When a few of his employees in the IS department at Sunrise, Fla.-based Ursus Telecom Corp. started trading an episode of the bawdy comedy South Park using Napster, the popular file-sharing application that has both rocked the entertainment industry and thrilled millions of users, the company's vice president of worldwide Internet services took action.
Having read stories of high-profile lawsuits filed against Napster, Chavez decided to avert legal trouble before it came his way: He banned Napster from PCs in the company's offices.
"I figured I'd better nip it in the bud," Chavez said. "I work for a public company. I answer to the board of directors. It's a matter of the public trust."
Fortunately for Chavez, the few employees who were using file-sharing technology didn't react harshly to the Napster ban. In fact, Chavez said his feelings were hurt more than anyone else's -- because nobody had sent him the infamous South Park episode. But for many CIOs, the issue of how to shape and enforce policies dealing with employees' personal use of company technology is no laughing matter. It's a problem that will become increasingly complicated as new technologies arrive, especially on the Internet.
Internet abuse in the workplace is nothing new. As soon as the Web hit corporate America, it raised issues such as declining employee productivity because of Web surfing and the prospect of workers viewing pornography and other objectionable materials online. But the battle to rein in the Web has reached a new ground. Evolving technology is forcing -- and will continue to force -- CIOs to reevaluate the definition of Internet abuse and their role in developing and enforcing policies designed to prevent it.
The latest innovation to give corporations fits is file-sharing applications, which can tie up bandwidth, introduce legal hassles and hinder productivity. But they are only the problem du jour. Tomorrow, it could be something else entirely. CIOs can maintain control no matter what the next day brings by taking several positive and specific steps to ensure that their companies' employee-use policies allow for reasonable personal use of technology without giving employees too much or too little leeway.
To do so, it is vital to merge risk management with empathy for employees -- especially in the case of IT workers who are already in high demand. "If I were heavy-handed, they could walk out the door and have another job the next day," Chavez says. People who spend 15 hours a day in the office will need to take care of some personal business while they're there, whether it's transferring money between accounts or making airline reservations. Allowing that use without condoning abuse is critical.
The Current Hurdle
File-sharing applications are the latest challenge to corporate policies because they intensify the problems of old-fashioned Internet abuse. Although each uses a different architecture, these applications allow users to trade files with each other. Napster, for instance, turns an individual's computer into a mini-server. Users can search for and download files located in the hard drives of other users on the network. At the same time, users expose their files for search and download by other users.
Almost all the material that passes through file-sharing applications is copyrighted. Most of the applications help users search for MP3 music files, but some, such as Gnutella, are sophisticated enough to handle the transfer of bigger files such as television shows. The battle over copyright laws and file-sharing applications has led to several lawsuits against Napster, which resulted in a federal court issuing an injunction against the service in July 2000.
With courts shaping and reshaping copyright laws, companies cannot be sure they are totally immune to lawsuits. "You are in virgin territory when you're dealing with things like Napster," says Richard J. Hafets, cochair of the labor and employment practice group at law firm Piper Marbury Rudnick & Wolfe in Baltimore.
Hafets says companies are not very likely to face a legal threat based on employee use of file-sharing applications. For a plaintiff such as a record label, or the recording industry as a whole, to win a case, it would have to prove one of two key points: that an employee who is illegally downloading music is doing so in the employer's interest, or that the employer knew of illegal activity and turned a blind eye to it.
The first situation is both difficult to prove and unlikely to happen. Most use of file-sharing applications revolves around collecting songs and other material for personal use; business use of file-sharing applications is still somewhat undefined. Hafets' second scenario is the one that could get companies into trouble. He says it is not enough for companies to simply have a personal-use policy and not enforce it. If a CIO or other company official knows of illegal use of file-sharing applications, he should take action. Intentional ignorance of such activity will not be an acceptable excuse in the legal battlefield.
"You get much closer to holding the company liable if the company is specifically aware that copyright infringement is taking place and simply does nothing about it," Hafets says. "If you're in an office and you see people on the Internet visiting sites [such as homepages that have file-sharing downloads] that don't appear to be business related, you can't just put your hands over your eyes and your ears and say, 'Hear no evil; see no evil.' [A plaintiff] could say you have an affirmative duty to deny access to these sites."
