Employer Liable for not Stopping Computer Porn

March 10, 2006

Excerpted from New Mexico Employment Law Letter, written by attorneys at Tinnin Law Firm, A Professional Corporation

Newspaper headlines continually remind us of the tragic fact that child pornography persists and is often transmitted through computers in the workplace. If an employer hasn't adopted measures to ensure employees aren't using workplace computers for such illicit purposes, ti will certainly want to do so now in light of a recent ruling from a New Jersey state court. While the decision only affects New Jersey, it may signal things to come.

The New Jersey court ruled that an employer that knows or should know that an employee is using a workplace computer to access child pornography has a legal duty to investigate the employee's activities and to take prompt and effective action to stop him lest it result in harm to innocent children — harm for which the employer can be liable. Let's review the facts of the case to see how one company may soon find itself paying damages to a girl for not having done enough to stop her stepfather's use of company e-mail to send pornographic photos of her.

HR Executive Special Report: Managing Your Workplace in an Electronic Age

Employee's work history
The unidentified employee in the case worked in a cubicle office as an accountant for XYC Corporation. In 1998 or 1999, two IT employees at the company noted in their review of computer log reports that the employee had visited pornographic sites. They told him to stop the activity but didn't inform any supervisors.

In early 2000, the employee's immediate supervisor had the employee's  Internet use tracked for a day or two. A list of the websites he visited indicated he was accessing pornographic sites, but management didn't actually view the websites and failed to take any action because of concern about whether it could permissibly monitor Internet activity. In December 2000, a second supervisor surmised that the employee was viewing pornography based on the manner in which he shielded his computer screen from view, but no action followed.

In March 2001, the employee's immediate supervisor went to the employee's cubicle when he was out to lunch and checked the list of websites he had visited. He had visited several pornographic sites, including one titled "Teenflirts.org: The Original Non Nude Teen Index." The supervisor didn't view any of the sites. After talking with his superiors about his findings, he met with the employee on March 6 and told him to stop using company computers to view pornography.

The employee appeared to stop his activities, but in early June, his supervisor saw that he had started again. The supervisor told no one, however, and left on a business trip, not returning until after the employee's arrest on child pornography charges on June 21.

Basic Training for Supervisors - easy-to-read training guides, including electronic issues in the workplace

Employee's abuse of stepdaughter
The employee had married in October 2000. During the five months before his arrest, he secretly videotaped and photographed his 10-year-old stepdaughter at their home in nude and seminude positions. He had brought his stepdaughter to work and to company outings, so supervisors were aware that he had married a woman with a child.

On June 15, 2001, the employee used his workplace computer to transmit three photographs of his stepdaughter to a child porn site. He later acknowledged that he stored child pornography, including nude photos of his stepdaughter, on his workplace computer. He was arrested on June 21 following a search two days earlier of his workspace and work computer that found numerous images of child pornography.

HR Executive Special Report: Employee Privacy Challenges & Solutions

Company's monitoring capabilities and authorization
The company possessed and could have implemented computer software that would have permitted it to monitor where employees go on the Internet and for how long they visit a site. Its computer network also maintained log files that identified all websites accessed by date. By entering a simple code, officials could have isolated all the websites the employee visited during a given period and could have opened them. Finally, his websites could have been monitored simply by looking directly on his computer as his immediate supervisor did in March 2001.

The company had recognized its right to monitor employees' website activity and e-mails by distributing a policy to all employees that specifically stated that all e-mails sent or received were company property and weren't confidential. In the policy, it reserved the "right to review, audit, access and disclose all messages created, received, or sent over the e-mail system as deemed necessary by and at the sole discretion of [the company]." As for the Internet, the policy stated that employees were permitted only to access sites of a business nature.

Company sued for failing to stop activity
The employee's wife sued the company for negligence on behalf of her daughter. Her lawsuit, as later refined by the appeals court, alleged that (1) the company knew or should have known that the employee was using its property to interact with child pornography sites, (2) given the nature of the offense, it had a duty to report to proper authorities the crime being committed on its property during work time, (3) it breached that duty, and (4) as a result of that breach of duty, her daughter was injured by the employee's transmission of nude images of her from his work computer on June 15, 2001. The trial court dismissed the case before trial in the company's favor.

Appeals court revives case and imposes duty to take action
The appeals court reversed the trial court's decision, determining that the company can be liable. First, it clearly had the ability to monitor the employee's use of the Internet on his office computer. Second, it had the right to monitor his other computer activity. Its computer-use policy advised employees that computer use would be monitored, so he had no legitimate expectation of privacy that would prevent it from accessing his computer to determine if he was viewing pornography.

Third, the company knew or should have known, based on the firsthand information of supervisory personnel, that the employee was using his office computer to access child pornography. Fourth, and most critical, given its actual or constructive knowledge that he was viewing child pornography on his work computer, it had a duty to prevent him from continuing his activities. That duty required it to report his activities to the proper authorities and to take effective internal action to stop those activities, whether by firing him or some less-drastic action.

The fifth and final piece of the analysis is whether the company's failure to take action (i.e., the breach of its duty) was the cause of harm to the employee's stepdaughter. That, in turn, entails two subquestions — one on causation and one on damages — both of which will have to be decided by a jury.

The subquestion on causation for the jury will be whether the company's breach of duty resulted in the action causing harm — the transmission of the nude images on June 15, 2001. In other words, had it acted to stop the employee when it should have, would the transmission of nude images have been averted?

The subquestion on damages for the jury will be what harm (psychological, medical, or otherwise) the stepdaughter and her mother endured as a result of the June 15 Internet transmission. In negligence cases, plaintiffs can recover only for the harm that's caused by a defendant's breach of duty. Doe v. XYC Corp., No. A-2909-04T2 (N.J. Super. Ct. App. Div., Dec. 27, 2005).

Significance for employers
The legal duty to act imposed by this court reinforces employers need to both monitor computer use and take prompt and effective action when misuse is discovered. To successfully rebut any privacy complaints lodged by employees, an employer must — as the company did in this case — adopt, distribute, and consistently enforce a written policy regulating computer use. It should restrict personal use of the Internet and e-mail and advise employees that all computer systems and all communications and stored information transmitted, received, or contained in the systems are the company's property and are to be used solely for authorized purposes.

When defining "authorized" use of computer systems, employers must decide whether to prohibit all personal use or permit some appropriate personal use. Many employers choose the latter given the reality that most employees will use the Internet and e-mail for some personal reasons. Regardless of what direction you choose, you should include in your policy a nonexclusive list of what you consider unauthorized and inappropriate uses of computer systems.

To be effective, an employer's policy must be distributed. Have your employees sign acknowledgments that they have received and read and understand the policy (if the policy is contained in your handbook, have them sign such acknowledgments regarding the handbook). And finally, enforce your policy consistently.

Audit your company's Internet and e-mail policies with the Employment Practices Self-Audit Workbook

Copyright © 2006 M. Lee Smith Publishers LLC. This article is an excerpt from NEW MEXICO EMPLOYMENT LAW LETTER. New Mexico Employment Law Letter is published to provide information of general interest and not to provide legal advice regarding any specific situation. Questions and inquiries directed to specific applications of the information contained in the newsletter should be addressed to an attorney.

: