Archive for Policy

Update Email Policy

A court case coming out of New Jersey could impact most firms’ privacy and security practices, according to an article on DarkReading. The New Jersey Supreme Court recently ruled in Stengart v. Loving Care Agency, Inc., 408 N.J.Super. 54, 973 A.2d 390 (Superior Ct., A.D. 2009) that an employer cannot read email messages sent via a third-party email service provider, even if the emails are accessed during work hours from a company PC.

The court found the company’s policy on email use to be vague, noting it allows “occasional personal use.” “The policy does not address personal accounts at all,” the decision said. “The policy does not warn employees that the contents of such emails are stored on a hard drive and can be forensically retrieved.”

The ruling, written by Chief Justice Stuart Rabner, states in part that the employee could “reasonably expect that emails she exchanged with her attorney on her personal, password-protected, Web-based email account, accessed on a company laptop, would remain private.” Rabner continues that the employee “plainly took steps to protect the privacy of those emails and shield them from her employer.” “She used a personal, password protected email account instead of her company email address and did not save the account’s password on her computer.”

The law firm of Jackson Lewis provides a legal overview of the case on its blog, The Workplace Privacy Data Management and Security Report, and recommends that employers consider modifying their existing electronic communication policies to include:

  • Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
  • Definitions of the specific technologies and devices to which the policies apply;
  • Warnings that web-based, personal e-mail can be stored on the hard-drive of a computer and forensically accessed;
  • No ambiguities about personal use.

rb-

I am no lawyer; be sure to consult your attorney about this and all legal issues. In my opinion, this ruling is new law-making. The new laws are currently applicable only in New Jersey. However, unless the U.S. Supreme Court overturns this new law, it will be the starting point for all other litigation. Firms should begin reviewing and updating their technology policies to protect themselves from this new law.

An interpretation of the ruling suggests that employees have to be specifically warned that it is possible to forensically retrieve data from the firm’s computers. In this ruling, the Court found, “the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read.”

Sounds like another shot in the arm for the content filtering firms.

Taxman Still Coming

Updated 04-13-2010: It is being reported that the U.S. House has scheduled for April 15th consideration of the Taxpayer Assistance Act of 2010, a bill whose major provision would remove cell phones and similar telecommunications devices as listed property, effective for tax years beginning after 2009.

Ways and Means member John Lewis (D-GA) was expected to introduce the bill. It would include several individual taxpayer assistance measures. As offsets to the bill’s cost of $411 million, it would expand the bad-check penalty to electronic payments and increase information return penalties.

rb-

By 2013, mobile phones will overtake PCs as the most common Web access device worldwide, according to Gartner forecasts. The IT research firm says the total number of PCs in use will reach 1.78 billion in 2013. By 2013, the combined installed base of smartphones and browser-equipped enhanced phones will exceed 1.82 billion units and will be greater than the installed base for PCs afterwards.

Despite these projections, the U.S. Internal Revenue Service (IRS) continues to treat mobile phones as a luxury. According to an article on Mobile Enterprise, since 1989 IRS regulations have identified the cellphone as “listed property.” A listed property is an item obtained for use in a business but designated by the Internal Revenue Code as lending itself easily to personal use. According to the IRS, “unless the employer has a policy requiring employees to keep records, or the employee does not keep records, the value of the use of the phone will be income to the employee.” The IRS goes on to say, “At a minimum, the employee should keep a record of each call and its business purpose. If calls are itemized on a monthly statement, they should be identifiable as personal or business, and the employee should retain any supporting evidence of the business calls. This information should be submitted to the employer, who must maintain these records to support the exclusion of the phone use from the employee’s wages.” On the other hand, if the phone is employee-owned, the IRS says “the listed property requirements do not apply. Any amounts the employer reimburses the employee for business use of the employee’s own phone may be excludable from wages if the employee accounts for the expense under the accountable plan rules.”

