Unfortunately, for a growing number of organizations, getting sued is becoming commonplace. The lawsuits to which we refer are not based on claims of faulty products or damage to the environment, but on the organization’s technology policies. Yep—the very policies that are supposed to protect your company could become the cause of legal action against it.
Three policies usually lie at the heart of these types of suits:
- Bring Your Own Device (BYOD) Policy, which describes rules regarding employees using their personal devices while at work.
The reasons for such suits? There are basically three. First, suits are filed because the company in question is accused of violating the terms of its own policies. Second, suits often result because a company’s policies contain “loopholes” that expose the organization to unforeseen liabilities. The third—and less common—basis for a policy-based claim against a company is that its policies are either too vague or too complex for the average user to understand.
In each case, having adequately-written policies and following them to the letter is the best defence against claims being successful. But that might be easier said than done.
Google, Facebook, and Twitter were all targets of a 2014 lawsuit brought by French consumer group, UFC-Que Choisir. The suit claimed that the social network giants each had privacy policies that were too complex for the average user to understand, and that they contained links to pages written in English, which could not be understood by many French users of the services.
These two examples are not the only cases worth noting. A multitude of suits have ensued against companies large and small across the U.S. The two cases cited do, however, reveal something very telling: even mammoth companies with staff attorneys are not immune to legal action if their policies fail to measure up. Further, online policies must not only protect a company from legal action domestically, but also in every country in which it conducts business.
And website visitors are not the only ones suing over digital policies—or the lack thereof.
BYOD lawsuits have already worked their way through the courts, creating new precedents for how companies must administer their own BYOD programs.
Based on news accounts, lawsuits over digital policy issues are on the rise. Unless your organization has neither a website nor employees, the issue of digital policies should concern you.
While it is beyond the scope of this article to describe how to properly write digital policies, we have some suggestions worth considering as you evaluate your own digital policies.
Fire Your Lawyer
Actually, we don’t mean fire them completely, just don’t allow them to counsel you on the development of your digital policies unless they have specific education in relevant laws. As the saying goes, “you don’t know what you don’t know,” and an attorney not trained in the civil and criminal implications of digital media simply is not qualified to advise you on these matters.
Just as you would not hire a real estate attorney to defend you against a capital murder charge, you don’t need a general practitioner to write your digital policies. Qualifying education may include nothing more than having attended seminars on Internet law and employment-related digital media issues, but they must have expertise in this area.
Even though you should hire a qualified attorney to assist you with developing your policies, the remaining sections of this article will help you to become a better-informed client.
Don’t Let Your Attorney Make Promises You Can’t Keep
One of the biggest mistakes companies—and their attorneys—make is to promise a level of information security that is unrealistic to achieve. Do not guarantee, or imply, that your site visitors’ or employees’ personal information (for BYOD programs) will remain confidential. You do not, and cannot, have 100% control over that information, so do not imply that you do. Your policies should explain that you take “reasonable care” to safeguard such information, but you should have a disclaimer stating that you will not be held liable if information shared with you becomes available to others. This does NOT exempt you from a successful suit if you intentionally give or sell your email list; it does offer you some protection if a breach occurs after you have taken reasonable care to prevent it.
Make sure you communicate with your attorney. By making sure they understand your operation precisely, you can work together to identify areas where you may have risk exposure so that you can work on those.
Keep Your Digital Technology Policies Updated
Your business needs, and methods of conducting business, change regularly. You must be diligent to ensure that affected policies are updated in a timely manner (preferably before the change) to reflect these changes.
It is not enough to state on your website that you reserve the right to change your policies without notice. Laws are being written that speak to this issue, and which may require you to notify each person from whom you have collected information.
Don’t Forget Mobile
The minimum sections of information your policy must contain include the following:
- Information Collected: What information will your website and apps collect? From whom? When?
- Method of Information Collection: How is user information collected? By cookies (yes, they count)? By user registration? By Google Analytics or other tracking service?
