An employee reports to his supervisor that a coworker is viewing pornographic websites during the workday on his company computer and that some of the sites involve child pornography. What is the company's responsibility, if any, to investigate the employee's Internet use? Must the company discipline the employee or inform law enforcement authorities of such activity? Can the company become liable to third persons harmed by such activities?
With the prevalence of employee Internet access at work, those types of vexing questions have now reached the courts. A recent New Jersey case provides the first judicial decision on this hot-button topic.
Doe v. XYC Corp.
In Doe v. XYC Corporation,1 a New Jersey intermediate appellate court recently held that an employer on notice that one of its employees is using a workplace computer to access pornography and possibly child pornography not only has a duty to investigate the employee's activities but also has a duty to take prompt and effective action to stop any such unauthorized activity and report the activity to law enforcement authorities.
XYC's Internet policy was fairly common. It provided that employees were permitted to "access sites which are of a business nature only," that an "employee who discovers a violation of this policy shall notify [Human Resources]," and that an "employee who violates this policy or uses the [company's] electronic mail or Internet systems for improper purposes shall be subject to discipline, up to and including discharge."
The facts in Doe are as follows: A Network Administrator in XYC's IT Department noticed that an employee's computer log reports indicated visits to pornographic websites. The Network Administrator directed the employee to cease the activity but did not inform senior management. Approximately one year later, the employee's immediate supervisor independently noticed that the employee was visiting inappropriate websites and asked the Network Administrator for a report. The IT employee reviewed the employee's Internet logs for two days and found that he was visiting websites with pornographic names including "bestiality" and "necrophilia." The Network Administrator advised XYC's Director of Network and PC Services, who chose not to take any action, believing that company policy prohibited monitoring of Internet usage.
In late 2000, a coworker reported to her manager that the employee was shielding his computer monitor from view and quickly minimizing windows in a suspicious manner. The manager raised the matter with her superior, but no action was taken. In March 2001, the employee's immediate supervisor accessed the employee's computer, clicked on "websites visited" and noticed that many website names were pornographic in nature including one that specifically mentioned children. The supervisor met with the employee and directed him to cease this activity. Although the employee evidently complied for a short time, within a few months he resumed his conduct. Thereafter, the employee was arrested on child pornography charges, but not because of any action taken by the company.
The police learned that five months prior to his arrest, the employee had taken pornographic videos and photographs at home of his stepdaughter "Jill" and was transmitting the images over the Internet from his workplace computer. A search warrant of the employee's computer also showed that the employee had downloaded and stored on his workplace computer additional child pornography.
The employee's wife sued XYC on her own behalf and on behalf of her 10-year-old daughter Jill, alleging that her husband's use of the workplace computer to access, upload, and download child pornography, including pornographic pictures of Jill, and XYC's actions and omissions, caused injury to her and her daughter. XYC filed a motion for summary judgment, which was granted. On appeal, the New Jersey Appellate Division reversed.
In reversing, the Doe court first found that the employer had the ability to monitor Internet use because XYC possessed WebTrends, a common Internet monitoring program, and could also access the employee's Internet logs and website history. Next, the court concluded that the company's right to monitor workplace Internet usage "trumped" the employee's privacy interest.2
The court then addressed the issue of what XYC knew or should have known about the employee's Internet usage. The court held that because the company was "on notice" of the employee's activities, XYC had a duty to investigate further. Had it done so, the court held, it would have learned that the employee was using his work computer to view child pornography. The court therefore imputed such knowledge to XYC.
The most significant issue addressed in Doe was whether an employer, with actual or imputed knowledge that an employee engaged in illegal activity on his workplace computer, has a legal duty to prevent the employee from continuing his unlawful Internet use. The court held that such a duty exists as a matter of law.3
The Doe court stated that XYC was under a duty to exercise reasonable care to stop the employee's viewing of child pornography, a criminal offense which, by its very nature, the court observed, "has been deemed by the state and federal lawmakers to constitute a threat to 'others' being the children who are forced to engage in or are unwittingly made the subject of pornographic activities."
The final issue addressed in Doe was proximate cause. The court remanded this question to the lower court to determine whether an appropriate investigation by XYC would have led to the cessation of the employee's illegal activities. The court acknowledged that although the employee could have used a computer elsewhere to engage in his activities, including a computer at home or a library, that fact did not negate proximate cause but rather presented a contested issue of fact.
Lessons From Doe
Doe v. XYC illustrates what can go wrong when an employer either turns a blind eye to inappropriate workplace conduct or is paralyzed in deciding what to do, given the unpleasant choices and unpleasant topic involved. With the range of illicit activities that can be conducted over the Internet including gambling, viewing of child pornography, and engaging in harassing and threatening communications, employers are being increasingly exposed to potential liability. What lessons can companies and their counsel learn from Doe?
