National Law Journal
July 28, 2003
Copyright 2003 ALM Properties, Inc. All Rights Reserved.
SECTION: NEWS; Vol. 25; No. 97; Pg. P20
HEADLINE: Internet poses many issues for H.R. professionals
Human resources concerns include handling private data, maintaining security.
BYLINE: By Jonathan Bick; Jonathan Bick is of counsel to Roseland, N.J.'s Brach, Eichler, Rosenberg, Silver, Bernstein, Hammer & Gladstone and is an adjunct professor of Internet law at Pace University and Rutgers schools of law. He is also the author of 101 Things You Need To Know About Internet Law [Random House 2000].
American lawyer media news service
Internet law has developed in lockstep with the Internet, and both penetrate every aspect of a human resources professional's function. From handling employee data to accommodating disabled Internet users, to preventing security breaches that an employee's juvenile family members might cause from a computer in the home that is also used for work purposes, numerous new legal difficulties await the unprepared human resources professional. The following are some of the chief concerns.
Communicating employee data over the Internet is akin to broadcasting it. While laws vary from state to state, most states make employers liable for preventing dissemination of employee data. This means that when sending employee data via the Internet, precautions-beyond the standard precautions taken when sending e-mail-must be taken.
Generally, employees will give employers confidential information as a condition of employment. Most states require employers to treat that data in such a way that it remains confidential, and sending such data via the Internet may result in a violation of state law. Companies should prepare, post and execute an Internet communication policy.
Bad privacy agreements are Federal Trade Commission [FTC] violations. Internet privacy laws are important because the FTC and state attorneys general are regularly investigating Internet privacy matters. Human resources professionals need to know that the connection between their companies' privacy policies and privacy actions is the real Internet legal concern. Privacy difficulties arise when privacy notices say one thing and business staff does another.
Businesspeople need to know that bad privacy agreements are deceptive trade practices. Internet law requires consistent privacy notices and privacy operating procedures.
Thus, companies should ensure that all employees' actions mimic their companies' Internet policies.
Internet sites must accommodate disabled Internet users. Disabled people have as much of a right to independent access to the Internet as to shopping centers; the Internet is now deemed a public accommodation. Recently, America Online settled a lawsuit with the National Federation of the Blind, with AOL agreeing to make its site accessible to blind people. National Federation of the Blind v. America Online Inc., No. 99CV12303 [D. Mass.].
The Americans With Disabilities Act [ADA] applies to the Internet. Blind people use a device the size of a PC printer called a screen reader, which converts Internet screens that are screen-reader enabled into Braille or reads the screen out loud.
An attorney aware of Internet ADA issues will generally recommend sufficient technical content change to achieve substantial compliance. Such change might include the use of rollover icon labeling-a technology that changes a visual image to words, which can then be read by screen-reader software. Human resources professionals should make certain that their companies' Internet sites are screen-readable.
Internet wrongs are increasingly actionable in local courts. Constitutional notions of substantial justice and fair play govern Internet transactions. The wrongdoer's point of presence need not determine which laws apply. A company should thus ensure that its terms-of-use agreement sets a favorable jurisdiction for Internet-related legal difficulties.
There is a legal duty not to spread harassing Internet content. Since the Internet has become mainstream by every commercial standard, it is not surprising that the Internet has been implicated in sexual harassment conduct in the workplace.
Sexual harassment is among the most prevalent-and most preventable-difficulties facing employers due to employees' misuse of the Internet. E-mail provides an ideal medium by which to harass people at the workplace, as well as those outside the workplace. Typically, employees use the employer's Internet service provider to find obscene material and the employer's e-mail to distribute it, thereby making the company vulnerable to sexual harassment charges.
The most common charge resulting from such activity is that a hostile work environment was created, which, the U.S. Supreme Court has ruled, is a form of sexual discrimination. In Meritor Savings Bank v. Vinson, 477 U.S. 57 , the court found that an employer may not need to have actual notice of improper conduct of an employee to be held liable for the employee's acts.
Several well-known corporations have already been the subjects of lawsuits based on claims of Internet-related sexual harassment. Typically, the employer's failure to control e-mail use properly results in a finding adverse to the employer.
Human resources professionals should review their companies' electronic environment for evidence of harassment activity and take appropriate action upon discovering any misconduct.
The Internet may change personnel tax liability. Despite the Internet Tax Freedom Act of 1998, Pub. L. No. 105-277, 112 Stat. 2681-719 , Internet transactions are subject to tax. Human resources professionals need to know how, and where, to apply taxes for employees who work with the Internet.
Employees working on the Internet may do so in more than one jurisdiction. Having more than one work location may change tax withholding requirements and the application of work-related requirements. The remote use of the Internet should be treated like any other remote work location for tax and other work-related legislative purposes.
Human resources professionals should ensure that taxes are paid and local employment laws are satisfied in places where their firms have people who can be arrested, in jurisdictions where company goods can be seized, and in locations where the company has stores that can be padlocked shut.
The law favors technical, rather than legal, protection at times. The pervasive Internet use in home offices means that children may compromise the security of a network. Human resources professionals also need to know that parents are not liable for their children's actions, due to the parental liability doctrine.
Companies should seek both legal and technical solutions to Internet-related matters because children can cause harm that they do not have to pay for.
Lack of active Internet monitoring can be a source of legal liability. Due to its enabling technology, the Internet is a very public communications system and, consequently, lawful active monitoring of the Internet and e-mails is rampant. The legal justification for such monitoring is equally extensive.
Courts throughout the United States have offered a variety of legal justifications for active monitoring of the Internet and e-mail communications. As early as 1996, in Bohach v. City of Reno, 932 F. Supp. 1232 [D. Nev. 1996], a federal court found that by sending a communication over the Internet, the party expressly consents to the recording of the messages. The court also found that such a party has "no reasonable expectation of privacy in his e-mails."
