by: Hayes Hunt and Jonathan Cavalier
Over the past decade, many European countries have passed laws mandating that individuals and employers report criminal conduct. In the United States, however, individuals are typically not required to report criminal conduct that they have observed. Likewise, employers have no general duty to report criminal conduct by their employees. Often, this lack of an affirmative duty or any other incentive to report criminal conduct will lead an employer to simply look the other way, rather than risk disrupting workflow, losing a valuable employee, bringing negative publicity on the company or facing liability for invasion of privacy or defamation.
However, not all situations are created equally, not all crimes are treated the same, and exceptions exist that may require employers to report the criminal actions of their employees. Consider the following scenario:
Scenario: An employee uses his personally-owned iPad for work purposes. He uses the iPad for work when he travels and takes work home with him on it. The employee brings his iPad in to have the employer’s IT personnel fix a problem with his email accounts. While performing maintenance, the IT department discovers child pornography on the device. Should the employer report the employee to the authorities? Must the company report the employee and, if so, to whom?
This is perhaps one of the more difficult situations that an employer can face. Unfortunately, with the proliferation of technology and the intermingling of employer- and employee-owned technology, this situation arises more frequently than anyone would care to admit. When it does, the employer is often confronted with a problem of balancing the need (and desire) to report such an employee to the authorities with the potential exposure resulting from the employee’s potential privacy rights.
Recent changes to federal law have made the answer to this problem clear: the employer must report the employee. 18 U.S.C. § 2258A requires any provider of an “electronic communications service” or “remote computing service” to report information about the employee, including identity, email and/or IP address, or any other identifying information to the National Center for Missing and Exploited Children. An “electronic communications service” is defined by the law to include “any service which provides to users the ability to send or receive wire or electronic communications.” In other words, any business which provides its employees with email is subject to the law, and penalties for violations are harsh. Many states have passed similar laws requiring similar reports.
In addition to these reporting requirements, at least one employer has been found liable in a civil lawsuit for failing to report child pornography found on a work computer. In the New Jersey case of Doe v. XYC Corp., an employee was, among other things, visiting child pornography sites while at work and sending photos of his 10-year-old step-daughter to one of those websites. He was later arrested for his conduct. The mother of the 10-year old then sued XYC, alleging that the company knew, based on logs generated by the computer and complaints from other workers, that the employee was accessing child pornography at work. While he was reprimanded by the employer, his conduct was never investigated or reported. In reversing summary judgment in XYC’s favor, the Appellate Division of the New Jersey Superior Court held that “an employer who is on notice that one of its employees is using a workplace computer to access pornography, possibly child pornography, has a duty to investigate the employee’s activities and take prompt and effective action to stop the unauthorized activity, lest it result in harm to innocent third parties . . . No privacy interest of the employee stands in the way of this duty on the part of the employer.”
Given the gravity of the conduct involved, few employers will hesitate to report an employee found to be in possession of child pornography on employer-owed computing equipment. However, the situation can become muddied if the device in question belongs to the employee. For instance, an employee may use a personally-owned smart phone or laptop for business purposes, and may avail himself of the employer’s IT department when in need of technical support. How can an employer ensure compliance with the law without exposure to liability for invasion of privacy?
The key to avoiding this conflict is to have clear policies on the use of electronic devices in the workplace. An employer should include in its company handbook clear language notifying the employee that (a) any employer-issued equipment remains the property of the employer; (b) that the employee has no right of privacy in anything he does on that equipment; and (c) that the employer may access and search the equipment at any time and without notice. Ideally, employees will be reminded of their lack of a privacy interest each time they log on to their computers.
However, with the proliferation of personal technology, many of these policies are limited to company-owned computers and, therefore, do not go far enough. These policies should be extended to cover employee-owned technology used by the employee on the job. In short, if an employee wishes to use his personal cell phone, laptop or tablet computer for work purposes, he may do so, but he must waive any privacy right to the contents of the device and consent to searches of the device without future notice. At a minimum, employers should require consent to search and waiver of privacy for any devices used by the employee that are serviced by the employer’s IT department. At most, employers may wish to ban use of employee-owned technology on the job entirely.
Published in The Legal Intelligencer on 4/18/12.