For some corporations, even flirting with the copyright issues surrounding file-sharing applications is too risky. Chavez found banning the technology outright easier and safer than working with lawyers and human resources professionals to develop a safe policy for employee usage of that particular technology.
For others, however, allowing IS employees to toy with the latest innovation is worth any potential legal risk. Ron Pollard, CIO of Specialized Bicycle in Morgan Hill, Calif., said he likes the technology behind file sharing and encourages his employees to explore it.
"Napster is really great technology," he says. "[IT workers] should be out there looking at how technology works."
Lawsuits are only one example of the problems that can be caused by personal abuse of office technology. Another more technical demon can raise its head: overworked bandwidth. File-sharing apps in particular are notorious bandwidth hogs -- one MP3 can measure 5MB alone. When users download multiple songs at once and simultaneously have multiple songs uploaded from their libraries, bandwidth can become scarce. And it's not just file-sharing applications that can cause problems. IT executives have also battled applications such as interactive games and downloadable tax-preparation programs.
Bandwidth shortages can give a CIO a false sense of how much bandwidth his organization needs, which ultimately can affect the bottom line. Justin Kirsch, senior vice president and CIO at Security National Servicing Corp., a loan-servicing company in Sacramento, Calif., says his company upgraded from T1 lines to a T3 connection with the thought that it needed more bandwidth to handle B2B transactions. "We've made decisions to buy more Internet bandwidth thinking that our business was using that bandwidth," he says. "In reality, [we had] employees downloading music all day long." Security National now uses software that blocks sites and applications that are bandwidth hogs and carefully enforces personal-use policies that restrict bandwidth-intensive applications.
Another red flag signaling heavy use of high-bandwidth applications that could be more immediately damaging is a slow website. An overload of internal traffic can, depending on the configuration of a company's network, cause an external website to crawl. Eventually, bandwidth problems become tech-support issues. The more users are bothered by slow connections, the more they will call on already overtaxed IT staffers to help solve problems. An outbreak of slow PCs, a result of hard drives crammed with downloaded files, and slow network access should alert CIOs that it might be time to investigate the use of file-sharing applications.
Although it has not happened yet, a real nightmare might be on the way: virus-bearing MP3 files traded from user to user. Viruses have wreaked havoc recently via e-mail, but an infected file uploaded and downloaded all over the world -- and inside a company's walls -- could bring a company's infrastructure to its knees. "Anytime you have data flying around and you may not necessarily know from whence it came, you introduce risk," says Steve Vonder Haar, senior Internet consultant at The Yankee Group, a Boston-based analyst company. "When are we going to have the first example of an MP3 file that spawns something that infects your computer? You would be a fool to think that that day is not coming."
Steps For Avoiding Trouble
Potential legal problems and technology issues are not the only challenges lurking within file-sharing downloads and other new and forthcoming applications. Old-fashioned Internet-abuse concerns such as employee productivity are also potential hazards. But CIOs can follow a few simple rules in developing and enforcing fair personal-use policies.
Be aware of technology trends. File-sharing applications are the current troublemakers; there will be more to come. CIOs constantly need to be on the lookout for the next wave. Reading about the next big thing in personal technology and chatting with employees about what is popular are easy ways to keep up with trends. "We come up against new things all the time, and we just evaluate them and see [whether they are acceptable for employee use]," says Randy Reece, CTO at The Axean Group in Orinda, Calif., which offers consulting on information management and training. "The technology is changing all the time."
At OMX in Cleveland, parent company of office-supply retailer Office Max, Senior Vice President and CIO Robert Peterson has IS staff members who are dedicated to exploring new technologies. While Peterson's employees are primarily looking for technologies that will ultimately boost Office Max's bottom line or cut costs, they also keep troublesome personal-use scenarios in mind. Therefore, the search for new and beneficial technologies always includes an investigation of what problems those technologies could cause inside the company.
"The priority is...what can we do to help our business," Peterson says. "We then get the appropriate people involved to say what ramifications [new technology] will have across the organization." Peterson helps develop corporate IT policy based on his employees' evaluation of new technologies.
