July 21, 2006
Organization: Morrison & Foerster LLP
In a case with potential national implications, a New Jersey court recently held in a case of first impression that employers have a legal obligation to investigate an employee’s activities when they know or have reason to know that the employee is using a workplace computer to access child pornography. Doe v. XYC Corporation, 382 N.J. Super. 122 (App. Div. 2005). The court also held that an employer is required to report the employee’s activities to the proper authorities and to take “effective internal action” to stop the employee’s activities. Based on the facts of the case, the court also ruled that “no privacy interest of the employee stands in the way of this duty on the part of the employer.”[fn1]
This ruling may have far-reaching implications for employers because it imposes duties on employers to: (1) ensure that their employees’ illegal work conduct does not cause injury to third parties, and (2) report an employee’s potentially illegal conduct to the proper authorities. The XYC Corporation case may be the beginning of a trend in which other courts adopt a similar analysis in situations involving serious public policy issues such as child pornography or child abuse.[fn2] The case also highlights the risk that third parties can sue employers for the criminal acts of their employees. Although the ruling in the XYC Corporation case is limited to the context of child pornography, it may be expanded in the future to impose liability on employers for their employees’ use of work computers for other criminal activities.
This Commentary will discuss the facts and ruling of the XYC Corporation case. It will also provide employers with practical suggestions for complying with the obligations imposed by the XYC Corporation case.
Factual Background of the XYC Corporation Case
The employee in XYC Corporation was an accountant for XYC Corporation (the “Employer”). The Employer was put on notice a number of times between approximately 1998 and 2001 regarding the employee’s accessing pornographic Internet sites.
The employee’s co-workers reported to management that they observed the employee suddenly minimizing his computer screen in order to hide what had been on his screen and that they were uncomfortable with the employee’s activities. As a result, in February 2001, the Director of Network and PC Services reviewed the websites that the employee had been visiting and concluded that they were pornographic. In March 2001, the employee’s direct supervisor accessed the employee’s computer to find out which websites the employee had visited. The direct supervisor discovered that the employee had visited discussion groups with graphic names and pornographic websites, including one specifically about children – “Teenflirts.org: The Original Non Nude Teen Index.”
The court noted that the Employer’s managers never opened any of the websites the employee accessed to further investigate the websites’ contents. The only actions the Employer took against the employee were in 1998 or 1999 and on March 6, 2001, when the employee was told to stop his inappropriate computer use. The employee said that he would stop. In early June 2001, the employee’s supervisor discovered that the employee started accessing pornographic websites again. However, for reasons not explained in the case, the supervisor did not tell anyone and left on a business trip. He returned after the employee’s arrest on child pornography charges on June 19, 2001.
In connection with the employee’s arrest, the Employer searched the employee’s computer on June 20, 2001. The Employer discovered e-mails that the employee sent to pornographic websites and interactions with others (outside the XYC Corporation) regarding child pornography. The computer contained a folder of seventy downloaded pornographic photographs, including those of young females.
The employee admitted to downloading over 1,000 pornographic images while working for the Employer. The employee also admitted that he stored on his work computer nude photographs of his ten-year-old stepdaughter. The employee had transmitted three of these pictures over the Internet from his work computer to gain access to a child pornography website.
The ten-year-old girl’s mother discovered the transmitted photographs of her daughter, and brought suit against the Employer, claiming that her daughter suffered severe and permanent harm because the Employer negligently failed to report the employee’s unlawful conduct to the police.
The Court’s Ruling
The court imputed knowledge to the Employer that the employee had married a woman with a young child because his stepdaughter had attended company outings and had been at the Employer’s headquarters for “Take Your Daughter To Work Day.” The court also determined that the Employer had actual or constructive notice that the employee was accessing child pornography on his work computer. Therefore, the Employer had a legal duty to act by terminating the employee and/or reporting the employee’s conduct to law enforcement authorities.
In imposing this legal duty on the Employer, the court recognized that both state and federal laws prohibit the possession or viewing of child pornography, and that public policy “favors exposure of crime.” The court also cited the federal law that requires electronic communication service providers to report suspected violations of the federal law that prohibits interstate distribution of child pornography.[fn3]
In its analysis, the court also referred to Section 317 of the Restatement (Second) of Torts, which imposes a duty on a “master” (i.e., employer) under certain circumstances to control its “servant” (i.e., employee), even when the servant is acting outside the scope of his employment, to prevent the servant from “intentionally harming others or from so conducting himself as to create an unreasonable risk of bodily harm to them.” In the XYC Corporation case, the court ruled that the Employer had knowledge that the employee was engaging in activities that posed the threat of harm to others.
