Workplace strategies for protecting confidential and proprietary property. Includes: Tracking and other IT surveillance tools, Telework/remote systems access policies and practices, Employee use of YOUR Information Technology Resources, Social Media, The Law, or ‘Getting “Dooced”’, etc.

1. Workplace Strategies for Protecting
Confidential and Proprietary Property
Presented by: Catherine Coulter
catherine.coulter@fmc‐law.com
1

2. Tracking and other IT surveillance tools
2

3. Most of our guidance comes from the
decisions of labour arbitrators in the
unionized environment and various
Privacy Commissioners across the country
3

4. Most cases involving
employee surveillance
relate to trying to ensure
employee productivity,
rather than protecting and
preserving company
confidential information
4

5. Types of Surveillance:
(i) GPS (global positioning systems);
(ii) video surveillance;
(iii) keystroke monitoring; and
(iv) RFIDs (radio frequency identification
devices)
5

6. Video Surveillance
Video surveillance is generally not permitted for the purpose
of ensuring employee productivity or supervising
employees; however it may be permitted if the employer
can show a bona fide safety or security justification
6

7. GPS
GPS is generally permitted for safety management and asset
management (eg. Tracking stolen company vehicles) but
again, like video surveillance, is not permitted for
productivity management
7

8. Keystroke Monitoring
Keystroke monitoring may be permitted to manage
productivity but labour arbitrators have stated that other
means of monitoring productivity should be used if at all
possible
8

9. Surveillance may be permitted if:
(i) employees are given advance written notice of the
surveillance;
(ii) there is no less intrusive means of protecting the
company’s property; and
(iii) the surveillance is reasonable in scope
9

10. WHAT TO DO IF YOU DECIDE TO
IMPLEMENT EMPLOYEE SURVEILLANCE:
• Employees should be given notice on a frequent and
recurring basis in terms of how they’re being monitored
• Computer pop‐up warnings are a great way to implement
frequent reminders
• If you have a workplace computer use policy, check to make
sure it’s up‐to‐date and thorough; if you don’t have a
computer use policy, what are you waiting for?
10

11. Telework/remote systems access policies
and practices
11

12. WHAT TO DO ?
• make sure that your employees and contractors ALWAYS sign
properly drafted and enforceable Confidentiality Agreements
• if your employees have a computer at home, help them to
ensure that it is password enabled, email encrypted and
firewalled
• insist that your clients do their work through your company’s
internal network, or no amount of firewalls in the world will help
• Also insist on passwords and other security devices that your
employees may use
12

13. • if your employees have hard copies of company confidential
information at home, make sure that it’s a requirement that
it be kept filed in a locked filing cabinet except when being
used
• ensure that your employees (and their families) understand
that the offsite work area is for work purposes only
• when projects come to an end, employees should be
contractually responsible to return documentation to the
office for proper storage
13

14. • develop policies relating to the protection of confidential
information in a telework setting, and train your employees on
related security issues
• conduct periodic background checks to make sure that your
employees are actually following proper procedures
14

15. Employee use of YOUR Information
Technology Resources
15

16. Employee Use of Company IT Resources
Remind your employees in writing that:
‐ You own the equipment and systems, and they’re just using it
‐ The equipment and systems that they’re using are supplied for business
purposes
‐ You have the ability to monitor their computer use and they should expect
to have no expectation of privacy when using company‐owned equipment
and systems
‐ Freedom of expression is NOT unlimited, even off‐site and off‐hours
‐ They have a duty of good faith which operates 24/7 and post‐employment
‐ They can be terminated with cause for breaches of their duty of good faith,
their employment contracts and the company’s policies
16

17. Important Tools For Protecting Your
Workplace & Technology
‐ Employment Agreements (non‐disparagement provisions;
agreement to be bound by company policies)
‐ Confidentiality Agreement (acknowledgement of continuing
duties post‐employment)
‐ Intellectual Property Agreement (acknowledgement of
assignment of IP to company; waiver of moral rights)
‐ Creation of various policies (Computer Use Policy; Facebook &
Blogging Policy; Harassment Policy; Privacy Policy
17

