ** ** available, for a complete electronic file of the printed ** ** document's contents. ** ** ** ****************************************************************** GAO-02-717 Report to the Ranking Minority Member, Subcommittee on 21st Century Competitiveness, Committee on Education and the Workforce, House of Representatives United States General Accounting Office GAO September 2002 EMPLOYEE PRIVACY Computer- Use Monitoring Practices and Policies of Selected Companies GAO- 02- 717 Page i GAO- 02- 717 Employee Privacy Letter 1 Results in Brief 3 Background 4 Private Sector Companies Gathered Information on Employees* Computer Use and Some Read and Reviewed Contents 6 Companies Developed Comprehensive Computer- Use Policies and Informed Their Employees 9 Companies Have Not Changed Their Computer- Use Policies or Monitoring Practices as a Result of the September 11 Terrorist Attacks 13 Appendix I GAO Contacts and Staff Acknowledgments 15 GAO Contacts 15 Staff Acknowledgments 15 Tables Table 1: Key Elements of a Computer- Use Policy 10 Table 2: Company Notification Practices 11 Abbreviations ECPA Electronic Communications Privacy Act of 1986 Contents Page 1 GAO- 02- 717 Employee Privacy September 27, 2002 The Honorable Patsy T. Mink Ranking Minority Member Subcommittee on 21st Century Competitiveness Committee on Education and the Workforce House of Representatives Dear Ms. Mink: Over the past decade, there has been a technological revolution in the workplace as businesses have increasingly turned to computer technology as the primary tool to communicate, conduct research, and store information. As the use of computer technology has increased, so has concern grown among private sector employers that their computer resources may be abused by employees* either by accessing offensive material or jeopardizing the security of proprietary information* and may provide an easy entry point into a company*s electronic systems by computer trespassers. As a result, companies have developed *computer conduct* policies and implemented strategies to monitor their employees* use of e- mail, the Internet, and computer files. National surveys have reported that many companies are engaged in such practices. Federal and state laws and judicial decisions have generally given private sector companies wide discretion in their monitoring and review of employee computer transmissions, including the Internet and e- mail. However, some legal experts believe that these laws should be more protective of employee privacy by limiting what aspects of employee computer use employers may monitor and how they may do so. Private sector practice of monitoring their employees* electronic transactions has raised questions about the appropriate balance between employees* privacy rights in the workplace and companies* rights to protect themselves and their employees by monitoring their employees* electronic transactions. In addition, following the September 11, 2001, terrorist attacks on the United States, policymakers re- examined many United States General Accounting Office Washington, DC 20548 Page 2 GAO- 02- 717 Employee Privacy similar privacy issues as they debated the USA PATRIOT Act, 1 which expands the federal government*s authority to monitor electronic communications and Internet activities. You asked us to determine from a diverse group of private sector companies (1) to what extent and for what purpose selected private sector employers gather information on employees* use of e- mail, the Internet, and computer files; (2) to what extent these private sector employers notify their employees of their policies on the use and review of e- mail, the Internet, and computer files; and (3) whether these private sector employers have changed their policies and practices on gathering information on employees* use of computer resources as a result of the September terrorist attacks. To gather information to respond to these questions, we reviewed the literature and research on private and public sector monitoring of employees* use of e- mail, the Internet, and computer files. In addition, we interviewed privacy experts from universities, officials and researchers from national business organizations, and officials from the Department of Labor and the National Labor Relations Board. 2 To illustrate private sector policies and practices regarding monitoring, we conducted interviews with officials from 14 Fortune 1,000 private sector companies from five industry categories* financial services, general services, manufacturing, professional services, and wholesale/ retail. Eight of the interviews were by telephone and 6 were site visits. In these discussions, we talked with various company officials, including representatives from their general counsel*s offices, human resource departments, internal audit, and computer security administrators. The data gathered from these 14 companies are for illustrative purposes only and do not represent the monitoring policies and procedures for all private sector companies in the United States. We obtained detailed information on written policies covering the employee use of company computer resources and reviewed the written policies of 8 of these companies. We also obtained comments on a draft of this report from experts on employee rights and the legal aspects of private sector monitoring. Because there are no federal executive agencies with oversight responsibilities in this area, we did not obtain federal agency comments on this report. We conducted our work 1 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, P. L. 107- 56, October 26, 2001. 