Any organization that offers members access to the Internet or an intranet (including universities, schools, government entities, and businesses) needs an acceptable use policy (AUP) to outline the rules and expectations for use of its network. Tech entrepreneurs and freelancers may find themselves dealing with acceptable use policies in a number of capacities:
- As the technical writer responsible for creating the actual AUP document.
- As the consultant charged with identifying critical elements to be included in the policy.
- As the growing business that finds it needs an acceptable use policy for its employees.
Regardless of your role in creating or implementing an acceptable use policy, be sure to pay attention to these three considerations to make sure your policy passes legal muster and helps reduce the associated organization's legal liability.
What Is an Acceptable Use Policy?
Also called fair use policies, acceptable use policies are documents that outline how members of a network can and cannot use the Internet or intranet provided by the sponsoring organization. Most often, an AUP includes specific rules (e.g., no pornography), outlines the consequences that users who break the rules can expect (e.g., warnings and suspension of access), and details an organization's overall philosophy for granting access (e.g., Internet use is a privilege that can be revoked rather than a right).
Broadly speaking, an acceptable use policy is a kind of "house rules" document for Internet access.
Legal Considerations in an Acceptable Use Policy
One important goal of an AUP is to ensure that it complies with relevant laws so that, in the event of a violation, the organization has solid legal footing for enforcing penalties outlined in the policy. IT professionals charged with drafting or consulting on the creation of an acceptable use policy should consider…
- State data security laws, and whether the AUP is in compliance.
- Federal data privacy and security laws, including HIPAA requirements and HITECH provisions, if the client operates in the healthcare sector. (For data privacy considerations specific to clients in the legal sector, read "Data Security in the Cloud: Concerns for IT Firms with Legal Clients.")
- Jurisdiction. A statement of where the AUP applies and can be enforced may help the organization in the event of policy violations.
- Responsibility of network users. In addition to adhering to "netiquette" rules outlined by the AUP, network users must also adhere to state and federal laws that regulate behavior online.
An acceptable use policy that demonstrates careful adherence to relevant legislation regarding use of a network has a better chance of being upheld in court. This, in turn, means that any IT professionals involved in the creation of the policy (including technical writers and consultants) will be less likely to face a professional liability suit over drafting an unenforceable AUP.
Data Security Provisions in an Acceptable Use Policy
Data security is a key concern for any organization offering Internet or intranet access. One way organizations can improve data security is to outline expected user behavior and identify penalties for users who compromise data security (e.g., by downloading files that contain viruses).
An acceptable use policy may address the issue of data security in several ways, including…
- Outlining personal responsibilities that network users have (e.g., updating passwords regularly).
- Identifying ways a network can and cannot be used (e.g., prohibiting the sending of email messages that link to sites with viruses).
- Restricting access to certain websites (this might be elaborated in a separate access control policy).
Liability Considerations in an Acceptable Use Policy
One central reason AUPs are important for organizations that offer Internet access is to limit liability in the event of a data breach, hacking incident, or other incident of cyber crime, whether perpetrated by a network member or by an outsider.
To help minimize that liability, an acceptable use policy should include disclaimers that remove an organization's responsibility for data breaches, theft of information, and misuse of the Internet by network members. While these disclaimers alone may not always hold up in court, they can help bolster an organization's defense in the event of an Errors & Omissions claim filed against it.
One final note: while an AUP can help reduce liability, it may not eliminate liability entirely. IT contractors and consultants charged with creating or writing an acceptable use policy should make sure their clients understand this. That way, if a client is ultimately found liable for something it thought its AUP protected it from, the client won't come after you, the IT contractor, for damages.