Troubling Legal Twist The Interplay of Unlawful Employee Internet Use and Workplace Torts

As employers continue to provide Internet and e-mail access to larger proportions of their employees, human resource managers are forced to deal with an increasing array of employee relations issues arising from worker misuse of electronic forms of communications. A recent case in New Jersey, Doe v. XYC Corp., alerts employers to a new and troubling legal concern: the application of workplace torts to illegal employee Internet use.

    These torts include negligent retention, defamation and malicious prosecution. Exposure to these workplace torts arises when an employer is faced with information that an employee may be violating the law by misusing his or her Internet access at work or engaging in other illegal workplace activities over the Internet. For example, if an employer fails to take appropriate corrective action to protect the potential victims of such usage, including reporting the employee to the police, the employer may now be subject to liability for negligently retaining the employee, according to the holding in Doe v. XYC. Conversely, if the employer accuses the employee of violating the law or reports the matter to law enforcement, it might be exposed to liability for defamation and malicious prosecution.

    This article summarizes the manner in which those legal risks can arise—and ways to avoid or minimize them.

Doe v. XYC Corp.
    New Jersey-based XYC Corp. had an Internet policy that is fairly common: It provided that employees were permitted to “access [Internet] sites which are of a business nature only.” The policy also provided that an “employee who discovers a violation of this policy shall notify [human resources]” and that an “employee who violates this policy or uses the [company’s] electronic mail or Internet systems for improper purposes shall be subject to discipline, up to and including discharge.”

    A network administrator in XYC’s IT department noticed that an employee’s computer log reports indicated visits to pornographic Web sites. The network administrator directed the employee to cease the activity but did not inform senior management. About a year later, the employee’s immediate supervisor independently noticed that the employee was visiting inappropriate Web sites and asked the network administrator for a report. The IT employee reviewed the employee’s Internet logs for two days and found that he was visiting Web sites with pornographic names including “bestiality” and “necrophilia.” The network administrator advised XYC’s director of network and PC services, who chose not to take any action, believing that company policy prohibited monitoring of Internet usage.

    In late 2000, a co-worker reported to her manager that the employee was shielding his computer monitor from view and quickly minimizing windows in a suspicious manner. The manager raised the matter with her superior, but no action was taken. In March 2001, the employee’s immediate supervisor accessed the employee’s computer, clicked on “Web sites visited” and noticed that many Web site names were pornographic in nature, including one that specifically mentioned children. The supervisor met with the employee and directed him to cease this activity. Although the employee evidently complied for a short time, within a few months he resumed his conduct. Thereafter, the employee was arrested on child pornography charges, but not because of any action taken by the company.

    The police learned that five months prior to his arrest, the employee had taken pornographic videos and photographs at home of his stepdaughter “Jill” and was transmitting the images over the Internet from his workplace computer. A search warrant of the employee’s computer also showed that the employee had downloaded and stored on his workplace computer a wide array of child pornography.

    The employee’s wife sued XYC on her own behalf and on behalf of her 10-year-old daughter, Jill. She alleged that her husband’s use of the workplace computer to access, upload and download child pornography, including pornographic pictures of Jill, and XYC’s actions and omissions, caused injury to her and her daughter.

    The lower court dismissed the case, but the New Jersey Appellate Division reversed. The court held that when an employer is on notice that one of its employees is using a workplace computer to access pornography and possibly child pornography, it not only has a duty to investigate the employee’s activities but also a duty to take prompt and effective action to stop any such unauthorized activity and to report the activity to law enforcement authorities.

    While the appellate court never mentioned the types of legal claims raised by the plaintiffs, it based its decision on “Restatement of Torts,” a body of law followed by virtually all states, as well as a 24-year-old case in New Jersey that established the tort of negligent retention. While the Doe v. XYC case has received a great deal of publicity, little notice has been taken that it is a workplace tort case.