Mention new technologies by name when updating policies. Hafets says continual monitoring of technologies combined with a corresponding evolution of policy is a good idea. CIOs should both search for the next big thing and be ready to address it specifically in revised corporate policies. That approach not only sets specific limits for employees, it also helps avoid legal problems when dealing with new applications, whether a company is banning them or simply restricting them to proper, legal use. "Companies are going to need to review and update their policies as technology continues to change," he says. "As long as your policies are broad enough to cover all forms of communication, you'll probably be OK."
Communicate. This simple concept that no one has quite mastered is the key to keeping employees happy while maintaining an appropriate level of control over their ability to use applications for personal purposes. Chavez says he made his employees active participants in every step of the process that eventually led to the Napster ban. Similarly, Nagaraja Srivatsan, vice president of the Digital Vision Labs at integrator SeraNova, in Edison, N.J., says reminding employees of the ramifications of improper use of technology -- from legal problems that could sink stock options to total system failures -- is an effective way of making employees feel that they are vital to the company's overall success, even if they have to make sacrifices.
At Ford Motor Co. in Dearborn, Mich., which has 110,000 users on its network, Rajan Nagarajan, director for enterprise process and IT integration, also stresses the importance of consistent and open communication. Ford conducts training sessions for all employees that cover the company's personal-use policy and frequently disseminates information about the company's mission and how it relates to each employee. "We fundamentally believe that if you expose everybody to the same information, they'll all come to the same understanding," he says. "People are conscious of how this is related to the company. We want them to feel as part of the company, you're part of the bottom line, and that's the message."
Kirsch says, however, that CIOs should not hesitate to remind problem employees that they are working on company time -- and technology. "I take this general principle: If we bought it, we own it; we control it," he says. "If you're using our equipment to do something, we control it."
Back up your policies with action. Simple communication and trust will not always be enough to handle every situation. "People for whatever reason just can't seem to help themselves," Kirsch says. Luckily, a warning is usually enough to put a rogue employee back on the straight and narrow. The timing and circumstances of that warning can be critical, however. Kirsch suggests using peer pressure. "When a rumor starts that somebody's [using technology inappropriately], you send out a reminder notice of policies or procedures to the whole company or department," he says. "That sends a strong signal."
Sometimes, the situation warrants more serious action. CIOs, in cooperation with a company's legal department and HR staff, should not hesitate to fire employees who consistently break rules and put the company at risk. But jumping the gun can also be dangerous. Employees will sometimes wrongfully accuse each other of misusing technology; a CIO should not recommend termination until he is sure that an employee has committed an offense.
"You have to be cautious to not just look at it in black and white," says Kirsch, whose company has fired employees who abused technology. Simply checking for a user's ID and password in usage logs is not enough to prove guilt, he says. IDs and passwords can leak to other employees. More substantial evidence, such as a confession or observation of abuse by an executive, is preferable when considering termination.
Hafets agrees that, from a legal perspective, companies must enforce policies consistently. Firing an employee might sometimes be necessary, and a CIO who has a hand in that kind of decision needs to make sure that he is willing to let go of anyone else who commits a similar offense. "If the employer has a policy and wants to get the message out to the workforce that it is serious about its policy, termination is a way to do that," he says. "Consistency is going to be important."
Play an active role in developing and enforcing policies. If misuse of technology is causing problems in an organization, the CIO must be on the front lines, monitoring usage and reminding employees of policies. Act as a member of the executive board, not just as head of the IS department. Both Chavez and Nagarajan say the IS departments at their respective companies determine the policies that govern appropriate use of technology. Kirsch says he wrote his company's policies himself. Other departments come into play in extreme situations such as terminations, but the CIO has the first word on appropriate use of technology.
The issue of employees' personal use of company technology did not begin with the Internet, and it won't end with the influx of file-sharing applications. But actively participating in the evolution of personal-use policies will continue to be a must, since the next kids ready to stir up trouble on the corporate block are lurking around the corner. "You're going to [solve problems], and then you're going to have breathing room, and then you're going to do it again," Srivatsan says. "It's going to be a cyclical process."
This story, "How Personal Is the Personal Computer?" was originally published by CIO.