A recent study shows that 78 percent of all employees access the Internet while at work for entertainment and personal use.
Burstek, a company that provides employee Internet management software, recently released the results of its 2005 Internet Usage Study, which analyzed the Internet activity of more than 10,000 employees.
The study showed over 19 percent of personal use involved websites that posed a potential security threat to the network, and 8 percent involved sites that posed legal liability risks for the employer.
William E. Hannum III, an employment lawyer in Andover, Mass., said employee Internet usage is an area of big concern for employers.
“There’s a simple question of productivity when employees are watching a baseball game or shopping online,” Hannum said. “But there are also pretty serious questions of liability for employers as a result of employees using the Internet to gamble or look at pornography.”
Network security also worries employers.
If a network becomes vulnerable to attack because of an employee’s Internet activity – such as picking up a virus or creating a security breach by using certain websites – there could be potential liability for the employer, Atlanta attorney John P. Hutchins said.
While employers are generally aware of the need for an Internet usage policy, the problem is multi-faceted and many companies are not prepared for all of the possible issues.
“People are not ready to deal with the multiple ways the Internet is being used now – from blogging to instant messaging to downloading pornographic material,” Hutchins explained.
But employers have to be proactive, said employment attorney Shari Claire Lewis, who practices at Rivkin Radler in Uniondale, N.Y.
“Employers must have an Internet usage policy and monitor their employees, depending both on the size of the company and their IT resources,” she said, “because absent some kind of protective legislation or case law, employers may be liable for their employees’ Internet activity.”
Rampant problem
Hutchins, a partner at Troutman Sanders, said he has counseled 25 or more employers over the past three years about employees visiting pornographic websites at work.
“It’s a rampant problem,” he said.
Hannum has also advised multiple clients about employees accessing porn, including one case involving a CFO whose computer screen faced a window.
“At a certain time of day, his screen was reflected in the window, so everyone could see his screen when they were walking by and he didn’t realize it,” Hannum recalled.
In another case, four sales representatives shared an office, each with a desk in a different corner.
“It’s hard to believe, but the only male in the room surfed porn and didn’t care what the three women thought,” he said.
In both of those instances, the employer could have been vulnerable to a sexual harassment suit, Hannum noted, with the employee’s Internet use as evidence of a hostile work environment.
Another potential source of employer liability is threatening material.
Hannum had a client approached by the Secret Service.
“It turned out that an employee was using the Internet to send threatening e-mails to the Vice President and Secretary of State,” he recalled.
And Hutchins gave the example of an employee engaged in a domestic dispute with an ex-wife who sent an e-mail threatening to beat her up.
“If something actually happened to that woman, she might have a claim that the employer should have known about it and didn’t do anything to stop it,” he said.
Employee blogs can also be a cause for concern. Employees might make statements about the company’s financial performance that could be construed as insider trading or forward-looking statements, Hutchins said.
Alternatively, employees might defame the company or its management, discuss sensitive corporate personnel issues or disclose business information such as trade secrets.
What employers can do
According to Lewis, only 30 percent of employers have Internet usage policies.
“The first thing I always tell employers is they must have an e-mail and Internet use policy in which they reserve the right to monitor their employees,” she said.
Jackson Lewis partner Brett M. Anders, who practices in Morristown, N.J., suggested employers go one step further and have employees sign a consent form acknowledging they are aware of the policy.
“Some companies install software so that every time a user goes to log on to the Internet, a warning screen appears that tells employees the company reserves the right to monitor their use, and by clicking ‘OK,’ they consent to that monitoring,” he noted.
Anders said he always advises his clients to monitor their employees’ Internet usage. “It’s always better to be proactive.”
Hannum noted there are different types of software that can block certain websites altogether, or monitor and record which websites an employee visits.
Blocking websites may not be the best idea, however, since there may be legitimate work-related reasons to visit sites deemed questionable by the software, he noted.
And monitoring software can create problems for an employer, as the reports are long and tedious to read, and, depending on the size of the company, monitoring can be incredibly time-consuming, Hannum said.
But whatever policy a company puts in place, the essential thing is enforcement.
Hutchins emphasized that if an employer discovers employees have violated a policy, disciplinary action must be taken.