The court emphasized that the Employer possessed and could have implemented software to monitor the employee’s Internet activities. In addition, the Employer maintained website log files by date and could have easily determined which websites the employee visited on any given day. The Employer also implemented and distributed to employees a policy that recognized the Employer’s right to monitor employee website activity and e-mails. The policy made it clear that e-mails were not confidential. The court also suggested that the policy’s reporting requirement was intended to trigger an investigation to determine if, according to the policy, the offending employee needed to be disciplined. The court held that the Employer failed to effectively implement the procedures set forth in its own policies, to the detriment of the employee’s stepdaughter.
The court also determined that, based in part on the Employer’s policy, the employee had no legitimate expectation of privacy that would prevent the Employer from accessing his computer to determine if he was using it to view pornography. The policy permitted the Employer to access all e-mails sent over its system “as deemed necessary by and in the sole discretion of the [Employer].” In addition, the employee’s computer was in a cubicle located on a wall that had no doors and opened into a hallway.
Finally, the court rejected the Employer’s argument that it owed no duty to the employee’s stepdaughter. The court noted that employers have a duty to prevent their employees from harming others, such as committing a crime. When an employer has knowledge that an employee is engaging in activities that pose a threat of harm to others, the employer has a “duty to report [the] [e]mployee’s activities to the proper authorities and to take effective internal action to stop those activities, whether by termination or some less drastic remedy.”
Lessons from the XYC Corporation Case
The Employer’s failure to act in XYC Corporation is unusual.[fn4] It was put on notice multiple times that the employee was accessing pornographic websites on his work computer. Given the disturbing facts and the number of times management was put on notice, it is not surprising that the court ruled that the Employer had a duty to investigate and take action. In a sexual harassment case, for example, an employer likely would be found liable if it were put on notice of the harassment a number of times but conducted only limited investigations and did not take effective action.
The unusual aspect of the XYC Corporation case is that the Employer’s failure to effectively investigate the employee’s activities resulted in liability for injuries to a third party, not just a co-worker of the employee. Another notable aspect is the court’s imposition of a duty on employers to report an employee’s conduct to law enforcement authorities in addition to taking appropriate steps to stop the harmful conduct.
The court was not clear regarding when an employer’s duty to investigate is triggered. Therefore, once an employer has any information that an employee has used a work computer to view or e-mail pornography, it should take immediate action to determine whether the employee violated a child pornography or other law and, if so, report it to the proper authorities.
The XYC Corporation case emphasizes how important it is for employers to have an effective electronic media and services policy that addresses the use of work computers, the use of the company’s e-mail system, and access to the Internet using the employer’s network systems. At a minimum, such a policy should:
- inform employees that they should have no expectation of privacy when using the company’s e-mail system or when accessing the Internet using the company’s network systems;
- put a user of the company’s electronic media and services on notice that private, non-business-related activities are done at the employees’ own risk and are subject to monitoring; and
- clearly state that a password is not an indicator of personal privacy.
Once a policy is implemented, an employer should conduct training and inform employees of monitoring and its purposes.
The XYC Corporation case demonstrates that having an electronic media and services policy is not enough. Employers must implement and enforce this policy as well. For example, when an employer suspects or becomes aware of an employee’s misuse of the Internet or e-mail system, the employer should undertake a prompt and thorough investigation. If the investigation reveals inappropriate Internet and/or e-mail use, the employer should take effective remedial action. Depending on the circumstances, this may include terminating the employee’s employment and/or reporting the employee’s conduct to the appropriate authorities.
Last, employers should conduct regular audits to ensure that their policies are in compliance with applicable law and are being followed by employees. Multi-national employers should keep in mind that many countries outside of the United States prohibit or strictly regulate employee monitoring. Such laws also typically prohibit employers from disclosing information about an employee’s use of the Internet or e-mail.
2 In fact, the California Supreme Court has held that three school districts were potentially liable to a thirteen-year-old girl who had been sexually molested by a former employee. See Randi W. v. Muroc Joint Unified School Dist., 14 Cal. 4th 1066 (1997). The former employers had unconditionally praised the former employee in their letters of recommendation, even though they knew of charges or complaints of his prior sexual misconduct with students.
3 Employers that provide an internal e-mail system to employees (as opposed to the public) are not considered “electronic communication service providers” under this law. See, e.g., Andersen Consulting LLP v. UOP, 991 F. Supp. 1041 (N.D. Ill. 2001).
4 According to a recent survey, in the past twelve months, nearly one-third of U.S. companies (31.6 percent) have terminated an employee and more than half of U.S. employers (52 percent) have disciplined an employee for violating e-mail policies. Outbound Email and Content Security in Today’s Enterprise, 2006 (commissioned by Proofpoint, Inc.).