Employers Don't Put Your Heads In the Sand, You May Be Required to Monitor, Investigate and Report Employees Accessing Child Pornography

Posted on December 11, 2009 by Jason C. Gavejian

The New Jersey Appellate Division (Doe v. XYC Corporation) and the Court of Appeals of Wisconsin (Maypark v. Securitas Serv. USA Inc. & Sigler v. Kobinsky) have both examined an employer’s duty to monitor employees conduct while at work, and have reached drastically different results. Additionally, at least seven states—Arkansas, Illinois, Missouri, North Carolina, Oklahoma, South Carolina, and South Dakota—have enacted laws requiring computer technicians or Internet service providers to report child pornography if they encounter it in the scope of their work. 

New Jersey. In Doe v. XYC, the company’s IT department noticed an employee was accessing pornographic web pages while at work. Despite numerous complaints and suspicious usage by the employee, management took no formal action except to instruct the employee to stop visiting inappropriate web pages. Following the employee’s marriage to the Plaintiff, the employee took nude and semi-nude pictures of Plaintiff’s 10-year-old daughter and uploaded the photos to child porn web pages using his work computer. The employee was arrested and charged, and the Plaintiff sued the company, alleging that it knew or should have known of the employee’s conduct and had a duty to report it. The state Appellate Division reversed the trial court’s decision that no duty existed. It held that XYC Corporation knew or should have known the employee was accessing child pornography at work, and further had a duty to investigate and report it. Thus, in New Jersey, where an employer has the right and ability to monitor Internet usage and the employee has no expectation of privacy, employers have a duty to investigate and report the access of child pornography if they know or should have known an employee was doing so. For a detailed analysis of Doe, click here

Wisconsin. In Maypark v. Securitas, the plaintiff sued an employer for allowing a former employee, a security guard, to post photographs of the plaintiff’s employees on an adult website.   An earlier Wisconsin case, Sigler v. Kobinsky, held that a company could not be held liable for alleged negligent supervision leading to an employee's use of a company computer to harass plaintiffs where there is no probability of harm. Specifically, a company had no duty to monitor because it was not reasonably foreseeable that providing employees with unsupervised Internet access would probably result in harm.   Relying on Sigler, the Court in Maypark overturned a $1.4 million negligence verdict against the security company, finding the guard’s action were not foreseeable.

Given the unsettled law on this issue, employers should consider several important factors when it comes to monitoring of employees. The Society for Human Resource Management published an article (*registration required) analyzing this issue. The article provides a number of suggestions, including that of our own Nadine Abrahams, a Jackson Lewis Partner in our Chicago office, who suggests the first step should be setting up a procedure for the immediate reporting of child pornography that has been discovered and the designation of a company representative who should be notified.   Additional steps include:

  • Institution of clear, effective and thorough computer usage and monitoring polices, which also address employee expectation of privacy;
  • Training of employees conducting any monitoring;
  • Prompt investigation of computer usage and allegations of unlawful conduct; and
  • Consultation with legal counsel regarding the duty to report to authorities. 

 

Tags: , , , , , , , , , , , , , , , , , ,

'Tis The Season...For Data Breach

Posted on November 19, 2009 by Jason C. Gavejian

As the holidays approach, more of us will be utilizing work time, and likely work resources, to handle our holiday shopping. Some of us may even post our shopping successes or gift ideas on Facebook or email coupons to friends. Doing so not only results in a loss of employee productivity, but also creates significant risk that personal data will be breached, or employers’ software or hardware compromised. 

A recent survey conducted on behalf of the Information Systems Audit and Control Association (“ISACA”) found that over half of employees surveyed planned to shop online from a work computer this holiday season, spending nearly two full working days (14.4 hours) doing so. With convenience and boredom listed as the biggest motivators, one in 10 planned to spend at least 30 hours shopping online at work. 

The survey also found that those who shop online are more likely to engage in other high-risk behaviors, such as banking online, clicking on links from social networking sites like Facebook, and clicking e-mail links redirecting them to shopping sites. Employees engage in these high-risk behaviors with nearly universal disregard for the safety of the employer’s IT infrastructure. This is highlighted  by the fact that one in 10 Americans who use a mobile work device, such as a Blackberry or iPhone, plan to use it for holiday shopping, notwithstanding the lack of security measures on those devices.

Robert Stroud, international VP of ISACA and VP of IT service management and governance for the service management business unit at CA Inc., in connection with the survey above was quoted as saying,

[I]t’s unrealistic to think that companies can completely stop the use of work computers for online shopping…[W]hat companies can and should do is educate employees about the risks…and remind them of their company’s security policy. This is especially important this year, when the convenience of shopping online may be very appealing to employees whose workloads have doubled or tripled because of downsizing.

The Wall Street Journal recently published an article highlighting employers’ efforts to monitor employees’ usage of company time and resources for personal e-mail exchanges, and suggesting a trend that courts seem to be more protective of employee privacy rights than in years past. The WSJ article raised a number of concerns for employers, including that of our own Jane McFetridge, a Jackson Lewis partner in our Chicago office

Employers are right to expect their employees when they are paid for their time at work are actually working.

What ever a company's policies are concerning managing or monitoring employee communications, now is as good a time as any to revisit those policies and remind employees of their existence. With the use of technology increasing and the position of the courts appearing to shift toward employees, it is becoming more difficult for employers to manage the employee use of their electronic systems. Having and communicating a clear and comprehensive electronic communications policy is critical.

 

Steps an employer can take include having acceptable-use policies, reviewing those policies with employees to educate them about the risks, and familiarizing themselves with state laws governing the monitoring of employee computer usage.  

Tags: , , , , , ,