Let’s start with a reminder. The people who use your firm’s computers, including portable devices such as smartphones or computer tablets, represent a significant risk, not only because they may fall prey to something like a phishing scam but also because of intentional misuse. One effective risk management tool that can help address this concern is a well-written online activity policy that is coupled with education and enforcement.
Establishing rules regarding personal use that address such issues as personal browsing on the Internet, the use of peer-to-peer file sharing networks, personal email accounts, file downloads, and use of social media is of particular importance. Detail ownership and privacy ramifications so that everyone in the firm is aware that they should have no expectation of privacy while using the firm network or any firm-provided portable device. You might also consider developing sexual harassment and discrimination policies so that everyone is aware that these rules are in play while online. Underscore the necessity of maintaining a high level of professionalism, perhaps by defining inappropriate behaviors via content rules.
These policies should be set forth in writing and coupled with a signed acknowledgement from everyone who will have access to the computer system, including all attorneys at the firm. The policy should include a statement along the lines of "failure to comply with the policy will result in discipline that could include termination."
There are a number of resources available that can assist you in developing an online activity policy. The SANS Security Policy Project posts a number of policy templates online that address a variety of important security concerns, many of which you may not have even thought about. These resource materials are available to the public without cost. Topics addressed include an Acceptable Use Policy, a Dial-in Access Policy, an E-mail Policy, a Password Protection Policy, a Remote Access Policy, and a Wireless Communication Policy among many others. The SANS (SysAdmin, Audit, Network, Security) Institute is a cooperative research and education organization established in 1989. Over the years, the institute’s programs have reached over 165,000 security professionals worldwide.
A second resource worth reviewing is an article written by Michael Downey, an attorney with Hinshaw & Culbertson LLP, entitled “Law Firm Online Activity Policy.”
Finally, for a long list of social media policies that a variety of businesses already have in place, you can check out Compliance Building’s Social Media Policies or Social Media Governance’s Social Media Policy Database. I strongly recommend taking a look at all of these excellent resources before taking on the task of developing your own policies. While no online activity policy can ensure a 100% risk-free environment, a well-drafted and enforced one can certainly go a long way.