Computer-Use Monitoring Practices and Policies of Selected Companies
GAO-02-717, Sep 27, 2002
- Accessible Text:
Over the past decade, there has been a technological revolution in the workplace as businesses have increasingly turned to computer technology the primary tool to communicate, conduct research, and store information. Also during this time, concern has grown among private sector employers that their computer resources may be abused by employees--either by accessing offensive material or jeopardizing the security of proprietary information--and may provide an easy entry point into a company's electronic systems by computer trespassers. As a result, companies have developed "computer conduct" policies and implement strategies to monitor their employees' use of e-mail, the Internet, and computer files. Federal and state laws and judicial decisions have generally given private sector companies wide discretion in their monitoring and review of employee computer transmissions. However, some legal experts believe that these laws should be more protective of employee privacy by limiting what aspects of employee computer use employers may monitor and how they may do so. Following the September 11, 2001, terrorist attacks on the United States, policymakers re-examined many privacy issues as they debated the USA PATRIOT Act, which expands the federal government's authority to monitor electronic communications and Internet activities. GAO reviewed 14 private sector companies' monitoring policies and found that all companies reviewed store their employees' electronic transactions: e-mail messages, information on Internet sites visited, and computer file activity. They collect this information to create duplicate or back-up files in case of system disruption; to manage computer resources such as system capacity to handle routine e-mail and Internet traffic; and to hold employees accountable for company policies. Representatives from all of the companies had policies that contained most of the elements experts agreed should be included in company computer-use polices. None of the companies GAO studied had changed any of their employee computer-use policies or monitoring practices after the September 11 attacks. Most companies did, however, report a growing concern about electronic intrusion into their computer systems from outside trespassers or viruses and had increased their vigilance by strengthening their surveillance of incoming electronic transmissions.