2 The National Labor Relations Board is an independent federal agency, and one of its principle functions is to prevent and remedy unfair labor practices by either labor unions or private sector employers. Page 3 GAO- 02- 717 Employee Privacy between September 2001 and August 2002 in accordance with generally accepted government auditing standards. All 14 companies we reviewed store their employees* electronic transactions: e- mail messages, information of Internet sites visited, and computer file activity. These companies reported they collect this information to create duplicate or back- up files in case of system disruptions; to manage computer resources such as system capacity to handle routine e- mail and Internet traffic; and to hold employees accountable for company policies. Eight of these companies reported that they would read and review these electronic transactions if they receive other information that an individual may have violated company policies. When such circumstances arise, these employers can review employees* electronic transactions to find if violations of company computer- use policies such as visits to sites containing offensive or disruptive material and improper protection of proprietary information have occurred. On the other hand, 6 companies we contacted routinely analyzed their employees* transactions to find possible inappropriate uses of company computer resources. While all the companies we contacted have investigated employees for misuse of computer resources, company officials told us that such investigations are rare and, if violations of company policies are found, result in a range of disciplinary actions. Representatives from all of the companies we contacted had policies that contained most of the elements experts agreed should be included in company computer- use policies. For example, all company policies affirmed their rights to review employee use of company computer assets, described appropriate employee uses of these assets, and detailed penalties for misuse. We also found that all companies disseminated information about these policies, although in a variety of ways. For example, 8 companies require new employees to attend training that includes the review of companies* computer- use policies. Some companies required employees to complete on- line training while others used videotapes. Another company we reviewed conducted biannual sessions on appropriate business conduct, which included appropriate e- mail and Internet behavior. We found that none of the companies we studied had changed any of their employee computer- use policies or monitoring practices after the September 11 terrorist attacks. Most companies did, however, report a growing concern about electronic intrusion into their computer systems from outside trespassers or viruses and had increased their vigilance by Results in Brief Page 4 GAO- 02- 717 Employee Privacy strengthening their surveillance of incoming electronic transmissions. Most companies had, for instance, begun to delete certain attachments from incoming e- mail, and some block incoming e- mails based on certain words or phrases in the subject line or text. This apprehensiveness concerning possible threats did not lead company officials to increase either their suspicion of employees or the information they collected from them. But new vigilance against demonstrated dangers and nuisance is leading companies to tighten control over their computer systems. For more than a decade, rapid increases in the use of computer technology, both at work and in the home, have changed the way Americans work and communicate. As of September 2001, 174 million people* 66 percent of the U. S. population* were using computers in their homes, schools, libraries, and work. In the workplace, 65 million of the 115 million employed adults age 25 and over, almost 57 percent, used a computer at work. However, in recent years, while the increase in the percentage of employees using computers has been modest (52 percent in 1998 to 57 percent in 2001), the percentage using the Internet and/ or e- mail at work grew from about 18 percent in 1998 to almost 42 percent in 2001. 3 As the use of these electronic technologies has increased in the workplace, so have employers* concerns about their employees* use of company- owned computing systems* e- mail, the Internet, and computer files* for activities other than company business. Likewise, privacy advocates have raised concerns about the potential for employers to infringe upon employees* right to privacy. In response to these concerns, many employers have developed policies to notify their employees that they monitor use of these systems and to provide guidance to employees about the appropriate uses of the computing technologies. Information on the number of private sector companies that monitor their employees, their monitoring practices, and their effects on employee productivity and morale is very limited. While some of these studies suffer from methodological limitations such as low response rates, taken together they seem to indicate a general trend towards employers* increased monitoring 3 U. S. Department of Commerce, A Nation Online: How Americans Are Expanding Their Use of the Internet, February 2002. Background Page 5 GAO- 02- 717 Employee Privacy of their employees. 