When An Employee Surfs For Internet Kiddie Porn At Work: Avoiding Civil Liability For Employee Cyber-Crime

Saturday, April 1, 2006 - 01:00

The New Jersey Appellate Division has recognized an employer's duty, under certain circumstances, to investigate and stop an employee's unauthorized use of a workplace computer to access child pornography. Some observers have criticized the court's decision, in Doe v. XYZ Corporation , as creating new obligations requiring employers to spend time and money monitoring employees rather than running their businesses. In reality, however, the decision merely reaffirms a fundamental principle of employment law: issuing employee policies - whether regarding Internet or e-mail usage or any other subject - will not protect an employer from liability for workplace torts if those policies are not consistently enforced. The decision should not be viewed as a trap that will inevitably snare well-meaning employers simply trying to carry on their businesses, but as a reminder that implementing and reliably enforcing appropriate policies can effectively shield employers from liability - even if their employees engage in despicable and criminal acts.

The Parties

The defendant-employer in this case, "XYZ Corporation," employed approximately 250 employees at its headquarters, including an accountant identified in the decision only as "Employee." Employee worked at a cubicle without doors that opened into a hallway. The plaintiffs were "Jane" and "Jill Doe," Employee's wife and stepdaughter, respectively.

Employee's Conduct At Work

In 1998 or 1999, XYZ's Information Technology ("IT") personnel discovered that Employee had been visiting pornographic Internet websites at work. They told Employee to stop, but did not inform their supervisors.

In early 2000, Keith Russinoff, Employee's supervisor, discovered that Employee was visiting inappropriate websites. IT reviewed computer logs and identified websites that Employee had visited, including sites dedicated to bestiality and necrophilia. IT reported the findings to Russinoff and Jessica Carroll, XYZ's Director of Network and PC Services, but no further action was taken.

In December 2000, a female co-worker and her manager suspected that Employee was viewing pornography, because he frequently shielded his computer monitor to prevent others from seeing what he was doing. The manager reported the matter to Suzanne Colon, Manager of Financial Reporting, who took no action.

In February 2001, Carroll herself reviewed a list of websites that Employee had visited and concluded that they were pornographic, but did nothing. Subsequently, after a co-worker saw a bikini-clad woman with "very large breasts in a sultry pose" on Employee's monitor and Russinoff saw Employee blocking his screen, Russinoff entered Employee's cubicle when Employee was at lunch, and printed out a partial list of "websites visited," which included the names of obvious porn sites like "Big Fat Monkey Blowjobs" and "Sleazy Dream Main Page," and at least one regarding children: "Teenflirts.org."

After consulting with his superiors, Russinoff told Employee, on March 6, 2001, that there had been reports of his inappropriate use of the computer. Employee agreed to stop but, in early June 2001, Russinoff discovered that Employee had started again. Russinoff did nothing, told no one, and left on a business trip, from which he did not return until after June 21, 2001, when Employee was arrested on child pornography charges.

Employee's Conduct Regarding Jill

For approximately five months before his arrest, Employee had been secretly taking nude and semi-nude photographs and video of his ten-year-old stepdaughter, "Jill." On June 15, 2001, in order to gain access to a child porn website, Employee transmitted Jill's photos from his workplace computer to the site. After photographs of Jill were discovered in a dumpster at XYZ, police searched Employee's work space and computer. Employee's e-mails to pornographic websites and interactions with other individuals regarding child pornography were discovered.

Employee later acknowledged storing child pornography, including nude photos of Jill, on his work computer and admitted downloading more than 1,000 pornographic images during his employment. A search of his desk uncovered 70 downloaded pornographic photos of adult and juvenile females. Child pornography images were also found on his computer, along with evidence that he had visited such websites as "Incest Taboo" and "Young Girls Nude 13 to 17 years old."

XYZ's Ability To Monitor

XYZ had software that would have allowed it to monitor employee activities on the Internet, including identifying websites an employee visited and how long each visit lasted. Its network also maintained log files identifying all websites accessed by a particular employee on any given day.

XYZ's Internet And E-Mail Policy

XYZ's Internet and e-mail policy stated that e-mails were the property of XYZ and were not confidential, and only access to websites "of a business nature" was permitted. Employees were required to report violations of the policy to the Personnel Department.

