Close

Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

New IT Risk: Not Monitoring Computer Use

Martinek Paul J. | August 8, 2006

Most savvy corporations already have strict policies about what employees can and cannot do at their workplace computers, but the stakes for not enforcing those policies and properly investigating misuse are rising.

In one recent case from New Jersey, a company was sued by the victim of child pornography that a worker had on his work computer. A judge initially threw out the suit, but an appeals court reinstated it—holding in a groundbreaking decision that an employer may have a duty to prevent a crime from being committed against a third party.

Seth Borden, an employment lawyer with Kreitzman Mortensen & Borden, tells Compliance Week that the New Jersey case “provides somewhat of a blueprint. It’s almost a cautionary tale for employers … If you determine that you have an employee using an employer’s network or email for inappropriate or unlawful purposes, you need to immediately and effectively take corrective action.”


Lewis

Thomas Lewis, a litigator with Stark & Stark, says that while situations where employees are downloading kiddie porn at work are presumably rare, the theory of liability in the New Jersey case has broader implications.

“Assume someone is running a [side] business out of his basement. He gets into the office and starts responding to emails about that business—emails that have nothing to do with the employer. If the employer knows or has reason to know that the employee is transacting business from a company computer, does that potentially put the company on the hook?” Lewis asks.

Eric Welter, an employment lawyer in Herndon, Va., notes that employers typically have not been held liable for this type of personal conduct and that the rules about what they should (or must) do also may not be clear. “The tricky thing for employers is that they’re not always on notice of what exactly is going on. And, when they are, how far do they have to go to investigate something?” he asks.

Warning Signs Ignored?

The New Jersey case, known as Doe v. XYC Corp. to protect the identity of the minor, involved an accountant who worked in a small cubicle. In 1998 and 1999, someone in the IT department noticed that the employee had been visiting pornographic websites. The employee was told to stop, but the company conducted only a limited investigation and supervisors weren’t notified.

In 2000, a co-worker allegedly told her manager that the employee was acting strangely by shielding his computer screen so that others could not see what he was doing. An investigation again revealed that the employee was visiting pornographic sites. The employee was warned about his activities and the conduct appeared to stop for several months. But, in early June 2001, the employee’s supervisor noted that the activity seemed to have started again.

On June 21, 2001, the employee was arrested on child pornography charges, six days after transmitting photos of a young girl from his work computer. A subsequent investigation found considerable child pornography stored on the machine.

BY THE NUMBERS


A recent survey by the American Management Association shows that more companies are starting to crack down on workers who engage in non-work-related activities at the office.


Nearly all companies in the survey had policies in place regarding personal use of email (84 percent) and Internet (81 percent), with a growing number of companies also targeting use of personal instant messages (42 percent), operation of personal websites on company time (34 percent), and operation of personal blogs while at the office (20 percent).


And, according to the AMA survey, companies are letting their employees know that they’re serious about enforcing such policies. Fully 26 percent reported that they had fired a worker for misusing the Internet, with another 25 percent saying they’d done the same for someone using email inappropriately. And 6 percent said that they’d terminated someone for misusing company phones.


Manny Avramidis, an AMA spokesman, says that the issue usually isn’t failure to have a policy (most companies do) but failure to make it known and to ensure it is obeyed. “It’s the employer’s responsibility to make sure that the employee knows what’s expected,” says Avramidis, who notes that younger employees can be a particular challenge.


“The older generation, if you will, the only blur they have with their personal and work time would be the number of hours they work,” he says. “With the newer generation, they feel that at any time it’s OK to do their own thing. They simply don’t understand why they can’t go online to purchase something. They’re so used to technology at their disposal all the time.”


Although larger companies have long used many tools to monitor employees, smaller companies are catching up, Avramidis notes. “The mid- to smaller-size firms are seeing this becoming less and less expensive to do this stuff, and they are starting to do this as well.”

—Paul J. Martinek


The girl’s mother sued the company, which had a policy giving it the right to monitor employees’ computer activities. The suit claimed that the company was negligent because it could easily have found the child pornography if it had done an appropriate investigation, and should have reported the criminal activity to authorities.

A trial judge rejected the suit, finding that the company had no duty to investigate the private communications of its employees. But an appellate court reversed, saying the evidence supported the idea that the company “had knowledge that the employee was engaging in activities that posed the threat of harm to others.”

‘Creating Shockwaves’



Sattiraju

What’s significant about the case, according to Ravi Sattiraju of the law firm Reed Smith, is that the court “said the employer owed a duty to a third party … They’ve broadened the foreseeability in terms of who could [potentially sue]. That’s something employers should be concerned about if this reasoning is adopted and expanded.”

The “chilling” message for employers, Lewis says, “is to always be aware of what employees are doing with their computers. You cannot keep your eyes closed and hope that nothing bad happens. If something bad does happen, even if has nothing to do with the office, the company could be on the hook.”

Patricia Graham, a lawyer with Herrick, Feinstein, says that the New Jersey ruling suggests that employers must be as aggressive in investigating other areas of misconduct as they are when they become aware of sexual harassment allegations. “Sex harassment is an area where companies know they have an obligation to be monitoring what their employees are doing—but it’s not just sexually based issues they have to be aware of,” she says. “It’s not so much that an employer has to be Big Brother monitoring everything all the time. But, when the employer has notice and does nothing, that’s a problem. The employer may have a duty to investigate and fix the problem if it really is a problem.”

Borden says the part of the New Jersey decision that is “creating shockwaves among employers” involves the responsibility companies may have to drop a dime to police under some circumstances. “If [a work computer] is being used for unlawful purposes, beyond just inappropriate uses, the company’s duty to take prompt and effective action [may include] a duty to report to the appropriate authorities,” he says.


Meer

Jon Meer, a partner with DLA Piper Rudnick, notes that because of liability issues, as well as concerns about productivity and loss of trade secrets, some companies today even limit employee use of their own cell phones, laptops and other equipment in the workplace.

“Many companies say if employees are going to bring personal cell phones into the office, they might be subject to having to produce records of the calls that were made and the calls that were received,” Meer says. The message to employers from the New Jersey case, he explains, “is that companies should have a written policy in place in which employees acknowledge that the company can monitor use of the computer, voicemail and any electronic device brought into the workplace—cell phones, text messages, pagers—even if there would never be an argument that somebody outside the workplace would have been harmed.”


Grey

Companies need to be vigilant in this area because they can expect the law to “continue to expand in favor of employees,” says Veronica Gray, a partner with Nossaman Guthner Knox & Elliott. But she adds that “a lot of this is common sense … I would tell companies to do the right thing, to be fair. It’s a question of people finding the time and taking the time to do it. You need to come up with the policies and procedures, disseminate them, and enforce them.”