Internet and Email Usage Policy
[Company Name]
Effective Date: [Effective Date]
Policy Owner: [Policy Owner]
1. PURPOSE
This Internet and Email Usage Policy (the "Policy") establishes the rules and expectations governing the use of [Company Name]'s (the "Company") internet, email, and electronic communication systems. The Policy is designed to protect Company assets, safeguard confidential information, maintain productivity, and ensure legal compliance.
2. SCOPE
2.1 Who This Policy Covers. This Policy applies to [Covered Personnel] of the Company.
2.2 Covered Systems. This Policy covers the following systems and resources: [Covered Systems].
3. ACCEPTABLE USE
3.1 Business Use. Company systems are provided primarily for business purposes. All use of Company systems must comply with this Policy and applicable law.
3.2 Personal Use. [Personal Use Policy]
3.3 Prohibited Activities. The following activities are strictly prohibited using Company systems:
a) Accessing, downloading, or distributing illegal, obscene, or pornographic content.
b) Harassing, threatening, or discriminating against any individual.
c) Infringing any copyright, trademark, or other intellectual property right.
d) Sending or forwarding spam, chain letters, or unsolicited bulk email.
e) Disclosing confidential Company information, trade secrets, or customer data without authorization.
f) Installing unauthorized software, plugins, or applications on Company devices.
g) Circumventing Company network security controls or content filters.
h) Using Company systems for personal commercial activity or outside employment.
3.4 Additional Prohibited Activities. The following additional activities are also prohibited: [Prohibited Activities]
4. EMAIL USE
4.1 Professional Communication. All emails sent using Company email accounts represent the Company and must be written professionally and respectfully.
4.2 Confidential Data. [Data Classification]
4.3 Phishing and Malware. Employees must not click on links or open attachments from unknown or suspicious sources. Suspected phishing emails must be reported to IT immediately.
4.4 Auto-Forwarding. Employees must not configure Company email to automatically forward messages to personal email accounts.
4.5 No Expectation of Deletion. Employees should be aware that deleted emails may be recoverable and that emails may be subject to legal hold and discovery in litigation.
5. MONITORING AND PRIVACY
5.1 Monitoring Rights. [Monitoring Scope]
5.2 No Privacy Expectation. [Privacy Expectation]
5.3 Consent. By using Company systems, employees consent to monitoring consistent with this Policy.
6. VIOLATIONS AND DISCIPLINARY ACTION
6.1 Consequences. [Disciplinary Range] Violations that constitute criminal conduct may be referred to law enforcement.
6.2 Reporting. Employees who become aware of violations of this Policy should report them to [Policy Owner] or through the Company's anonymous reporting process.
7. ACKNOWLEDGMENT
All covered personnel are required to acknowledge receipt and understanding of this Policy by [Acknowledgment Method]. Failure to sign the acknowledgment does not exempt any individual from compliance with this Policy.
AUTHORIZED BY:
Signature: _______________________________ Date: _______________
Printed Name: _______________________________
Title: _______________________________
[Company Name]
EMPLOYEE ACKNOWLEDGMENT:
I acknowledge that I have received, read, and understood the Internet and Email Usage Policy of [Company Name] effective [Effective Date].
Signature: _______________________________ Date: _______________
Printed Name: _______________________________
Department: _______________________________
What Is an Internet and Email Usage Policy?
An Internet and Email Usage Policy in the United States sets out the rules and standards the organisation expects those it covers to follow.
The Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510-2523, generally prohibits the interception and disclosure of electronic communications without consent. However, ECPA's 'business extension' exception (18 U.S.C. § 2510(5)(a)) permits employers to monitor communications over equipment they provide and operate in the ordinary course of business. ECPA's consent exception (18 U.S.C. § 2511(2)(d)) provides an independent legal basis for monitoring where employees have been notified of and consented to monitoring — which a signed Internet and Email Usage Policy accomplishes. Federal courts including the Sixth Circuit in Haun v. Retail Credit Co. and numerous district courts have upheld employer monitoring of employee email and internet activity where a written monitoring policy existed.
The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, creates civil and criminal liability for unauthorized access to computer systems. An Internet and Email Usage Policy that defines the scope of authorized use helps employers establish that former employees who access company systems after termination — or employees who exceed their authorized access — have acted without authorization under the CFAA, as clarified by the Supreme Court in Van Buren v. United States, 593 U.S. 374 (2021).
The National Labor Relations Act (NLRA), 29 U.S.C. § 157, protects employees' Section 7 rights to engage in concerted activity — including discussing wages, working conditions, and workplace issues with coworkers, whether in person or through electronic communications including email and social media. The National Labor Relations Board (NLRB) has held that overly broad email and internet usage policies that could reasonably be interpreted to prohibit protected concerted activity are unlawful. Internet and Email Usage Policies must be carefully drafted to avoid chilling NLRA-protected communications.