18. Best Practices Computer Use Policy
A best practices company computer use policy will always include the
following information:
‐ When the policy applies (to everyone, every time that they use the
company’s equipment and systems)
‐ Permitted uses & prohibited uses
‐ Consequences of improper use
‐ No expectation of privacy
‐ Compliance with licenses, laws and policies
‐ Where applicable, expectations regarding Open Source software
‐ Expectations of confidentiality and professional behaviour
‐ Non‐disparagement
‐ Ownership of intellectual property
18

19. Social Media
19

20. Why Do You Need A Facebook Policy?
‐ Facebook has an 85% market share of 4‐year universities (your target audience for new
employees)
‐ The average amount of time spent by people on Facebook each day is over 23 minutes
‐ The fastest growing demographic of Facebook users is ages 25 and up
‐ Facebook operates in more than 75 languages, has over 550 million members, hosts over 15
billion photos on its site and people upload over 100 million more photos to Facebook each
day
‐ Every minute of every day, over 1,700,000 actions are performed on Facebook, from
comments, to messages, to adding photos, to status updates, to wall posts, etc.
‐ 2 million websites across the internet are integrated with Facebook and 10,000 more websites
integrate with it each day
‐ As Time Magazine said in its December 27, 2010 issue “Facebook has a richer, more intimate
hoard of information about its citizens than any nation has every had”
‐ However, Social Networking Sites can: (i) waste time at work; (ii) result in the disclosure of
company confidential information; (iii) damage an organization’s reputation; (iv) assist
employees who want to take part in “virtual harassment”; and (v) lead to breaches of
privacy legislation
20

21. Why Not Ban Facebook At Work?
For all of the potential risks of allowing Facebook use at work,
there are also good reasons to permit its use:
‐ Facebook is a fact of life for most younger employees, and
your organization may appear out of date and out of touch
without it
‐ Facebook can permit your employees and your organization to
network for business purposes, marketing and fundraising
‐ Facebook can assist HR with employee background checks
‐ Facebook can assist management with intelligence gathering
(ie. online ‘town hall’ meetings)
21

22. What About Blogging?
‐ As with Facebook, blogging can be an effective and
inexpensive means of company advertising
‐ Blogging can also provide a unique perspective on what it’s like
to work for a particular company, and can assist with recruiting
‐ As with Facebook and other social media sites however, it is
often unmonitored and uncensored. That can lead to a range
of blogging from opinion to well‐meaning rambling to
intentional harm
‐ As with Facebook and other social media sites, it can also lead
to misuse of company confidential information
22

23. What To Do?
Options Include The Following:
‐ Outright ban against social media and blogging in the workplace
‐ Prohibit access to social media and blogging at work, and place restrictions
on what employees can say outside of work when it comes to workplace
issues and people
‐ Prohibit access to social media and blogging at work but place no
restrictions on what employees can say outside of work when it comes to
workplace issues and people
‐ Permit social media to those who need it for their jobs (eg. HR; sales) and
place restrictions on it to everyone else
‐ No restrictions at all
23

24. What Should Your Social Media Policy
Look Like?
‐ It should contain a clear statement that employees should not engage in: (i)
disclosure of company confidential information; (ii) workplace gossip; (iii)
posting offensive or discriminatory language or graphics; (iv) disparaging
coworkers, management, the company, vendors, suppliers or customers
‐ It should make clear to employees that their use will be monitored by the
company and that it may intervene in certain circumstances (eg.
disparagement, discrimination, misuse of confidential information)
‐ It should require workplace bloggers to identify themselves by name and
not under a pseudonym
‐ It should require bloggers to make it clear that the views which they
express are theirs alone and are not necessarily the views of the company
24

25. What Should Your Social Media Policy
Look Like, con’t.
‐ It should require bloggers to tell the truth
‐ It should require employees to ensure that their activities will not interfere
with their work commitments
‐ It should require employees to confirm that their activities may be
suspended for a period of time if required (eg. In the event of a black‐out
period during a pending corporate transaction)
‐ It should require employees to confirm their understanding that a breach
of the policy may lead to the termination of their employment on a with
cause basis
‐ It should require staff who use social media for work purposes to use a
stand‐alone work dedicated account
25