4 In addition, software developers have made it easier and inexpensive for businesses to monitor their employees by creating software that can, for example, scan e- mail messages for certain words or phrases and/ or block inappropriate Internet sites. The Electronic Communications Privacy Act (ECPA) of 1986, 5 which is intended to provide individuals with some privacy protection in their electronic communications, has several exceptions that limit its ability to provide protection in the workplace. For example, the act does not prevent access to electronic communications by system providers, which could include employers who provide the necessary electronic equipment or network to their employees. (See, e. g., U. S. v. McLaren, 957 F. Supp. 215 (M. D. Fla. 1997)). Because the ECPA provides only limited protection to private sector employees, some privacy advocates have called for a new law that would specifically address workplace computer privacy and limit the powers and means of employer monitoring. The most recent federal statute affecting privacy in the workplace is the USA PATRIOT Act, 6 which was enacted in the wake of the September 11, 2001, terrorist attacks. This act expands the federal government*s authority to monitor electronic communications and Internet activities, including e- mail. However, no federal executive agency has general oversight responsibilities for private sector employee- monitoring programs. Many states have statutes that are similar to the ECPA, with greater protection in some cases. Additional protection may be provided through state common law, which is based on judicial precedent rather than legislative enactments. Such decisions, however, have generally given employers substantial leeway in monitoring computer use of their employees. While state common law may recognize the right of an individual to take legal action for an offense known generally as *invasion of privacy,* such actions historically have not provided employees with additional protections. Courts have found that employers* monitoring of their employees* electronic transmissions involving e- mail, the Internet, 4 American Management Association, 2001 AMA Survey Workplace Monitoring & Surveillance Summary of Key Findings; The Society for Human Resource Management, 2000 Workplace Privacy Survey; The Privacy Foundation, The Extent of Systematic Monitoring of Employee E- mail and Internet Use, July 2000. 5 P. L. No. 99- 508. 6 P. L. No. 107- 56. Current Law Allows Wide Discretion in Employer Monitoring Page 6 GAO- 02- 717 Employee Privacy and computer file usage on company- owned equipment is not an invasion of privacy. Invasion of privacy claims against an employer generally require employees to demonstrate, among other things, that they had a *reasonable expectation of privacy* in their communications. Courts have consistently held, however, that privacy rights in such communications do not extend to employees using company- owned computer systems, even in situations where employees have password- protected accounts. All 14 companies we contacted routinely collected and stored employee e- mail messages, information on Internet sites visited, and computer file activity. Eight of these companies reported that they only read or reviewed information on employees* electronic transmissions once the company determined that a further investigation of employee conduct was warranted. However, 6 of 14 companies told us that they routinely performed additional analyses on the stored information to determine if employees were misusing company computer resources. For example, these companies routinely searched the e- mail message titles, addresses, or contents for proprietary information or offensive language. In general, we found that the companies we studied initiated few investigations of employee computer conduct. Most of the companies that have reviewed information on employees* electronic transmissions and determined that misuse occurred, reported that penalties ranged from counseling and warnings to termination. All 14 companies collected and retained electronic transmission data as part of their normal business operations, primarily as backup files and to manage their computer resources. Backup files can be quickly restored if a computer system failure occurs, and the company*s operations can continue with as little interruption as possible. However, according to company officials, the information on these backup files was also available as a source of data for reviews of individual employee e- mail messages, Internet use, or computer files. Company officials also said that stored data were used to manage their computer resources. For example, officials at one company told us that they collect e- mail and Internet data to track the systems* capacity. Another company*s representatives said they use the collected information for troubleshooting and to correct network problems. The 14 companies collected different information for e- mail, Internet use, and computer files. For e- mail messages, officials from the 14 companies reported they generally collect and store all business and personal Private Sector Companies Gathered Information on Employees* Computer Use and Some Read and Reviewed Contents Companies Routinely Collected and Stored Information on Employee E- mail, the