Acceptable-Use Policies: Human Defenses
Michael Swart, Steven, Daniel Connor

Learning Objectives
Acceptable-use policy as a security and legal necessity.
Balancing safety with piracy concerns.
User accountability and responsibilities.
Corporate accountability and responsibilities.
Characteristics of an effective AUP.

What is an AUP?
An Acceptable Use Policy is a company policy that defines (or should define) acceptable and unacceptable use of all components of the company's information, computer networks, and communication systems.
An AUP should clearly specify the company's standards for onsite and remote access to corporate networks and for the secure use of company usernames, passwords, and computer accounts.

Introduction
An AUP helps the organization fulfill its "duty of care" to provide employees with a non-hostile working environment.
In general, a duty of care simply means that a company or person can't create an unreasonable risk of harm to others.
A non-hostile environment is one where employees are free from actions that are offensive:
– Morally
– Ethnically
– Racially
– Religiously

Why do we need AUPs?
Illustrated by two court cases:
– California DMV vs. Allstate Insurance
– MCI Worldcom vs. two employees

Allstate Insurance Co. Employees Illegally Access Confidential Information
In February 2003, the California DMV cut off Allstate's access to digital driving records.
A customer's confidential address had been released, which resulted in a written threat.
Investigations found 131 violations of confidentiality rules.

Lawsuits Pending
The DMV director said he would ask the state attorney general's office to seek fines against Allstate.
A civil lawsuit would be filed outlining the specific instances of improper behavior.
Accessing DMV information under false pretenses carries up to a $100,000 fine for each violation.

MCI Worldcom's AUP Leads to Early Dismissal of Lawsuit
The lawsuit was brought by two employees who had received four emails of racial jokes.
They claimed that the company had been negligent by allowing the corporate email system to be used for harassment, and that the defendant had retaliated against them for using the jokes in the suit.

Outcome
The court dismissed the plaintiffs' claim of negligence against MCI Worldcom, for three reasons:
– MCI Worldcom had an established email acceptable-use policy that expressly prohibited discriminatory email.
– It had acted consistently in enforcing the policy against the employee who sent the email.
– It took remedial action to enforce its written email policy.

The Discipline and Diligence Defense Tier
Inform employees of their responsibilities and the rules within the company.
Rarely are these policies updated.
Huge investments are taking place but are ineffective unless commitment is made by the employees.
Discipline and diligence break old habits with training, reminders, and enforcement.

Dual Functions of the AUP
(1) Prevent misuse from occurring.
– Help prevent security breaches by informing employees of what they can and cannot do.
– Clarify expectations about personal use of company equipment, privacy, and user responsibility.
– Warn employees of monitoring.
– Outline the consequences of non-compliance.

Employee Abuse Increases
Employees are more likely to abuse privileges when acceptable use has not been clearly outlined and enforced.
According to the courts, if a company does not take action to prevent a hostile work environment, then it is guilty of promoting it.
According to surveys by the ePolicy Institute, the AMA, and US News and World Report, 63 percent of US companies monitor employee Internet activities.
Employees' email and Internet records are being used against companies during the discovery process of lawsuits, so prevention is all the more critical.

Dual Functions (cont.)
(2) Legal protection.
– A uniformly enforced AUP is supporting evidence that the organization exercised its legal duty to safeguard employees.
– Companies have learned that an email policy on its own is useless in court.
– There are two legal doctrines relevant to employer liability.

Legal Theories and Employer Liability Issues
Respondeat Superior Doctrine and Liability.
Negligent Supervision and Duty of Care.

Respondeat Superior and Liability
Respondeat Superior- a doctrine that holds employers liable for misconduct of their employees that occurs within the scope of their employment.
Scope of their employment- conduct that occurs substantially within the authorized time and space limits of the job.

Continue: Respondeat Superior and Liability
On November 23, 2001, the U.S. and 29 other countries signed the Convention on Cybercrime.
It seeks to ensure that when a company fails to supervise employees and a computer crime is committed, the company is held liable if the crime occurred with its knowledge, consent, or approval.

Negligent Supervision and Duty of Care
An employer is also liable for the damages that result from negligent supervision of employees. This may extend to actions outside the scope of employment.
Under the doctrine of duty of care, directors and officers have a fiduciary obligation to use reasonable care to protect their company's business operation.

Continue: Negligent Supervision and Duty of Care
Business can no longer rely on force majeure ("force of nature" or "beyond human control") as a defense for failing to prevent hackers, because these attacks have happened often enough to become foreseeable.
In the case of a security breach, the corporate officers and directors can have a lawsuit filed against them claiming they did not ensure adequate protection.

Characteristics of Effective AUPs
Comprehensive Scope- must apply to everyone working and to all devices, such as desktops, laptops, and cell phones.
Clear Language- must be concise and explain all unique aspects of the firm or business.
Adaptive Content- must allow constant revision due to new technology.

Continue: Characteristics
Extension to Other Company Policies- protects intellectual property and prohibits harassment in the physical and virtual environment.
– Virtual environment- where business is being conducted outside of the firm.
Enforcement Provisions- must be maintained and enforced consistently, or enforcement could be seen as discrimination.

Continue: Characteristics
Consent- acceptance and adoption of the AUP should not be passive.
– Require a signed agreement.
– Implied consent- usually a notice on computers or machines stating that using the equipment means you agree to all the rules and regulations.
Accountability- constantly research cases to ensure the environment is safe for workers and others around them and that all are treated equally.

AUP Template
Chapter 6 provides an Acceptable Use Policy Template that can be used to review a current AUP or form a basis for a new AUP.
Changing technology and legislation mean that AUPs can become outdated quickly and require at least an annual review.

Template (cont.)
There is no one perfect template for an Acceptable Use Policy. To compose a relevant and feasible AUP, managers must assess:
– IT resources
– Infrastructure
– Culture
– Business needs

Template Policy Key Objectives
Protect the company against computer crime, viruses, hackers, and cyber pranks.
Maintain a non-hostile workplace.
Prevent sexual and racial discrimination, copyright infringement, and software piracy.
Maintain productive workplace use of company IT resources.

Provisions and Prohibitions
Users are not allowed to:
– Forward or save email chains.
– Use email for discussion forums.
– Use IT resources for personal gain.
– Violate copyright laws.
Users should:
– Check email daily.
– Scan all new files being opened.
– Treat all files sent or received as company files, not to be printed or taken out of the firm's physical environment.
– Only let authorized users use certain IT resources.

Compliance
The company may choose to monitor or review all use of its IT resources, including but not limited to:
– Email sent and received.
– Internet usage.
– Computer files, documents, and faxes created, stored, deleted, or distributed.
– Any files that contain images, text, video, or audio (for content).
– Installed software (for licensing).
All computer activities create audit trails!
No user can view another person's email without permission.

Compliance (Continued)
Users are to report any violation of the AUP to (specific persons, titles).
All users assume full liability for their use of IT resources.
Users release the company from any and all liabilities or claims relating to the company's IT resources.
The policy may be amended or revised as necessary by the company.

Summary
Employers who have an effective, well-publicized AUP that is enforced with proper monitoring and violation procedures have a better chance of escaping liability and damages resulting from employee abuse. Those who do not are risking liability, because employers have the burden of proving an affirmative defense in court.