- Storage of Information: How is the information you collect stored? Is the information encrypted in storage or transport? How do you secure it?
- Sharing Information: With whom do you, or will you, share user information? Under what conditions? With law enforcement displaying a valid warrant? Say so. If your company is sold, will user data be sold also? Better say so. You can get sued, even if you no longer own the company.
- Right to Know: How can users find out what data you have collected from them? California and other places require you to provide this information. How can users request that you delete their information and how will they be notified that you did so?
- Contact Details: How can users contact you with questions or concerns? How do they file a complaint? A physical mailing address is required in some locations.
As a minimum, your ToU policy must address the following issues:
- Introduction: Under the intro, you will identify your company, state its business objectives, and define any special terms or abbreviations you will use elsewhere.
- Site Content: Under this section, you will explain the nature of content that you make available on your site and through your apps.
- Third Party Content: You must specify what third-party content might be found on your site.
- Your Use of the Site: For what specific purpose may someone visit your website or use your apps? Under what conditions can they be blocked from having access?
- Use by Children: California and other areas have strict laws governing what information you can collect from a child. Your attorney must be well-familiar with these laws and must know how to advise you on how to comply.
- Links to Other Sites: Disclaim responsibility for users who link to third party sites from your site or app.
- User Comments and Submissions: How are user comments submitted? What type of submissions do you allow? If file uploads, specify what type of files and indicate who owns user-submitted files and comments.
- Fundraising Information: Do you use your site for fundraising? Explain in detail how it works, how donations are made, and what security is in place.
- Disclaimers: A good attorney will write solid disclaimers that will protect you from most claims. Make sure your disclaimers make it clear that, among other things, you are not responsible for lost, misused, or shared user data.
- Indemnification: What damages will you pay for, how much, and until what point in time? Obviously, your attorney will know more about this one than you do.
- Termination: By accessing your site or apps, the user is entering into a legal agreement. Under what conditions can that agreement be cancelled, and by which party?
- Applicable Jurisdiction: If you are sued, or if you choose to sue for violation of your policies, in which state and county will the case be adjudicated?
- Miscellaneous: There are always issues unique to your operation, and which may not fit in any of the other sections of this or any other policy. Those items go here.
- Trademarks: How may your trademarks be used, if at all?
- Copyright notice: This is where you give official notice of what elements and content contained in your site or app belong to you. You also explain, here, how someone can request permission to use those items, and what you will do if they use them without permission.
If your organization has employees, you have a BYOD program—whether you know it or not. With the prevalence of mobile devices, no employer can assume their employees are not using their personal devices for company purposes. One employee calling one client on their personal cell phone can get you sued, if the employee ever demands that you reimburse them for the call and you refuse.
In light of the fact that your employees, at one time or another, will use their personal devices at work, or for work-related purposes after hours, you must control that behavior. You do so with a BYOD policy that specifies what you will allow and what you will not allow, in terms of employees’ personal devices.
Though not a complete list, you should cover at least the following issues in your BYOD policy:
- Specify what devices you will permit employees to use on the job.
- Develop a strict security policy for all business and personal digital devices.
- Explain clearly who owns work-related software, applications, and data stored on employees’ devices.
- List specifically what software and apps you will permit, and which must not be permitted.
- Require all employees to read and sign an acknowledgement form indicating their understanding of and agreement to the BYOD policy.
- Develop clear plans on how to secure company software, apps, and data when an employee leaves the company.
An employer’s rights and responsibilities regarding BYOD programs are definitely an issue in flux, and courts are regularly making decisions that affect how you must administer your program.
We have provided you with some things to consider as you develop or upgrade your digital technology policies. This information can help you work more efficiently with your attorney, but is in no way sufficient for use in developing policies on your own. And forget about copying policies from the web and changing them to suit your own needs—you can get sued doing that, too.
In the Digital Age, everything happens faster, including lawsuits. If we have made you aware of the need to have good technology policies, and to have a knowledgeable attorney to create them for you, perhaps we have spared you from receiving any.