Internet, and Computer Files Page 7 GAO- 02- 717 Employee Privacy incoming and outgoing e- mail messages including attachments, addresses, and the date and time the e- mail was sent or received. For the Internet sites visited, generally the information collected included the web address and the date and time the website was used. For computer file activity, all the contents of the files on their network computer systems were backed- up daily. Officials from the 14 companies reported they retained these data for short periods of time. Nine of these companies said that they generally retained these files for 90 days or less, and one company kept its e- mail data for as little as 3 days. Eight of the companies reported that they would only review the employee electronic transmission data they collected if there was an indication of employee misuse of computer resources and the company initiated an investigation. Generally, investigations were initiated by either a complaint submitted to management by a company employee or a *request for information* by management concerning an employee*s conduct. These initiating requests were usually reviewed by a number of company officials, including representatives from Human Resources, General Counsel, or Computer Security prior to the actual retrieval of employee information. Company officials told us that unless they received a request for data, they would not review any of their employees* electronic transmissions. They added that access to any data collected for an investigation is restricted to a limited number of company officials. Company officials cited several reasons for establishing this reactive approach for reviewing employee electronic transmissions. One company believed it was important to establish an atmosphere of trust and presumed employees would use the system primarily for business purposes. Another company*s officials said that they did not have enough resources to actively monitor their employees* electronic transmissions. Six of the 14 companies we contacted, in addition to collecting and storing information on employee computer use, performed routine analyses on all employee e- mail or Internet data resulting in the review of selected electronic transmissions. These companies reviewed the electronic transmission information for several reasons. Company officials reported that they needed to protect proprietary information and prevent Internet visits to inappropriate sites. For example, 3 companies reviewed e- mail messages using commercial software that searched for keywords. These companies selected the words to be searched, and a computer file of e- mail messages that matched pre- selected key words would be Certain Companies Read and Reviewed Employee Computer Use Information Only as a Part of an Investigation Other Companies Routinely Reviewed Selected E- mail and/ or Internet Data for Inappropriate Use Page 8 GAO- 02- 717 Employee Privacy generated. Company officials routinely reviewed this file to determine if e- mails contained inappropriate material. Other companies reported different strategies to identify employee misuse of computer resources. One company*s computer security office generated a weekly report of the 20 employees who logged on the Internet the most times and listed the sites visited. Officials reviewed this list to determine if inappropriate sites have been visited. A second company reviewed the Internet use of a random sample of 10 to 20 employees each month. This review was intended to identify employees who had visited offensive or inappropriate sites. Employees identified through this process were generally counseled against further misuse. Finally, one company, in 2001, monitored the inappropriate websites employees visited, such as hate, violence, and pornographic, and in 2002, it purchased new software to block these offensive sites. 7 Generally, the companies we reviewed* regardless of whether they routinely reviewed employee computer use or examined individual employee records only to pursue particular complaints* reported that the total number of investigations was very small as a proportion of the number of employees with access to e- mail, the Internet, or computer files. 8 The number of annual investigations ranged from 5 to 137 and represented less than 1 percent of the total domestic employees at these companies. For example, one company with more than 50,000 domestic employees reported 72 e- mail investigations and 48 Internet investigations in calendar year 2001. We found companies most often investigated the alleged misuse of employee e- mail followed by investigations of Internet use. Not surprisingly, the company that routinely reviewed employee Internet use initiated the most investigations on employee Internet conduct* 90 investigations. Investigations of the content of employees* computer 7 At the time of our review, 8 of the 14 companies had computer software that would block entry into predetermined Internet sites. However, 2 more companies installed blocking software in calendar year 2002. 