EMPLOYEE PRIVACY
Computer-Use Monitoring Practices and Policies of
http://www.gao.gov/cgi-bin/getrpt?GAO-02-717
Contents
Letter
Results in Brief
Background
Private Sector Companies Gathered Information on Employees’ Computer Use and Some Read and Reviewed Contents
Companies Developed Comprehensive Computer-Use Policies and Informed Their Employees
Companies Have Not Changed Their Computer-Use Policies or Monitoring Practices as a Result of the September 11 Terrorist Attacks
Appendix I: GAO Contacts and Staff Acknowledgments
GAO Contacts
Staff Acknowledgments
Tables
Table 1: Key Elements of a Computer-Use Policy
Table 2: Company Notification Practices
Results in Brief
All 14 companies we reviewed store their employees’ electronic transactions: e-mail messages, information on Internet sites visited, and computer file activity. These companies reported they collect this information to create duplicate or back-up files in case of system disruptions; to manage computer resources such as system capacity to handle routine e-mail and Internet traffic; and to hold employees accountable for company policies. Eight of these companies reported that they would read and review these electronic transactions if they receive other information that an individual may have violated company policies. When such circumstances arise, these employers can review employees’ electronic transactions to find if violations of company computer-use policies such as visits to sites containing offensive or disruptive material and improper protection of proprietary information have occurred. On the other hand, 6 companies we contacted routinely analyzed their employees’ transactions to find possible inappropriate uses of company computer resources. While all the companies we contacted have investigated employees for misuse of computer resources, company officials told us that such investigations are rare and, if violations of company policies are found, result in a range of disciplinary actions.
Representatives from all of the companies we contacted had policies that contained most of the elements experts agreed should be included in company computer-use policies. For example, all company policies affirmed their rights to review employee use of company computer assets, described appropriate employee uses of these assets, and detailed penalties for misuse. We also found that all companies disseminated information about these policies, although in a variety of ways. For example, 8 companies require new employees to attend training that includes the review of companies’ computer-use policies. Some companies required employees to complete on-line training while others used videotapes. Another company we reviewed conducted biannual sessions on appropriate business conduct, which included appropriate e-mail and Internet behavior.
We found that none of the companies we studied had changed any of their employee computer-use policies or monitoring practices after the September 11 terrorist attacks. Most companies did, however, report a growing concern about electronic intrusion into their computer systems from outside trespassers or viruses and had increased their vigilance by strengthening their surveillance of incoming electronic transmissions. Most companies had, for instance, begun to delete certain attachments from incoming e-mail, and some block incoming e-mails based on certain words or phrases in the subject line or text. This apprehensiveness concerning possible threats did not lead company officials to increase either their suspicion of employees or the information they collected from them. But new vigilance against demonstrated dangers and nuisance is leading companies to tighten control over their computer systems.