A large problem for companies is formulating and enforcing an employee AUP (Acceptable Use Policy). The issue is this: if an employee uses a browser to go to an internet site that compromises your company's privacy, resulting in a loss of business due to a major security breach, would that employee be liable for not conforming to the AUP, or would the company?
My belief is that the company should be liable under the following circumstances:
1. Not having an induction programme that goes through the corporate IT AUP.
2. Not having adequate defences when the security team is aware of bogus sites and other security risks.
If you do not have an acceptable use policy to help protect the IT privacy of your corporation, www.sans.org has one that is freely available to use as a basis for formulating your own.