We have all seen the steady blurring of the lines between work and nonwork over the past couple of decades. Work at home. Work while traveling or commuting. Work while on vacation. Alongside this intertwining of business and personal time has been an intertwining of work and personal technology. We use the corporate BlackBerry to call home. We use a personal cell phone to join a conference call. We use a VPN to connect to the office on weekends via our home Internet connection. We shop online while lunching at our desks. We keep in touch with friends via Facebook from work, and check out our colleagues and contacts on LinkedIn at home.
In far too many cases, corporate policy hasn’t kept up with what’s actually happening. Infrastructure isn’t free, and allowing employees to use it for non-business purposes has an opportunity cost, if not an actual expense. Let’s look at the emerging issues.
Virtually every employee (at least in the United States) now signs a document acknowledging that he or she has no reasonable expectation of privacy when using business technology. Most employees don’t seem to mind — and most businesses monitor what their employees are doing online to some degree. Where sensitive data is involved, data loss prevention tools look at the traffic into and out of a company (and its external virtual connections) and block content that appears suspicious or fails to pass sophisticated pattern analysis heuristics.
“Reasonable use” language is also common in employee agreements. Yet workers often use business tools for personal activities. Web surfing, e-commerce and contact management amount to many hours across the workforce. So, what’s the difference between walking to Barnes & Noble at lunchtime to buy a book and visiting Amazon.com while eating at your desk? To the employee, probably none. But there’s a big difference for your company’s infrastructure managers, who are responsible for your network traffic and bandwidth.
Just about every company now has some form of control — via proxy restrictions, black lists and the like — over which sites employees can visit. These systems aren’t perfect and take work to maintain, but they keep the worst of the malware and inappropriate content off your network and corporate hard drives.
Speaking of hard drives, what’s “reasonable use” for personal content? Home videos? Music? Digital books? DVD rips? After all, disks are cheap. But, if every employee has half a terabyte of personal data on his or her PC, that’s a lot of content to handle via the corporate data environment (backup, recovery, optimization, movement).
Which leads us to the last issue: Who’s liable when something bad results from user action or user-acquired content on a corporate device? There is no clear answer today, and I know of more than one general counsel who’s worried about how the courts might treat any particular case.
Should the company have done more to prevent the problem? What’s the cost of evidence gathering? What data-retention policy should apply to user-managed content? The answers to these questions could have a big impact on policies regarding the use of corporate assets for personal activities–and vice versa. Watch this space in 2012 and beyond.
About the Author
John Parkinson is head of the Global Program Management Office at AXIS Capital. He has been a technology executive, strategist, consultant and author for 25 years.