When Do You Need an Internet and Email Usage Policy?
A US Internet and Email Usage Policy is needed by any employer — from a small business to a Fortune 500 corporation — that provides employees with access to company-owned computer systems, email infrastructure, or internet connectivity as part of their work.
Technology companies, financial services firms, healthcare organisations, and law firms whose employees handle sensitive customer data, protected health information (PHI) under HIPAA, or confidential client information require an Internet and Email Usage Policy to establish the legal basis for monitoring, to define data handling obligations, and to provide a written framework for disciplining employees who misuse company systems. A written policy signed by employees is the first line of defense in IT security incidents, HIPAA breach investigations, and data theft claims against former employees.
Employers seeking to enforce the Computer Fraud and Abuse Act (18 U.S.C. § 1030) against employees or former employees who accessed company systems without authorization — to steal confidential data, sabotage systems, or conduct competitive intelligence — benefit from an Internet and Email Usage Policy that clearly defines the scope of authorized access. Following Van Buren v. United States (2021), the CFAA's 'exceeds authorized access' prong requires the employer to have established what access was authorized, which a written policy accomplishes.
Organisations with remote workers and bring-your-own-device (BYOD) programmes need an Internet and Email Usage Policy that addresses the use of personal devices for company email access, the required security configurations (MDM enrollment, screen lock, remote wipe capability), and the boundaries between personal and company data on personal devices.
Publicly traded companies subject to Securities and Exchange Commission Regulation FD (Fair Disclosure) and Sarbanes-Oxley Act (SOX) document retention requirements need an Internet and Email Usage Policy that addresses the prohibition on disclosing material non-public information through email or social media, and the obligation to retain business emails for the periods required by SEC Rule 17a-4 and the SOX records retention rules.
In states with additional monitoring requirements — Connecticut General Statutes § 31-48d requires advance written notice to employees before monitoring; Delaware Code Title 19 § 705 requires advance notice of electronic monitoring — the Internet and Email Usage Policy serves as the written notice required by state law.
What to Include in Your Internet and Email Usage Policy
A legally effective US Internet and Email Usage Policy must address the following essential provisions to comply with the ECPA consent exception, avoid NLRA violations, protect company data, and create enforceable disciplinary standards.
The scope and applicability section must define which systems and employees the policy covers — all company-owned computers, servers, networks, email systems, mobile devices, and any personal devices used to access company systems. The policy should state that it applies to all employees, contractors, and temporary workers with access to company technology resources.
The monitoring notification is the most legally critical provision. To establish the ECPA consent exception, the policy must clearly state: that the employer has the right to monitor, access, review, audit, and disclose all electronic communications, files, and internet activity transmitted over or stored on company systems; that employees have no expectation of privacy in their use of company systems; and that by using company systems, employees consent to monitoring. This consent language must be acknowledged in writing by each employee.
The acceptable use section must define permitted uses — including work-related communications, research, and de minimis personal use during non-work time — and the prohibited use categories: illegal content, harassment or discrimination, unauthorized software installation, circumventing security controls, disclosing confidential company information, and any use that violates company policy or applicable law.
The email security requirements must specify that employees must not share email passwords, must not use personal email for company business, must report suspected phishing emails to IT immediately, must not auto-forward company email to personal accounts, and must apply encryption when transmitting sensitive information. The policy should reference the company's data classification standards to help employees identify what constitutes sensitive information.
The social media clause must address NLRA Section 7 rights carefully. The policy may prohibit disclosing confidential company information, making false or defamatory statements about the company, and using company logos or trademarks on personal social media without authorization — but must not prohibit employees from discussing wages, working conditions, or other terms of employment with coworkers, as such restrictions would violate NLRA Section 7.
The records retention clause should explain that all emails sent or received on company systems are company property and subject to the company's records retention schedule, legal hold obligations in anticipated litigation, and discovery obligations in legal proceedings. Employees must not delete emails subject to a legal hold.
The consequences of violation section must describe the range of disciplinary actions — verbal warning, written warning, suspension, termination — for different categories of violations, reserving the right to refer serious violations (data theft, harassment, criminal conduct) to law enforcement. The policy should state that the list of disciplinary actions is illustrative and that management retains discretion to impose appropriate discipline based on the circumstances.
Sources & Citations
Statutory citations link to official government sources.