Similarly, in United States v. Charbonneau, 979 F. Supp. 1177 [S.D. Ohio 1997], the court found that an individual did not possess an expectation of privacy for an e-mail transmitted over the Internet and such transmissions may be lawfully monitored.
Privacy expectations for Internet Web sites have been held to be similarly low. In J.S. v. Bethlehem Area School District, 757 A.2d 412 [Pa. Commw. Ct. 2000], a Pennsylvania appeals court found that the trial court was correct in its determination that no expectation of privacy in a Web site could be expected. Thus, Web sites may be lawfully monitored.
Some states, such as Washington, have statutes that make e-mails public records for monitoring and disclosure purposes. Wash. Rev. Code §[ 42.17.020. But while e-mails are public records within the scope of this act, they can be exempt from disclosure if they contain personal information of no public significance.
More recently, courts have found special justification for monitoring Internet use of employees. In TBG Ins. Servs. Corp. v. Superior Court, 2000 Cal. Daily Op. Serv. 1740 , the California Court of Appeal found that the trial court had erred in denying an employer's request to monitor an employee's home computer. The court reasoned that the employer's right to monitor resulted from the employee's written agreement to allow such monitoring.
Even when employees place e-mail in electronic personal folders and use passwords to block access to e-mail, the courts have found that employees do not have a reasonable expectation of privacy. In McLaren v. Microsoft, No. 05-97-00824-CV, 1999 Texas App. Lexis 4103 [Texas App. May 28, 1999], the court reasoned that an employer's action of reading e-mails stored in a personal folder that was protected by a password would not be considered an invasion of privacy because its need to prevent inappropriate use of its e-mail system would outweigh any privacy interest.
Employers are regularly advised by their counsel that they can diminish an individual employee's expectation of privacy by publishing in the firm's employee handbook that electronic communications are to be used solely for company business.
The handbook should also note that the company reserves the right to monitor or access all employee Internet or e-mail usage. The handbook should further emphasize that the company will keep copies of Internet or e-mail passwords and that the existence of such passwords is not an assurance of confidentiality of the communications.
Respondeat superior applies to online activity. Internet-use policies are critical to protect employers from employees' illegal Internet acts.
Using the Internet, employees can copy and distribute confidential information from their office computer, send sexually harassing or threatening messages via e-mail, obtain unauthorized access to another's computer and engage in fraudulent activities. And the recent Princeton-Yale Web-hacking scandal shows that unlawful Internet behavior by employees can adversely affect organizations that are outside traditional commerce.
Although most employees who engage in such activities are doing so contrary to their employer's interests, employers may still be responsible due to strong public policy that supports the imposition of liability on employers for an employee's wrongful actions.
To be within the scope of employment generally means that the employee's conduct is of the kind that the employee is employed to perform and that generally occurs during the time of employment. It is also helpful if the activity in question serves, at least in part, the objectives of the employer. Courts have limited the situations when an employer may be liable for the wrongful acts of his or her employees, generally holding that acts that are purely motivated by personal interests or that are outrageous in nature are to be considered outside the scope of employment.
But courts have been willing to amplify employer liability in situations in which the employee's acts only benefit the employer. Thus, courts have found that an injury may be deemed to arise out of one's employment if its origin is in some way connected with the employment so that there is a connection between the employment and the injury. Thus, an employer may be vicariously liable when one of its employees harms another through the opportunity offered by the job.
A federal district court, in Seolas v. Bilzerian, 951 F. Supp. 978 , held that the application of respondeat superior in securities fraud cases was consistent with congressional intent.
Alternatively, in cases where an employee's tortious conduct cannot result in any violation under respondeat superior, courts have been willing to recognize the negligent-retention theory. The negligent-retention doctrine holds employers liable under a completely different theory of negligence when the employer negligently retains or manages the employee tortfeasor.
An employer is potentially liable under this cause of action even when the employee was not acting within the scope of employment. Negligent retention is based on the fact that an employer is responsible when that employer places an unfit person in an employment situation involving an unreasonable risk of harm to others. Alternatively, negligent retention is used when an employer fails to oversee properly the conduct of an employee subject to his or her control.
In addition to civil liability, an employee's Internet activities may expose an employer to criminal liability. It has become increasingly common for companies to be held criminally accountable for the misdeeds of their directors, managers, supervisors and employees, particularly when a company fails to establish and enforce corporate policy.
It should be noted that the courts do not impose strict liability on employers for the actions of rogue employees. Under the doctrine of respondeat superior and negligent retention, there are elements of foreseeability and negligence.
To reduce the risk of liability, employers should take three actions. First, they should adopt appropriate Internet-use policies and procedures prohibiting illegal and wrongful Internet conduct. Second, using notices and training sessions, employers must make employees aware of the organization's Internet-use policy. Third, employers should enforce that policy by taking prompt action in the event of their becoming aware of illegal or wrongful activity on the part of their employees.
A properly prepared and fully implemented policy is among an employer's best defenses against liability under respondeat superior. An appropriate Internet-use policy should be tailored to reflect the specific needs of the employer. However, most Internet policies will have common elements, including the stipulation that Internet use is for business purposes only and that sexual harassment is strictly prohibited. In addition, employees should be informed that adherence to the Internet policy is a condition of employment.
Like an organization's sexual harassment policy, the Internet policy should be in writing and be easily accessible to employees-particularly on the computer they use to access the Internet. A copy of the policy should be distributed to each employee, signed by the employee and placed in the employee's personnel file.
In short, it is important that the policy include a provision that
the employee understands and agrees to follow the company's Internet