8 Six of the 14 companies we reviewed could report separately on investigations that centered on inappropriate computer use. The remaining companies could not report employee investigation by specific categories of alleged offenses. All Companies Had Few Investigations and Disciplinary Actions for Inappropriate Use of E- mail, the Internet, and Computer Use Page 9 GAO- 02- 717 Employee Privacy files were the smallest in number, and only one company told us that they had initiated investigations related to them. Only 2 of the 14 companies we interviewed were able to provide data on the types of disciplinary actions taken against employee misuse of computer resources. One company reported that of its 20,000 employees, it terminated 2 employees for inappropriate e- mail use, 2 for Internet misuse, and 1 for computer file violation in 2001. The other company reported that over a 5- year period it had terminated 14 employees for misuse of the Internet. Most of the 14 companies reported various types of actions that could be taken against employees for inappropriate use of computer resources. Four companies told us these actions ranged from informal discussions or formal counseling between the employee and company managers to terminations. Only the most flagrant and repeated violations would result in employee termination. The 14 companies we reviewed all have written policies that included most of the elements recommended in the literature and by experts as critical to a company computer- use policy. There is a general consensus that policies should at least affirm the employer*s right to review employee use of company computer assets, explain how these computer assets should and should not be used, and forewarn employees of penalties for misuse. We also found that all companies disseminated information about these policies through their company handbooks, and 8 discussed their computer- use policies with new employees at the time of hire. In addition, some companies provided annual training to employees on company policies, and others sent employees periodic reminders on appropriate computer conduct. The 14 companies we reviewed had written policies that explained employee responsibilities and company rights regarding the use of company- owned systems. Our discussions with company officials and review of written policies showed that all 14 contain most, if not all, of the policy elements recommended by experts. From our review of the literature and discussions with legal experts, privacy advocates, and business consultants, we identified common elements that should be included in company computer- use policies (see table 1). 9 These experts 9 For examples, see Internet Acceptable- Use Policies, National Legal Research Group, Inc., 2000.; Nancy Flynn, The ePolicy Handbook. AMA Publications, 2001. Companies Developed Computer- Use Policies and Informed Their Employees Companies Generally Included Critical Elements in Their Computer- Use Policy Page 10 GAO- 02- 717 Employee Privacy generally believed that the most important part of a company*s computeruse policy is to inform employees that the tools and information created and accessed from a company*s computer system are the property of the company and that employees should have no *expectation of privacy* on their employers* systems. Courts have consistently upheld companies* monitoring practices where the company has a stated policy that employees have no expectation of privacy on company computer systems. The experts also agreed computer- use policies should achieve other company goals, such as stopping release of sensitive information, prohibiting copyright infringement, and making due effort to ensure that employees do not use company computers to create a hostile work environment for others. Finally, according to experts, employees should clearly understand the consequences for violating company computer policies. For example, one company*s computer- use policy states that *violators [of company Internet/ Intranet use policy] are subject to disciplinary action up to termination of employment and legal action.* Table 1: Key Elements of a Computer- Use Policy Policy element Type of statement Monitoring use of proprietary assets Statements that company computing systems are provided as tools for business and all information created, accessed, or stored using these systems are the property of the company and subject to monitoring, auditing, or review. Establishing no expectation of privacy Statements about the extent or limitations of privacy protections for employee use of e- mail, the Internet, and computer files. Improper employee use Statements that some uses of company computers are inappropriate - including specific notice banning offensive material (e. g., obscenity, sexual content, racial slurs, derogation of people*s personal characteristics), and language relating e- mail and Internet use to general prohibitions of harassment. Allowable employee uses Statements explaining proper or acceptable uses of the company systems, including whether or not personal use is permitted. Protecting sensitive company information Statements providing instructions for handling proprietary information on company systems. Disciplinary action Statements that there are penalties and disciplinary actions for violations of company usage policy. Employee acknowledgement of policy A statement requiring that employees demonstrate they understand the company policy and acknowledge their responsibility to adhere to the policy. Source: GAO*s analysis of recommended computer- use policies. While the experts we interviewed recommended that employers include the above elements so that employees can be informed and acknowledge that they have no expectation of privacy on company- owned