by: Hayes Hunt and Jonathan Cavalier
However, not all situations are created equally, not all crimes are treated the same, and exceptions exist that may require employers to report the criminal actions of their employees. Consider the following scenario:
Scenario: An employee uses his personally-owned iPad for work purposes. He uses the iPad for work when he travels and takes work home with him on it. The employee brings his iPad in to have the employer’s IT personnel fix a problem with his email accounts. While performing maintenance, the IT department discovers child pornography on the device. Should the employer report the employee to the authorities? Must the company report the employee and, if so, to whom?
This is perhaps one of the more difficult situations that an employer can face. Unfortunately, with the proliferation of technology and the intermingling of employer- and employee-owned technology, this situation arises more frequently than anyone would care to admit. When it does, the employer is often confronted with a problem of balancing the need (and desire) to report such an employee to the authorities with the potential exposure resulting from the employee’s potential privacy rights.
Recent changes to federal law have made the answer to this problem clear: the employer must report the employee. 18 U.S.C. § 2258A requires any provider of an “electronic communications service” or “remote computing service” to report information about the employee, including identity, email and/or IP address, or any other identifying information to the National Center for Missing and Exploited Children. An “electronic communications service” is defined by the law to include “any service which provides to users the ability to send or receive wire or electronic communications.” In other words, any business which provides its employees with email is subject to the law, and penalties for violations are harsh. Many states have passed similar laws requiring similar reports.
Given the gravity of the conduct involved, few employers will hesitate to report an employee found to be in possession of child pornography on employer-owed computing equipment. However, the situation can become muddied if the device in question belongs to the employee. For instance, an employee may use a personally-owned smart phone or laptop for business purposes, and may avail himself of the employer’s IT department when in need of technical support. How can an employer ensure compliance with the law without exposure to liability for invasion of privacy?
However, with the proliferation of personal technology, many of these policies are limited to company-owned computers and, therefore, do not go far enough. These policies should be extended to cover employee-owned technology used by the employee on the job. In short, if an employee wishes to use his personal cell phone, laptop or tablet computer for work purposes, he may do so, but he must waive any privacy right to the contents of the device and consent to searches of the device without future notice. At a minimum, employers should require consent to search and waiver of privacy for any devices used by the employee that are serviced by the employer’s IT department. At most, employers may wish to ban use of employee-owned technology on the job entirely.
Published in The Legal Intelligencer on 4/18/12.