- 593 U.S. 374 (2021) (US) – Justia
- 18 U.S.C. §§ 2510 (US) – Cornell LII
- 18 U.S.C. § 2510 (US) – Cornell LII
- 18 U.S.C. § 2511 (US) – Cornell LII
- 18 U.S.C. § 1030 (US) – Cornell LII
- 29 U.S.C. § 157 (US) – Cornell LII
- HIPAA (US) – Cornell LII
- Sarbanes-Oxley Act (US) – Cornell LII
- SOX (US) – Cornell LII
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Internet and Email Usage Policy (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/policies/internet-and-email-usage-policy
Frequently Asked Questions
Yes, US employers have broad legal authority to monitor employee internet and email activity conducted on company-owned devices and networks. Under federal law, the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2511, generally prohibits the interception of electronic communications, but it contains a critical exception for employers who monitor communications on systems they own and operate for legitimate business purposes. The ECPA's 'business extension' exception and the consent exception (where employees are informed in advance and consent to monitoring) provide two independent legal bases for workplace monitoring. Courts have consistently held that employees have a diminished expectation of privacy when using employer-provided systems. Under the Fourth Amendment, public-sector employees have some constitutional privacy protections, but even those protections are limited when the employer has implemented a clear written policy notifying employees of monitoring. State laws add additional layers: Connecticut, Delaware, and a handful of other states require employers to provide specific advance notice before monitoring. A complete written internet and email usage policy, distributed to all employees and acknowledged in writing, is the most effective way to establish the legal basis for monitoring and to defeat employee claims of privacy expectation.
A well-drafted internet and email usage policy should explicitly prohibit the following categories of misuse. Accessing, downloading, or distributing illegal content, including content that infringes copyright, constitutes harassment, or is obscene or pornographic. Using company systems for unauthorized commercial activity, including operating a personal business. Accessing gambling, gaming, or entertainment streaming sites during work hours. Sending or forwarding chain letters, spam, or unsolicited commercial messages. Disclosing confidential company information, trade secrets, or personally identifiable information of customers or employees via personal email or social media. Installing unauthorized software, extensions, or applications on company devices. Circumventing security controls, including using personal VPNs or proxy services to bypass content filters. Making defamatory, harassing, or discriminatory statements about the company, its employees, or customers in any electronic communication. Downloading or transferring large volumes of data that may indicate data exfiltration. The policy should also clearly state what is permissible, including de minimis personal use during break times, to reduce ambiguity and avoid over-restriction that erodes employee morale.
Email is one of the most common vectors for data breaches, phishing attacks, and accidental disclosure of confidential information. A thorough email usage policy should address the following security-related issues. Employees must not share passwords to email accounts with anyone, including IT staff (password resets should go through a formal process). Employees must not use personal email accounts to send, receive, or store company confidential information, client data, or personally identifiable information (PII). Before emailing sensitive files externally, employees should confirm the recipient's identity and use encryption where available. Employees must be trained to recognize and report phishing emails rather than clicking on links or attachments from unknown senders. Auto-forwarding company email to personal accounts must be prohibited. The policy should also address how long employees may retain emails (consistent with the company's records retention policy) and that emails may be subpoenaed in litigation, so employees should write professional emails as if they could be read by a judge or jury.
The disciplinary consequences section of an internet and email usage policy should be specific but preserve flexibility for management judgment. The policy should state that violations may result in a range of consequences depending on the nature and severity of the violation, from verbal warning for minor or first-time offenses to written warning, suspension, demotion, or termination for serious or repeated violations. For violations that constitute criminal conduct — such as accessing child sexual abuse material, committing wire fraud, or theft of trade secrets — the company should reserve the right to refer the matter to law enforcement without prior notice to the employee. The policy should also address the handling of devices belonging to departing employees: the company's right to conduct a forensic review of company devices before or after employment ends, and the process for returning company data stored on personal devices. In unionized workplaces, disciplinary procedures may be subject to collective bargaining agreement requirements, and management should consult labor counsel before imposing discipline that could be challenged as a grievance.
Many companies combine internet usage and social media into a single policy, while others maintain a separate social media policy. Either approach is valid as long as the policies together cover all relevant platforms and use cases. If internet usage and social media are addressed in the same document, the policy should address: use of personal social media accounts on company time (typically restricted to break times only), the prohibition on posting confidential business information on any social media platform, the prohibition on making defamatory or harassing statements about the company or colleagues, and disclaimers that must be added when employees discuss company-related topics from personal accounts (such as 'views are my own'). The National Labor Relations Act (NLRA) limits employers' ability to discipline employees for social media posts that constitute 'concerted activity' — meaning posts by two or more employees about wages, working conditions, or other terms of employment. The NLRB has issued guidance making clear that overly broad social media policies that could chill employees' Section 7 rights are unlawful, and companies should have counsel review their policies to confirm compliance.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.