systems, some experts recommended additional steps that would help to protect employee privacy. For example, one expert recommended that employee groups participate in the formulation and review of monitoring policies; and another expert recommended that employees have access to any Page 11 GAO- 02- 717 Employee Privacy information collected on their electronic transmissions. Furthermore, other experts recommended an alternate policy framework that would preclude employers* review of employee electronic transmissions except when they have a reasonable independent indication of inappropriate use. From our review of company computer- use policies, including interviews with private sector officials and reviews of written policies, we determined that all 14 companies generally addressed most of the seven key elements of a computer- use policy (see table 2). Table 2: Company Notification Practices Employer policies of 14 companies Key elements of computer- use policy Specifically addressed Generally addressed Not addressed 1. Monitoring use of proprietary assets 9 50 2. Establishing no expectation of privacy 7 70 3. Improper employee use 7 a 7 0 4. Allowable employee uses 14 0 0 5. Protecting sensitive company information 14 0 0 6. Disciplinary action 14 0 0 7. Employee acknowledgement of policy 12 0 2 a Seven companies specifically identified harassment as an improper use of their computers. Source: Company interviews and computer- use policies. While we determined that these 14 companies* computer- use policies generally addressed the key elements, 10 we found that there was variation in the specificity in policy statements. For example, one company*s policy statement regarding *Monitoring Use of Proprietary Assets* stated, *[ company] reserves the right to access and monitor the contents of any system resource utilized at its facilities.* Another company*s policy stated, *the information and communications processed through your account are subject to review, monitoring, and recording at any time without notice or permission.* An official from another company, which only collected and stored employee computer use information and did not routinely review electronic transmissions, told us his company informed employees of its capacity to monitor its property with the more general statement that *data is collected and the company reserves the right to review this data.* Only one company reported that its policy did not include language 10 We obtained and reviewed from eight companies the written policies that covered the employees* use of company computer resources. The other six companies declined to provide us with their written policies but were willing to discuss them. Page 12 GAO- 02- 717 Employee Privacy specifically informing employees that their computer use was subject to review by other people in the company. Representatives from this company told us that their policy does, however, include a statement that employee messages could be accessed and that the company could not ensure their confidentiality. Under *Establishing No Expectation of Privacy* some companies directly inform employees that they should under no circumstances expect privacy. For example, one policy stated, *All users should understand that there is no right or reasonable expectation of privacy in any e- mail messages on the company*s system.* Somewhat less explicit, another policy stated, *Our personal privacy is not protected on these systems, and we shouldn*t expect it to be.* Some companies generally implied the principle of *no expectation of privacy* with statements like, *[ company] reserves the right to audit, access, and inspect electronic communications and data stored or transmitted on its Computer Resources.* Finally, the employers we reviewed also addressed improper uses of computer resources. All company representatives had policies that notified employees about improper uses; and the eight written policies we reviewed contained specific prohibitions on the use of company resources to create or transmit offensive material. Moreover, seven of these policies included some form of the word *harass* under their discussion of prohibited or inappropriate uses of corporate systems, and some also included a form of the word *discriminate.* No two policies addressed this issue in exactly the same terms, but representative statements prohibited behaviors such as *viewing or communicating materials of an obscene, hateful, discriminatory or harassing nature*; *any messages or data that* defames, abuses, harasses or violates the legal rights of others*; and *Accessing, downloading, or posting material that is inappropriate, fraudulent, harassing, embarrassing, profane, obscene, intimidating, defamatory, unethical, abusive, indecent or otherwise unlawful.