26. The Law, or ‘Getting “Dooced”’
26

27. The Law
• As held by the Honourable Mr. Justice Blair of the Ontario Court of Appeal
in the case of Barrick Gold Corporation v. Jorge Lopehandia and Chile
MInteral Fields Canada Ltd.:
“The internet represents a communications revolution. It makes
instantaneous global communication available cheaply to anyone with a
computer and an Internet connection. It enables individuals, institutions,
and companies to communicate with a potentially vast global audience. It
is a medium which does not respect geographical boundaries.
Concomitant with the utopian possibility of creating virtual communities,
enabling aspects of identity to be explored, and heralding a new and global
age of free speech and democracy, the internet is also potentially a
medium of virtually limitless international defamation.”
27

28. Getting “Dooced”
• www.dooce.com was Heather Armstrong’s blog
‐ She was terminated from her job for writing about her
workplace on her blog. Getting “dooced” has become
synonymous with getting terminated due to something that
you’ve written on your website
28

29. Delta Airlines
• Ellen Simonetti, a flight attendant, posted suggestive photos of
herself in her work uniform on a company aircraft on her blog,
which was called “Diary of a Flight Attendant”
• Once Delta found out about her blog, she was immediately
suspended. A month later, she was “dooced”.
29

30. Manitoba Health Services
• Jeremy Wright, a Systems Administrator for Manitoba Health
Services, alleged that he was terminated from his job for
posting the following on his blog:
– Getting to surf the web for 3 hours while being paid: Priceless
– Getting to blog for 3 hours while being paid: Priceless
– Sitting around doing nothing for 3 hours while being paid: Priceless
– Installing Windows 2000 Server on a P2 300: Bloody Freaking Priceless
The Employer took the position that the employee had been
terminated for divulging company secrets.
30

31. West Coast Mazda v. UFCW
In this case, two employees posted offensive comments about
managers on Facebook after hours on their home computers.
They were ultimately dismissed.
The B.C. Labour Relations Board upheld the terminations as
their comments amounted to insubordination and a hostile
work environment. One of the factors which mitigated against
them was that they were key union organizers and had a
significant degree of influence over other employees.
31

32. Other Considerations
32

33. On‐Line Recruiting
Whether you plan to cyber‐recruit or to recruit the good old‐
fashioned way, the rules and issues remain the same:
‐ Ensure the information is up‐to‐date and accurate (remember
that the on‐line world can be inherently unreliable)
‐ Consider human rights and remember that knowing certain
things that you shouldn’t otherwise know (eg. the potential
employee’s race or religion) can be risky
‐ Consider privacy requirements and remember that you need
to have systems in place for the collection, use, disclosure,
storing and destroying of personal information
33

34. Best Practices For On‐Line Recruiting
‐ Let the potential employee know that you plan to check them
out on‐line; obtaining written consent on the application form
can be helpful
‐ Don’t search on‐line until after the interview process
‐ 0nly search publicly available information
‐ Be cautious about what you retain and keep the information
secure. Destroy it 2 years after the hiring decision is made, or
sooner if it’s no longer needed for defensive purposes
34

35. Open Source Software
The basic principles of Open Source Software include:
‐ Free redistribution
‐ Must allow modifications
‐ A single license to all users
Potential problems:
‐ Bugs/unreliability
‐ No support
‐ No guarantee of updates
‐ Liability for intellectual property infringement (due to the fact
that the potential for infringing code is significant)
35

36. Open Source Software
‐ Considering the needs of your workplace and industry, you
also need to weigh the value of using open source software
against the risks associated with not using it
‐ is open source software an issue for your company?
‐ do you need it?
‐ do you know if, when and where your employees are
using it?
‐ how might your IP rights be compromised?
36

37. Presented by: Catherine Coulter
catherine.coulter@fmc‐law.com

38. The preceding presentation contains examples of the kinds of
issues companies looking to protect confidential information
could face. If you are faced with one of these issues, please
retain professional assistance as each situation is unique.