After proposing in June 2009 to tax up to one quarter of an employee’s use of a work cellphone, the IRS has since decided to let Congress handle the matter. IRS Commissioner Doug Shulman announced on January 8, 2010, that the IRS is now taking a “wait-and-see” attitude that leaves its current regulations in place until Congress passes new legislation. Shulman said on C-SPAN’s “Newsmaker” program: “We’re quite hopeful Congress is going to act on this. In the meantime, we’re not doing anything special or moving forward with any initiatives. Our hope is that there will be legislation to clean this up.” Senator John Kerry (D-MA) sponsored the Modernize Our Bookkeeping In the Law for Employees – Mobile Cell Phone Act of 2009 (S. 144/H.R. 690) to remove mobile devices from the listed property rule to exempt them from the tax. The House approved the bill during the last Congress, but it is still in committee in the current session.

The Cellular Telecommunications & Internet Association (CTIA) trade association welcomed the news. In a Jan. 11, 2010, prepared statement CTIA President Steve Largent said, “The existing rule is an anachronism and it can’t be saved simply by giving it a facelift. That’s why we are focused on continuing to secure congressional support for the Mobile Cell Phone Act, which enjoys broad bipartisan support on both sides of the Capitol. It is our hope that Congress act soon to help employers and employees alike by repealing this absurd, outdated rule.” According to CTIA, employees are still required to maintain logs detailing their business use on a mobile device. The IRS expects individuals to record the following items, according to the CTIA:

  1. the amount of such expense or other item
  2. the time and place of the use of the property
  3. the business purpose of the expense, and
  4. the business relationship to the taxpayer of the persons using the property.

The results of the stalled legislation have been predictable. The article cites the example of Rocky Mount, VA, which stopped issuing cellphones to employees. Town employees whose job requires 24×7 availability via cell phone are required to purchase their own phone and will be given a flat stipend for using the phone for work purposes. If employees do not keep careful records, despite paying for their own cellphones for business purposes they may not be able to claim the service as a business deduction. The article notes that “For a for-profit business, the designation of an item as ‘listed property’ has implications for depreciation deductions taken by the business and the computation of net income.”

To comply with existing tax rules, Thompson’s Employer’s Guide to Fringe Benefits Rules says employers must satisfy the onerous substantiation requirements by requiring annotated monthly statements from employees to support deductions and employee income exclusions, or they must treat the value of the benefits as wages for Federal employment tax purposes and report this value as wages on Forms W-2.

For practical reasons, Thompson says, some employers opt to reimburse employees for cell phone purchases on an after-tax basis to negate the employer’s ownership of the phones and the requisite fixed asset tracking that follows. Employers should also provide reimbursements of service and usage fees on an after-tax basis unless they collect annotated documentation from employees to substantiate the reimbursements. Employers should either collect all monthly statements from employees or, at a minimum, require employees to maintain those records to effectively respond if the IRS inquires into the claims.

What should a firm do if it provides employees with cellphones?

  1. Assess your existing policies for corporate-issued smartphones, and require employees to keep records of each call and its business purpose.
  2. Regularly audit smartphone records and require employees to reimburse the company for all personal use.
  3. Consider whether an individual-liable model for the cellphone users in your enterprise would work.
  4. Get involved and contact your Senator or Representative and tell them to update the IRS code.

Personal Laptops at Work?

CIO.com is reporting on a recent survey by Gartner which claims that 10% of a firm’s notebook computers are employee owned. The research firm says that companies are starting to let employees use privately owned notebook computers for work purposes, according to a survey of 500 IT managers in the U.S., U.K. and Germany. The IT managers said they expect that percentage to creep higher next year.

Gartner says that some employees like the trend because it means they can have more-powerful notebooks and newer designs than their companies’ IT departments provide. The survey found that 47% of workplaces have banned employee-owned PCs, 43% have policies that allow the use of employee-owned PCs for work-related purposes, and 10% have no policy on the matter.

Gartner believes this trend is popular with employers because of cost. When employees bring their own hardware to work, the employer doesn’t pay for it or maintain it.

rb-

Who was Gartner interviewing? What firm that is regulated (SOX, PCI, HIPAA, etc.) would allow unknown devices on their internal network? This trend needlessly exposes the company to malware and data theft risks. We encourage our clients to go in the opposite direction. We talk to them about writing and enforcing policies to ban personal devices like USB drives and iPods for the data theft risk. We also suggest they get control of their remote access and private email on the corporate network.

This really seems to be a lax policy in this age of cyber-crime because privately-owned hardware could open the door for a hacker. What do you think?