* Experts recommend that policies include such specific prohibitions in order to limit a company*s liability for workplace lawsuits, and they stress the importance of ensuring that employees understand the company*s definitions of inappropriate use. Both the literature we reviewed and experts we interviewed agreed that establishing company policies on employee computer use is incomplete without strategies to disseminate the information. Experts pointed out that informing employees about these policies not only established the limits of employee expectations about privacy but also allowed them the Companies Informed Employees of Their Policies in a Variety of Ways Page 13 GAO- 02- 717 Employee Privacy opportunity to conform their behavior to the circumstances of having limited privacy. Among the 14 companies we contacted, we found multiple and active ways to inform and remind employees about the policies concerning the use of computer systems. Officials at 8 of the companies we reviewed said that at the time of hire, new employees receive training on company policies for using the computer systems. Officials from 5 companies told us they required all employees to participate in an annual review of their computer- use policies, either through an Intranet- based training or over e- mail. Other training techniques company officials described to us included business conduct reviews every 2 years, weekly e- mail reminders of their policies, and a series of videotapes that explain policies to employees. In addition to training programs, 10 companies have daily messages referring to the corporate policies that employees must acknowledge before they are allowed to log in to the systems. None of the companies* representatives we interviewed said that they had changed any of their computer- use polices or practices as a result of the terrorist attacks on September 11, 2001. Officials from four companies reported that after September 11th, they had been asked by law enforcement agencies to provide information about their employees* and customers* use of their e- mail systems and other sources and that they had complied with these requests. But none of the employers we interviewed had increased the amount or type of information they gathered on employees* use of e- mail, the Internet, or computer files. However, representatives from 10 companies did report increased concern for the security of their computer systems from outside trespassers or viruses entering their systems through e- mail or from imported computer files. Seven company representatives mentioned the Code Red Worm* which appeared around July 2001* and the Nimda virus* entering computer networks on September 18, 2001* as particular examples of the most serious kind of threat they faced and said these events had motivated them to strengthen the virus protection of their systems. Ten of the companies we reviewed told us that they have procedures to screen incoming e- mail messages for viruses, for example, by deleting file attachments with an *exe* extension 11 from all incoming e- mail messages. In early 2002, one company began and another was preparing to use software that searches title lines of incoming e- mail and deletes messages with sex- themed 11 Many viruses are contained in *exe* (executable) file attachments to e- mail messages and enter the computer system when the executable file is opened. Companies Have Not Changed Their Computer- Use Policies or Monitoring Practices as a Result of the September 11 Terrorist Attacks Page 14 GAO- 02- 717 Employee Privacy language, simply because the volume of unsolicited e- mail had begun to overwhelm their systems. Such actions reflect the widespread belief among the company officials we interviewed that the worst nuisance and most likely threat to company computer systems comes from outside trespassers with a capacity to paralyze a company*s Internet infrastructure or disrupt business, rather than the company*s own employees. We are sending copies of this report to the Secretary of Labor and other interested parties. We will also make copies available to others upon request. In addition, the report will be available at no charge on GAO*s Web site at http:// www. gao. gov. Please contact me on (202) 512- 7215 if you or your staff have any questions about this report. Key contributors to this report are listed in appendix I. Sincerely yours, Robert E. Robertson Director, Education, Workforce and Income Security Issues Appendix I: GAO Contacts and Staff Acknowledgments Page 15 GAO- 02- 717 Employee Privacy David D. Bellis, (415) 904- 2272 Richard L. Harada, (206) 287- 4841 In addition to the individuals named above, Nancy R. Purvine, Eric A. Wenner, Shana Wallace, and Julian P. Klazkin made key contributions to this report. Appendix I: GAO Contacts and Staff Acknowledgments GAO Contacts Staff Acknowledgments (130070) The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO*s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO*s Web site (www. gao. gov) contains abstracts and fulltext files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as *Today*s Reports,* on its Web site daily. The list contains links to the full- text document files. To have GAO e- mail this list to you every afternoon, go to www. gao. gov and select *Subscribe to daily E- mail alert for newly released products* under the GAO Reports heading. The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U. S. General Accounting Office 441 G Street NW, Room LM Washington, D. C. 20548 To order by Phone: Voice: (202) 512- 6000 TDD: (202) 512- 2537 Fax: (202) 512- 6061 Contact: Web site: www. gao. gov/ fraudnet/ fraudnet. htm E- mail: fraudnet@ gao. gov Automated answering system: (800) 424- 5454 or (202) 512- 7470 Jeff Nelligan, managing director, NelliganJ@ gao. gov (202) 512- 4800 U. S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D. C. 20548 GAO*s Mission Obtaining Copies of GAO Reports and Testimony Order by Mail or Phone To Report Fraud, Waste, and Abuse in Federal Programs Public Affairs *** End of document. ***