The Lawsuit

Jill's mother sued XYZ on her daughter's behalf for breaching its duty to report the crimes that Employee was committing on its computer. She initially argued that XYZ was liable for harm that Jill suffered as a result of Employee's clandestinely photographing - and thereby "molesting" - her at home, but subsequently claimed instead that XYZ was liable for harm Jill suffered as a result of Employee's transmission of her nude and semi-nude photos via the Internet. The trial court granted XYZ's summary judgment motion.

The Appellate Division

On appeal, the Appellate Division considered several issues. First, the court determined that XYZ had the software and technology to monitor Employee's use of the Internet on his office computer.

Second, the court determined that XYZ had the right to monitor Employee's Internet activities. It held that, in light of XYZ's Internet and e-mail policy, and the fact that Employee's computer screen was visible from the hallway, Employee "had no legitimate expectation of privacy that would prevent his employer from accessing his computer to determine if he was using it to view adult or child pornography."

Third, the court determined that XYZ knew or should have known that Employee was using its computer to access child pornography. The court explained that, pursuant to XYZ's policy, Employee's improper use of the Internet was reported and should have triggered an investigation, which would have revealed "the full scope of Employee's activities." Accordingly, the court imputed to XYZ knowledge that "Employee was viewing pornography on his computer and, indeed, that this included child pornography."

Fourth, the court concluded that XYZ had a duty to act, either by terminating his employment or notifying law enforcement, to prevent Employee from continuing his activities. The court found that Employee was using XYZ's property to engage in criminal conduct, XYZ knew that it had the ability to control Employee, and knew or should have known of the necessity of doing so. Therefore, XYZ had "a duty to exercise reasonable care to stop Employee's activities, specifically his viewing of child pornography."

Finally, the court considered whether XYZ's failure to act proximately caused harm to Jill. It held that a jury could reasonably find that, had XYZ conducted a prompt investigation, it would have discovered and stopped Employee before his June 15, 2001 transmission of Jill's photos. The court explained, however, that there was insufficient evidence in the record to establish that Jill suffered damages as a result of the transmission. Therefore, the court remanded the case to the trial court to address this issue.

Guidance For Employers

It is imperative that employers implement policies governing the workplace use of the Internet and e-mail. The Doe decision has not altered the law in this regard. As set forth in prior case law and discussed briefly in Doe , it is clear that such policies should continue to provide, among other things, that: (1) all electronic communications are the property of the employer; (2) employees must not use the Internet or e-mail for conduct that is illegal (e.g., gambling) or inappropriate (e.g., transmitting offensive, harassing, or derogatory images or information); and (3) the employer reserves the right to monitor all Internet activity and e-mail communications and, therefore, employees should have no expectation that any such information will be private.

Criticism that Doe imposes a new obligation on employers to closely scrutinize their employees' Internet and e-mail use for signs of misconduct is misplaced, because the decision imposes no such obligation. Instead, the decision reaffirms a crucial, broadly-applicable lesson with significance far beyond the area of Internet and e-mail usage. Specifically, in addition to simply issuing policies, employers must consistently enforce those policies pursuant to carefully established, standard protocols and procedures .

This lesson applies equally to policies on discrimination, harassment, Sarbanes-Oxley whistle blowing, and other areas. In Doe , XYZ prohibited improper Internet and e-mail use and required employees to report violations to the Personnel Department. According to the court, one "can reasonably assume that such reporting was not simply intended as an idle gesture but was intended to trigger an investigation so that it could be determined if, according to the policy, the offending employee needed to be disciplined."

Therefore, if XYZ had followed its policy, upon receiving notice that Employee was using the Internet for improper purposes, it would have investigated. An investigation would have revealed the extent of his misconduct and XYZ could have taken reasonable steps to stop it. Under the Doe court's analysis, an employer that learns of an employee's misuse of the Internet or e-mail, investigates, and then takes reasonable steps to stop the misconduct, should effectively avoid liability.

In Doe , however, when Employee's violations were reported, XYZ essentially did nothing, and the consequences - a criminal investigation replete with search warrants, civil litigation, and being implicated in the Internet transmission of child pornography - were huge. Similarly harsh results often arise when employers fail to enforce their employee policies. Lawsuits are frequently filed, for example, when employers with anti-discrimination or anti-harassment policies ignore the complaints of a victim, or when employers with whistle blowing policies fail to investigate reports of wrongdoing or permit retaliation. As XYZ has now learned, not enforcing a policy may be as risky as not having one at all.

Linda B. Katz is a Member of the Firm's Employment and Labor Practice Group and William R. Horwitz is a Senior Associate with the group.

Please email the authors at lkatz@sillscummis.com or whorwitz@sillscummis.com with questions about this article.