A company that takes action could have a defense if it is sued, Hutchins explained. If a company can establish that it regularly monitors and routinely enforces the terms of its network policy, it will help to establish a pattern of behavior.
Where companies get into trouble is the uneven application of a policy, said Hutchins.
“An employee who was fired based on violating the policy could sue and argue that they were singled out if no one else had ever been disciplined before,” he explained.
* * *
New Jersey case worries lawyers
Already facing concerns about lost productivity and possible network security risks, employers are reeling from a recent decision by a New Jersey appellate court.
In that case, the court reversed summary judgment for an employer, holding that because the employer had notice that one of its employees was using a workplace computer to access pornography – including possibly child pornography – it had a duty to investigate and take action to stop the employee. (Doe v. XYC Corp., 887 A.2d 1156 (2005).)
Brett M. Anders, a partner at the employment firm Jackson Lewis in Morristown, N.J., said the ruling presents serious challenges for employers.
“Prior to the Doe case, if an employer monitored employees, there was some concern about accessing an employee’s personal e-mail or Internet use and invading an employee’s privacy rights,” he explained. “But now, with the potential for liability, employers will need to go further to satisfy themselves that their employees aren’t doing anything to cause harm to others.”
The decision was the first to impose a duty on employers to investigate illegal Internet usage by employees and protect third parties, said Shari Claire Lewis, an employment lawyer at Rivkin Radler in Uniondale, N.Y.
“It’s the equivalent to saying that employers need to monitor the books their employees are reading at lunch,” she said.
Charles A. Sullivan, who teaches employment law at Seton Hall University, said the decision is bad for employers – but also bad for employees.
“To the extent that employers take this decision seriously, it would require them to have and enforce appropriate use policies, and under fear of liability, check out every employee’s computer to see if there is any hint of something that might be illegal,” he said, decreasing employee privacy in the process.
While he acknowledged that the facts of the case make it an extreme example, Sullivan expressed concern that employers will begin increasingly monitoring their employees.
“My fear is that employers will feel compelled to read all employee e-mails or track their Internet history,” he said.
Duty to report
In Doe, a manager notified the employer that an employee had been visiting pornographic sites, but no action was taken. Some time later several co-workers complained that the employee was viewing pornography on his computer, but again, no action was taken. The following year, after a co-worker again complained, a manager checked the employee’s computer and discovered that he had visited various porn sites, including several that specifically spoke about children.
The employee was told to discontinue these activities, but several months later a manager saw the employee was again using his office computer to access pornographic sites.
The employee was subsequently arrested on child pornography charges, including allegations that he had transmitted nude pictures of his 10-year-old stepdaughter over his office computer to a child porn site. The employee later pled guilty to criminal charges relating to child pornography.
His wife – who divorced him – sued the employer for failing to investigate and report the employee’s viewing of child pornography.
A trial judge granted summary judgment for the defendant, but the appellate court reversed.
“[The d]efendant had a duty to report employee’s activities to the proper authorities and to take effective internal action to stop those activities…. The defendant was under a duty to exercise reasonable care to stop employee’s activities, specifically his viewing of child pornography,” the court said.
Unanswered questions
Kevin Kovacs, who represented the wife, said the parties have reached a confidential settlement in the case.
Kovacs, of Bedminster, N.J., said employment attorneys are overreacting to the decision, which limits the duty to investigate to child pornography.
But for Anders, the case leaves many unanswered questions.
“The facts of the case make it an easy decision – if you find child pornography, report the employee,” he said. But what to do in less egregious situations remains unclear.
“What if an employer finds out that an employee has been illegally downloading music and violating copyright law?” he wondered. “Does the employee have a duty to report that person to the police?”
Or what if an employee is gambling illegally, either by placing bets through a bookie or acting as a bookie and using company property to do so?
“Gambling is certainly harmful and using the company property follows the theory in Doe,” Anders said. “It’s a tough question.”
Lewis said that courts will not require employers to monitor their employees 24-7.
“But if you have 500 employees, maybe a random review of 50 would be appropriate to monitor what’s being done on the system, and what sites have been visited,” she said. “It will come down to what is reasonable for a given employer.”