In one of the first cases to deal with the viewing of child pornography at work, a New Jersey Court ruled that a company could be liable for damages suffered by innocent third parties. This case, Doe v. XYC Corp., (N.J. Super. Ct. Dec. 27, 2005), could provide the basis for a new area of employment litigation that would hold Employers responsible for the damages to victims of crimes committed by employees while using the Employer’s electronic resources. At a minimum, the case provides an important reminder that an Employer who is put on notice that its employees are utilizing the Employer’s electronic resources for nonbusiness purposes should take steps to ensure that the use does not include accessing pornography, or worse.

This case arose in 1999, when XYC Corporation’s IT department was reviewing computer log reports and noticed that the employee repeatedly had accessed child pornography websites from his company computer in violation of company policy. Without checking the content of the web pages or notifying the employee's supervisor, the IT department merely instructed the employee to stop viewing pornographic websites.

In early 2000, the employee's manager, concerned that the employee was viewing pornography at work, asked the IT Department to track the employee's Internet usage. The IT Department again, without viewing the content of the web pages, confirmed that the employee was still visiting pornographic websites and again directly admonished the employee for violating company policy.

In December 2000, a female co-worker complained that the employee was acting suspiciously around his computer. Specifically, she complained the employee was shielding his computer screen and quickly minimizing the screen when she walked by. These complaints were relayed to upper management, however no action was taken. A few months later the employee’s manager accessed his computer and clicked on the "websites visited" page. The manager confirmed the employee was visiting pornographic websites (based on the names of the web pages), but did not open any of the pages. The manager instructed the employee to stop visiting inappropriate websites.

In June 2001, the employee was arrested for possession of child pornography. The employee admitted to downloading over 1,000 pornographic images while at work. In addition, it was later discovered that the employee had taken nude and semi-nude photographs of his 10-year old step daughter and uploaded them to a child pornography website. The child's mother filed the lawsuit against the Employer, alleging it knew or should have known the employee was using the company's computer to view and transmit child pornography and that it should have taken appropriate action to stop such conduct, including reporting it to the authorities.

The court found that XYC, "through its supervisory/management personnel, was on notice that the employee was viewing pornography on his computer and, indeed, that this included child pornography." Since possession of child pornography is a felony, the court ruled XYC had a duty to investigate further, to report the employee's activities to the appropriate law enforcement authorities, and to take effective internal action to stop those activities.

The court rejected XYC's assertion that its respect for the employee's privacy rights justified its failure to investigate further. The court relied heavily on XYC's electronic resources policy, which stated that all e-mail created using the company's computer system were XYC's property, that they were not private, and that XYC reserved the right to review, audit and access the e-mail. The court also noted that the policy restricted Internet access to business purposes only and required employees to report improper uses of the Internet to the personnel department. Further, the court found that the employee had no privacy interest in his e-mail and Internet activity because his cubicle did not have a door and was openly visible from a hallway.

The court rejected XYC's argument that the company could not be held responsible for the employee's viewing of child pornography because that conduct was outside the scope of his employment. The court invoked the rule that an Employer can be held responsible for damages caused by an employee's criminal conduct when the employee engages in the conduct on the Employer's premises while using the Employer's equipment, and the Employer has the ability to control the conduct and knows or should know that there is a reason for exercising such control.

Only after the employee was arrested on child pornography charges did the Employer terminate him. Much too little, much too late, ruled the court, especially considering the following facts.

The employee’s supervisor and the IT director were aware that the employee used a company computer to visit sexually explicit websites. Even co-workers complained about the employee's improper computer use.

An investigation into these complaints uncovered that he visited child porn sites. The company told him to stop, but he didn't. He eventually downloaded more than 1,000 pornographic images on his work computer, and sent three nude or semi-nude photos of his 10-year-old stepdaughter to a child porn site from his work computer.

The company's Internet usage policy explicitly stated that employees were permitted to "access sites which are of a business nature only," and reserved the right to inspect computers. Curiously, a top IT executive warned a supervisor against monitoring the employee's computer use, believing company policy prohibited such monitoring.

When an Employer has actual or imputed knowledge that an employee is engaging in illegal activity on his/her work computer, the company has a duty to act, either by terminating the employee and/or reporting his/her activities to law enforcement authorities.

Read broadly, the court’s decision could hold Employers responsible for damages arising from the criminal conduct of their employees.

While this case does not expressly impose on Employers a duty to monitor employees' e-mail and Internet traffic, it suggests Employers who monitor e-mail and Internet use must review, and when necessary act upon information obtained through the monitoring program. In the XYC case, the court determined that it was reasonable to impose a duty on XYC to investigate further and stop the employee's activities based in part on the company's possession of monitoring software that was capable of tracking the employee's e-mail and Internet use. Similarly, the court criticized XYC for not checking websites visited when the URLs stored in computer logs and the browser's memory suggested they were pornographic and when co-workers complained. Employers cannot defend against a negligence claim similar to that asserted in the XYC case by arguing that they could not have uncovered unlawful activity because they do not actively use their monitoring capabilities.

For any questions regarding Internet Use at Work, please contact Jack Lipovac of HR-OneSource’s at 515-221-1718.