Appropriate Internet Policies: XYC already had the most significant preventative tool in place - its policy limiting Internet use to business purposes, obligating employees to report violations of the policy, and providing a right to discipline employees for misuse. Significantly, the court found this policy was sufficient to defeat any expectation of privacy in the employee's Internet use.4 Even if a company has an Internet usage policy allowing personal use of the Internet during breaks or non-working time, it is advisable after Doe to include a blanket prohibition against any Internet use that violates the law or the legal rights of others, harms another person or entity or creates a risk of bodily harm to others, or violates any other company policy or guideline (such as the company's workplace harassment, insider trading, or anti-kickback prohibitions).5
Supervisory and IT Department Training: As the eyes and ears of the company, and through whom liability is often established, supervisors must not only be familiar with the company's policies, but also should be trained to immediately report suspected violations of improper Internet or e-mail usage up the chain of command. Likewise, IT personnel alone should not decide whether to investigate and what if any action should be taken in response to violations or suspected violations of the company's Internet and e-mail policies. This was one of several mistakes made by XYC. The IT department should promptly notify corporate inside counsel and the HR department of any suspected violations of the Internet and e-mail policies.
The Need to Investigate: Another lesson to be learned from Doe is that conducting a reasonably thorough investigation may be warranted. It appears that XYC management did not wish to look at the actual content on the websites, but only the website names listed on the employee's website activities log. Such reluctance may be understandable, but in view of the Doe court's finding of imputed knowledge, a compelling argument can be made that failure to conduct a thorough investigation deprives an employer of the very information that might be imputed to it anyway by a court of law.6
Prompt and Effective Remedial Action: Although XYC initially directed the employee to stop viewing pornographic websites, the admonition was hardly effective and he resumed his activities for an extended period without company intervention. A second warning merely resulted in only a brief hiatus in his actions. "Prompt" and "effective" are terms that can only be measured in context, but common sense would suggest that mere verbal warnings might be insufficient. Furthermore, once some form of disciplinary or remedial action is taken, employers are wise to follow up periodically and repeatedly to ensure that the prohibited conduct truly ceased. In this case, at a bare minimum, continued monitoring of the employee's Internet activity was warranted.
Deciding Whether to Report the Employee to the Authorities: Employers are understandably reluctant to report their employees' suspected criminal activity to law enforcement authorities. Similarly, employers are justifiably concerned that they will be subjected to lawsuits for malicious prosecution, defamation, and other types of claims for filing such reports.
The court in Doe held that in view of the public policy favoring "exposure of crime," the company had a duty to both take effective internal action and "report the Employee's activities to the proper authorities." Although it is unclear whether this holding would apply to all types of employee Internet activities that violate the law, Doe may give employers the answer to the tough question of whether they need to report suspected criminal activity to law enforcement authorities - especially if the suspected conduct cannot adequately be stopped by mere discipline or termination of employment.7 This holding may therefore provide an employer with an additional defense to a claim by an employee suspected of criminal conduct based on the employer's action in reporting the employee to law enforcement authorities.
In light of Doe, when faced with suspected illegal use of the Internet by an employee, an employer should take a proactive approach, even if it may ultimately lead to reporting the matter to the police. As a result of the potential for liability to third parties who may be harmed by the illegal conduct, as well as the potential for claims by the suspected employee, a prudent employer should confer with its inside corporate counsel when deciding whether and how to conduct an investigation, whether the employee's use of the Internet violates a criminal law, what prompt and effective action the employer should take, and whether there is a duty to report the matter to law enforcement authorities. 1 328 N.J. Super. 122, 887 A.2d 1156 (App. Div. Dec. 27, 2005).
2 In so holding, the court distinguished between monitoring an employee's Internet usage and monitoring private electronic communications of employees. It noted that the Supreme Court of New Jersey previously held that while employers had a duty to take effective measures to stop co-employee harassment in the workplace, the Court held that employers do not have a duty to monitor their employees' private electronic communications. Blakey v. Continental Airlines, 164 N.J. 38, 61 (2000).
3 In reaching this profound holding, the court did not merely rely on some arcane or unique New Jersey authority; rather, it found legal authority for this ruling in the Restatement (Second) of Torts, most particularly 317.
4 Employee privacy rights vary by jurisdiction. In New Jersey, employees of private employers have a limited right to privacy under the State Constitution, whereas in New York, no such privacy rights exist in private employment.
5 The company's e-mail policy should contain similar prohibitions. After Doe, another sensible prohibition would include a ban on viewing any pornographic websites.
6 Conducting investigations of suspected workplace misconduct poses legal risks if not conducted in a defamation-proof manner. See R. Reibstein, "Defamation-Proof Your Workplace," HR Advisor, July/August 2005.
7 While child pornography is plainly illegal, reprehensible, and harms children who are being exploited, other types of illegal Internet activity may not cause injury to others or pose an unreasonable risk of bodily harm. In such circumstances, an employer might argue that it has no duty under 317 of the Restatement to report such activity to the police. See note 3 above.
Richard J. Reibstein is a Partner in the Employment Services Department of WolfBlock and heads the firm's labor and employment law practice in New York City. Russell E. Adler is an Associate in WolfBlock's Employment Services Department in New York City. Both are admitted and practice in New York and New Jersey.