Workplace torts implicated by Doe v. XYC Corp.
    Negligent retention. The court in Doe v. XYC Corp. focused first on the employer’s failure to properly investigate the employee’s illegal Internet usage. But merely conducting a proper investigation is not enough. An employer must then take prompt and effective action based on the information it gathers. As noted above, the New Jersey court held that if the investigation reveals that the employee is using a workplace computer to access pornography and possibly child pornography, it must take action to stop the activity and report the matter to the police. Failure to do so may expose the employer to liability for negligent retention to those who may be injured by the employee’s illegal conduct.

    As a matter of law, an employer has a duty to protect its employees, customers, clients and others from injuries caused by employees whom the employer knows, or should know, pose a risk of harm to others. In Doe v. XYC Corp., the court held that this duty required the employer to report the matter to law enforcement authorities because the viewing of child pornography “has been deemed by the state and federal lawmakers to constitute a threat to ‘others’ … being the children who are forced to engage in or are unwittingly made the subject of pornographic activities.” The court did not state that the employer had to terminate the employee if the investigation revealed that the employee had been violating the law. The court’s holding makes clear, however, that retention of the employee exposed XYC Corp. to potential liability if a jury concluded that termination would have led to a cessation of the illegal activities (or a reduction in its frequency).

    But what if the results of the investigation are inconclusive or are disputed by the employee? The answer to that question implicates two other workplace torts: defamation and malicious prosecution.

    Defamation. An employer that accuses an employee of engaging in Internet conduct that would violate a law runs the risk of a lawsuit for the tort of defamation. There are two types of defamation: libel (written) and slander (spoken). Any communication that tends to harm the reputation of another is defamatory. Accusations that an individual has engaged in criminal conduct are defamatory per se. An employer is generally liable for defamatory statements published or communicated by an employee to another person unless the statement is true or is protected by a “qualified” privilege. An employer is generally entitled to a qualified privilege if it makes a false defamatory statement about an employee but did so with a good-faith belief in the truth of the statement. The qualified privilege can be lost, however, if such a statement is made without conducting a reasonable investigation.

    Employers faced with less than conclusive information about an employee’s illegal activity can usually avoid claims for defamation by stating that the employer has information that the employee may have engaged in the suspected conduct. Employers can also state that they are conducting an investigation as to whether the employee in question has engaged in the suspected activities. But by jumping to conclusions and making statements that the employee in question engaged in illegal activity before a reasonably thorough investigation has been conducted or in the face of conflicting information about the employee’s culpability, an employer runs the risk of being sued for defamation. It also runs the risk of yet another workplace tort, malicious prosecution, if the employer reports the employee to the police.

    Malicious Prosecution. The holding in Doe v. XYC Corp. can give employers the false impression that employers are not only duty-bound to report suspected criminal activity to the police but also are protected if they do so. Under the law of malicious prosecution, however, an employer may be liable for damages to the employee if it initiates legal proceedings without probable cause. Thus, employers seeking to avoid potential liability to third parties caused by an employee’s illegal Internet activity by reporting the matter to the police may unwittingly expose themselves to lawsuits for malicious prosecution if they lack probable cause for doing so.

    Human resources managers and company officers confronted by these type of Catch-22 dilemmas may have to undertake what is sometimes called a “pick your plaintiff” analysis: Would we rather be sued by the potential victim of the employee’s suspected criminal conduct or by our own employee who we think may be violating the law?

Lessons From Doe v. XYC Corp.
    There are other ways to avoid or minimize workplace tort liability arising from illegal Internet usage by employees. First and foremost, like XYC Corp., employers should have appropriate Internet usage policies in place. Unlike XYC Corp., however, employers should also:

• Conduct training for members of management and the IT department to recognize possible illegal Internet usage and implement procedures to follow when confronted with information suggesting that a violation of the policy has occurred.
• Take prompt and effective remedial action that may include closely monitoring the employee’s future usage of the Internet, removing the employee’s access to the Internet while at work and even terminating the employee for suspected violation of company policies.
• Report the employee to law enforcement authorities in appropriate circumstances.

    All of the above should be accomplished without needlessly exposing the employer to claims for defamation and malicious prosecution.

Workforce Management Online, September 2006 — Register Now!