Misuse of Company Tech

By Cihan Cobanoglu
Web 2.0 tools are becoming increasingly more popular for employee use in the hospitality industry. Several hotel companies, such as Borgata Hotel, Casino and Spa, for example, provide all staff members, whether they are salaried or hourly, with full access to the Internet and to their human resources records and schedules via kiosks in the hotel. Other hotel companies may encourage the use of social networking tools within the company with the goal of increasing collaboration among employees. As much as there is good in letting employees use computers in the workplace for professional reasons, there are several large caveats: cyberloafing, liability concerns and confidentiality.

What is cyberloafing?
Cyberloafing is a term used when staff members surf the Internet, write email, or engage in other non-work related Internet activities on the employer's time. In the current age of connectivity, cyberloafing is of increasing concern, as employees use their employers' electronic resources to interact on social networking sites such as Facebook or MySpace, read blogs, instant message with family and friends, or simply surf the Internet for personal reasons.

At the recent Hospitality Law Conference held in Houston, attorney Steven Gutierrez, partner at Holland & Hart, presented a session on how to manage new electronic mediums, including blogs, instant messaging, etc. According to Gutierrez, 86% of employees use their employers' electronic resources for personal use; 51% of employees surf the Internet for personal reasons at work between one and five hours a week; and 25% of companies have dismissed at least one employee for misuse of Internet access.

Legal liability
What about in the hospitality industry; is this a problem in hotel and restaurant companies? Yes, hotels and restaurants (or any employer) may be held liable for employees' actions, including the use of electronic resources, within workplace time and space. If an employee harasses another employee using the company's intranet or networking forum, the employer may be liable. Continental Airlines was sued in 2000 by an employee for not preventing harassment in its electronic resources. Similarly, employees may be posting sensitive company information to public spaces, such as blogs or social networking sites, or misrepresenting the company. In another court case, Delta Airlines was sued by a former employee because Delta fired her due to content contained in her personal blog.

This issue becomes more important in the era of Payment Card Industry Data Security Standards (PCI DSS), as employees may knowingly or unknowingly put the company at risk. As a personal experience, I once received an email from a hotel manager asking me to write a welcome message for an incoming international guest. The manager forwarded me the reservation request of the guest, which included his full credit card number along with expiration date and credit card verification code (CVC). Even if this hotel is fully PCI compliant, this honest but wrong action by the employee put the company at a significant risk and the hotel company would be liable for the manager's action.

Proactive policies
The first step in protecting the organization is to form an inclusive policy. The policy should inform employees that electronic resources are for business purposes only. It should also state the excepted use of company materials, such as logo, name, and slogans, by employees outside of the work environment. Exceptions should be spelled out very clearly (i.e. family emergencies). The policy should also state that the employer owns the electronic resources, including the data created on or stored in the systems. The second step is to enforce the policy. Unfortunately, many companies have such policies, but they are not fully enforced, and therefore become ineffective. In unionized establishments, these policies should be included in contract agreements.

In these tough economic times, no hospitality company would welcome the complications with confidentiality or productivity. Therefore, I suggest that companies review their existing policies, refresh them, and include them in training materials. It may pay off many times over to be proactive in this regard.