3 key elements of an acceptable use policy
An acceptable use policy outlines what people can and can’t do on an organization’s internet connection. It can help protect your business and your clients from data breaches, cyberattacks, and other liabilities.
What is an acceptable use policy?
Also called a fair use policy, an acceptable use policy (AUP) is a list of rules people must follow to use the internet at a business or organization.
An acceptable use policy usually:
- Includes specific rules, such as no video pirating
- Outlines consequences for breaking the rules, such as warnings or suspension of access
- Details an organization's philosophy for granting access (for example, internet use is a privilege that can be revoked, rather than a right)
Why is an acceptable use policy important?
An organization can protect itself from some cyber liabilities with an AUP that clearly communicates its expectations regarding the online behavior of its employees. If an employee's AUP violation results in a lawsuit, liability may be shifted from the organization to the employee, but only if the AUP includes several key elements.
Say, for example, that an AUP prohibits downloads from a list of websites with high malware threats. An employee violates that policy and accidentally downloads malware that causes a data breach at the organization.
The affected parties take legal action against the organization, which defends itself by pointing out that its AUP specifically prohibits downloads from the site that caused the breach.
How to write an acceptable use policy
Your tech business may deal with AUPs in several ways. It may need to:
- Write an AUP for its office network
- Write an AUP for a client’s network
- Provide guidance for a client writing an AUP for its network
Regardless of your role in creating or implementing an AUP, these three key elements ensure your policy has the legal clout to reduce liability.
1. Make sure it’s all legal
Your AUP needs to comply with all relevant laws so that, in the event of a violation, the organization has solid legal footing to enforce the penalties outlined in the policy.
As you draft or consult on an AUP, be sure to consider:
- State data security laws, and whether the AUP is in compliance
- Federal data privacy and security laws, including HIPAA requirements and HITECH provisions, if the client operates in the healthcare sector
- Jurisdiction (a statement of where the AUP applies and can be enforced may help the organization in the event of policy violations)
- Laws regulating online behavior, since network users must comply with state and federal regulations in addition to AUP "netiquette" rules
An acceptable use policy that strictly adheres to legislative requirements for network use has a better chance of being upheld in court.
This, in turn, means that any information technology professionals involved in the creation of the policy (including technical writers and consultants) will be less likely to face an errors and omissions (E&O) suit over drafting an unenforceable AUP.
2. Use the policy to promote data security practices
Cybersecurity is a key concern for any organization. One way organizations can improve data security is to outline expected user behavior and identify penalties for users who perform risky actions, such as downloading suspicious files. An acceptable use policy may address the issue of data protection in several ways, including:
- Outlining the personal responsibilities of network users (e.g., updating passwords regularly)
- Identifying ways a network can and cannot be used (e.g., prohibiting the sending of email messages that link to sites with viruses)
- Restricting access to certain websites (this might be expanded in a separate access control policy)
3. Address cyber liability in the policy
An AUP can limit an organization’s liability in the event of a data breach, hacking incident, or other cybercrime. To help minimize cyber liability, an acceptable use policy should include disclaimers that remove an organization's responsibility for data breaches, theft of information, and misuse of the internet by people using the network.
While these disclaimers alone may not always hold up in court, they can help bolster an organization's defense in the event of an errors and omissions claim filed against it.
The limits of acceptable use policies
While an AUP can help reduce an organization’s liability, it can’t eliminate cyber liability entirely.
Tech businesses that build AUPs for clients should make sure their clients understand their legal limits. When clients understand that AUPs don’t eliminate all liabilities, they won't come after your tech business for errors and omissions damages if their AUP fails to protect them.
Get free quotes and compare policies with TechInsurance
Cyber liability insurance and errors and omissions insurance pick up where an acceptable use policy leaves off. Compare business insurance quotes with TechInsurance by filling out one easy online application. Start an application today to find the right policy at the most affordable price for your business.