Computer Use Policies – Are Your Company’s Illegal According to the NLRB?

4c00b10767cf8a5c15a4cde1b4c4f0a4_f120The National Labor Relations Board (NLRB) has continued its assault on businesses and their ability to legitimately protect their computer systems and information against unauthorized non-business use by employees.

A few weeks ago, I wrote 3 Important Points on Computer Policies in which I stressed (1) why your company must have them but (2) that such policy must comply with the NLRB’s Purple Communications case. The NLRB has struck again.

On May 3, 2016, an NLRB Administrative Law Judge struck down as overbroad a Computer Use Policy in Ceasars Entertainment Corporation d/b/a Rio All-Suites Hotel and Casino (NLRB Docket Sheet). The policy, titled Use of Company Systems, Equipment, and Resources, was part of the company handbook and stated that computer resources may not be used to do several things that were listed out and is standard in many similar policies. The NLRB decision (Decision) found that prohibitions against the following was illegal:

  • Share confidential information with the general public, including discussing the company, its financial results or prospects, or the performance or value of company stock by using an internet message board to post any message, in whole or in part, or by engaging in an internet or online chatroom
  • Convey or display anything fraudulent, pornographic, abusive, profane, offensive, libelous or slanderous
  • Send chain letters or other forms of non-business information
  • Solicit for personal gain or advancement of personal views
  • Violate rules or policies of the Company

The NLRB found that prohibiting the conduct mentioned above made the policy overbroad and could effectively limit employees’ use of their employer’s email system to engage in Section 7 communications during nonworking time. Because of that, it found the employer has engaged in an unfair labor practice prohibited by the National Labor Relations Act.

Welcome to Wonderland.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

3 Important Points on Computer Use Policies

IMPORTANT POINT #1: YOUR BUSINESS MUST HAVE A COMPUTER USE POLICY IN PLACE

Computer Use Policies (or Acceptable Use Policies, as they are often referred to) are must haves for today’s businesses. Such policies are a foundational component in how a business creates a culture of security with its workforce by establishing expectations on what are and are not permissible ways to use and safeguard the businesses’ digital assets, as well as third parties’ information that it may be holding. Continue reading “3 Important Points on Computer Use Policies”

The #1 Reason NIST Cybersecurity Framework is Becoming the Standard

NIST-logoAn article in eCommerce Times offers a well-reasoned argument for why the NIST (National Institute of Standards and Technology) Cybersecurity Framework is the guiding force in shaping the United States’ federal cybersecurity strategy: NIST Risk-Assessment Framework Shapes Federal Cybersecurity Strategy You should read it — but only after you read the following explanation because it is a lot simpler.  Continue reading “The #1 Reason NIST Cybersecurity Framework is Becoming the Standard”

Managing Cybersecurity Risks for Boards of Directors

Ethical Boardroom Winter 2016In his latest Ethical Boardroom article, Shawn Tuma explains why it is important for board members to have an active role in their company’s cybersecurity preparation and tells them several key steps they can take to do so. Tuma also explains why cybersecurity is as much a legal issue and business issue as it is an IT issue. Continue reading “Managing Cybersecurity Risks for Boards of Directors”

Cybersecurity Legal Year in Review – #DtSR Podcast

Do not miss this podcast discussing key cybersecurity legal events from 2015. Shawn Tuma joined the DtSR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] on the Down the Security Rabbit Hole podcast.

In this episode…

  • Most important cybersecurity-related legal developments of 2015
    • Tectonic Shift that occurred with “standing” in consumer data breach claims
      • Discussion of law prior to Neiman Marcus case, and post-Neiman Marcus
      • Does this now apply to all consumer data breach cases?
      • Immediate impact? Companies now liable?
      • Lesson is in seeing the trend and how incrementalism works
      • Michaels & SuperValu case dismissals in light of Neiman Marcus
  • Regulatory Trends
    • FTC & SEC gave hints in 2014, post-emergence of Target details
    • Wyndham challenged authority – came to fruition in August 2015
    • SEC not far behind – significant case in September 2015
    • Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
  • Officer & Director Liability
    • 2014 – SEC Comm. fired the warning shot … pointed the finger
    • Shareholder derivative litigation
    • Individual liability of IT / Compliance / Privacy “officers”
  • Anticipated 2016 Legal Trends
    • Regulatory enforcement … which, by the way, is why NIST is becoming default
    • Shareholder Derivative – much more likely than consumer class actions at this time
    • Lessons from both of these: when you need to persuade the “money folks” that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals … now they’re in the cross-hairs
    • Realization that cybersecurity is more of a legal issue than anything else (IT or business) b/c it is the legal requirements and consequences that ultimately drive everything

Go HERE to listen to the Podcast!