A significant number of employees in the United States use company-owned computers to access the Internet for personal reasons.
With the recent controversy regarding Pentagon workers using computers to access and in some cases purchase child pornography, as well as reports that several senior employees at the Securities and Exchange Commission spent up to eight hours a day accessing online pornography, there is a renewed interest among employers in how they can regulate workplace Internet access and avoid liability for failing to prevent its more egregious misuses.
Workplace Internet access must be addressed within the framework of two competing legal interests—an employee’s right to privacy and the right of an employer to manage the workplace. Moreover, employers need to consider statutes that protect the privacy interests of employees, such as the Electronic Communications Privacy Act, while at the same time protecting their own business from claims as varied as hostile environment electronic harassment and copyright infringement.
The need for clear Internet use policies
Because of this balancing of interests, employers should have clearly spelled-out and communicated policies on Internet use that establish what a reasonable expectation of privacy is in the workplace. Prohibited uses need to be specifically articulated, including those that may appear obvious to management.
No matter the employer, an Internet-use policy must provide notice of the employer’s right to monitor and audit an employee’s use of the Internet and make clear that there is no expectation of privacy when an employee accesses the Internet through a company-owned computer issued for business purposes.
A clearly communicated policy that provides notice to employees of what is prohibited conduct can help limit an employer’s potential exposure to co-employee or third-party claims. The employer should secure signed acknowledgments of receipt of its policies from every employee and have those acknowledgments periodically renewed, especially after any updates to the policy.
Depending on the circumstances, an employer may have potential civil liability toward co-workers and third parties for the inappropriate use of a company computer by an employee. For example, a co-worker who uses a particular computer also used by an offending employee may have a hostile environment harassment claim as a result of being exposed to inappropriate content.
The 2nd U.S. Circuit Court of Appeals recognized in Petrosino v. Bell Atlantic that a phone company technician who was exposed to “crude sexual graffiti scrawled by co-workers” had a viable hostile environment claim; and in Williams v. City of Chicago, an Illinois federal judge found that a female police officer who had witnessed her male supervisor viewing pornography on his computer at his desk could sue her employer. Additionally, in various states such as California, employers have an affirmative statutory duty to take prompt corrective and remedial measures to address such conduct.
If an employer does not have an Internet-use policy that it monitors and enforces, employees may be able to claim that the employer failed to protect its workforce and created an unreasonable risk of harm by not taking proactive measures. This would especially be the case when the employer is aware of or has reasonable suspicion of inappropriate Internet use. With the rise of online social networking, an employer may also have a duty to address electronic co-worker harassment occurring in workplace-related forums.
Investigations and the role of law enforcement
The possession and/or receipt of child pornography is a criminal offense (e.g., 18 U.S.C. § 2251, also known as the Child Pornography Prevention Act and most recently as “Masha’s Law”) and is therefore a more serious issue than accessing depictions of adult sexual content. Under certain circumstances, civil liability for such activity may attach to the employer.
An internal complaint that raises specifically articulated concerns regarding an employee’s alleged use or possession of child pornography in the workplace will almost always trigger an employer’s duty to investigate. In Doe v. XYC Corp., an employer who was on notice that an employee was using a workplace computer to access pornography, and possibly child pornography, was found to have an affirmative duty to investigate and take actions to stop such activity.
Investigation of electronic misconduct should be managed carefully, and having competent IT professionals assist in the investigation is crucial. These professionals can help you take snapshots of your systems, preserve evidence and determine what traffic was received, when it was received, at what terminal and who may have had access.
Whether an employer should notify law enforcement should be determined on a case-by-case basis. Although the duty to notify has generally been limited to particular workplaces such as those dealing with the care of children, some recent case law, including Doe v. XYC Corp., suggests that employers have an affirmative duty to contact law enforcement once they are aware of misconduct involving child pornography.
Because of Fourth Amendment issues with respect to any police searches and seizures of workplace computer equipment, an Internet use policy should clearly spell out the right of the employer to consent to the search of any company-owned computer and its contents, including any files and information the employee has stored there. In U.S. v. Simons, the 4th Circuit held that a public employee did not have a legitimate expectation of privacy in his Internet use because his employer’s policy clearly stated that his employer could audit, inspect and/or monitor employees’ use of the Internet, including all file transfers, website visits, and e-mail messages, as it deemed appropriate.
Advice to employers
A well-crafted Internet use policy that is clearly communicated to a workforce and actively implemented and enforced can help shield an employer from potential liability and detect such misconduct in the first place. Certain things are essential in developing any Internet-use policy:
• Provide explicit notice that all workplace computers and employer-owned devices are subject to monitoring.
• Clearly advise employees that all electronic communications are subject to the monitoring policy.
• Explain that network and Internet use, including the use of personal passwords and personal e-mail accounts through employer-owned devices, is not considered private and that any such information is considered property of the employer and may be monitored, reviewed, and disclosed at any time without notice to the employee.
• Explain that all employees can and will be disciplined for violations of the policy or improper computer or Internet use; and warn that any illegal activity can and will be reported to law enforcement.
• Make clear that any informal policies or practices that contravene the written policy are not permitted.
Workforce Management Online, October 2010