Human Resource Professionals and Internet Law

The Legal Intelligencer July 9, 2003, Wednesday

SECTION: BUSINESS LAW; Vol. 229; No. 6; Pg. 5

HEADLINE: What Human Resource Professionals Need to Know About Internet Law

BYLINE: By Jonathan Bick

BODY:

Internet law has developed in lockstep with the Internet, and both penetrate every aspect of a human resource professional's function.

From how to handle employee data to accommodating disabled Internet users to preventing security breaches that an employee's juvenile family members might cause from a computer in the home that is also used for work purposes, numerous new legal difficulties await the unprepared human resource professional.

1. Communicating employee data over the Internet is akin to broadcasting it.

While laws vary from state to state, most states make employers liable for preventing dissemination of employee data. This means that when sending employee data via the Internet, precautions - beyond the standard precautions taken when sending e-mail - must be taken.

The Internet works by sending information from computer to computer, with each computer keeping a copy of what it has sent. For example, your computer will send data to an Internet service provider computer; that computer will make a copy and send it to a local backbone computer, which makes a copy; that computer will send it to a national backbone computer after making a copy; and so on.

Generally, employees will give employers confidential information as a condition of employment. Most states require employers to treat that information in such a way that it remains confidential.

Recommendation: Prepare, post and execute an Internet communication policy.

2. Bad privacy agreements are Federal Trade Commission violations.

Internet privacy laws are important because the FTC and state attorneys general are regularly investigating Internet privacy matters.

As a human resource professional you need to know that the connection between your company's privacy policies and privacy actions is the real Internet legal concern. Privacy difficulties arise when privacy notices say one thing and a business staff does another.

Business people need to know that bad privacy agreements are deceptive trade practices. Internet law requires consistent privacy notices and privacy operating procedures.

Recommendation: Ensure that all employees' actions mimic the company's Internet policies.

3. Internet sites must accommodate disabled Internet users.

Disabled people have as much of a right to independent access to the Internet as to shopping centers; the Internet is now deemed a public accommodation.

Recently, America Online settled a lawsuit with the National Federation of the Blind, with AOL agreeing to make its site accessible to blind people.

The Americans with Disabilities Act applies to the Internet. Blind people use a device the size of a PC printer called a screen reader, which converts Internet screens that are screen reader-enabled into Braille or reads the screen out loud.

Deep linking circumvents some methods of navigation. Such circumvention may result in claims that the site owner has violated the ADA. Web site owners should consult with an ADA attorney to prevent such claims.

An attorney aware of Internet-ADA issues will generally recommend sufficient technical content change to achieve substantial compliance. Such change might include the use of rollover icon labeling.

Recommendation: Human resource professionals should make certain that their company's Internet sites are screen readable.

4. Internet policy must be a part of the employment handbook.

Human resource professionals need to know that Internet behavior is still evolving. A company that codifies an expected standard of behavior will be legally protected from the outrageous behavior of a rogue employee.

Recommendation: Appropriate Internet behavior [such as the firm's terms of use agreement] should be placed in the employment manual and the employment handbook should be placed on a restricted section of the company's Web site.

5. Where to get e-justice.

Be aware that Internet wrongs are increasingly actionable in local courts.

Constitutional notions of substantial justice and fair play govern Internet transactions. The wrongdoer's point of presence need not determine which laws apply.

Recommendation: Ensure that the company's terms of use agreement sets a favorable jurisdiction for Internet-related legal difficulties.

6. Legal duty not to spread harassing Internet content.

Since the Internet has become mainstream by every commercial standard, it is not surprising that the Internet has been implicated in sexual harassment conduct in the workplace.

Sexual harassment is among the most prevalent [and most preventable] difficulties facing employers due to employees' misuse of the Internet. E-mail provides an ideal medium by which to harass persons in the workplace, as well as those outside the workplace. Typically, employees use the employer's Internet service provider to find obscene material and the employer's e-mail to distribute it, thereby making the company vulnerable to sexual harassment charges.

The most common charge resulting from such activity is that a hostile work environment was created, which the U.S. Supreme Court has ruled is a form of sexual discrimination. In Meritor Savings Bank v. Vinson, 477 U.S. 57 [1986], the court found that an employer may not need to have actual notice of improper conduct of an employee to be held liable for the employee's acts.

Several well-known corporations have already been the subjects of lawsuits based on claims of Internet-related sexual harassment. Typically, the employer's failure to properly control e-mail use results in a finding adverse to the employer.

Recommendation: Human resource professionals should review their company's electronic environment for evidence of harassment activity and take appropriate action upon discovering any misconduct.

7. Internet may change personnel tax liability.

Despite the Internet Tax Moratorium, Internet transactions are subject to tax. Human resource professionals need to know how and where to apply taxes for employees who work with the Internet.

Employees working on the Internet may do so in more than one jurisdiction. Having more than one work location may change tax withholding requirements and the application of work-related requirements. The remote use of the Internet should be treated like any other remote work location for tax and other work-related legislative purposes.

Recommendation: Human resource professionals should ensure that taxes are paid and local employment laws are satisfied: in places where their firm has people who can be arrested; in jurisdictions where company goods can be seized; and in locations where the company has stores that can be padlocked shut.

8. Law favors technical rather than legal protection at times.

My then-10-year-old son, Alex, had a disagreement with his mother and went upstairs to his computer. My then-8-year-old daughter, Emily, came down the stairs a while later, singing, "I am your password, I am your password."

My wife, a manager for a Fortune 30 firm, whose home office exists because of the Internet, thought nothing of it until she found out that she was locked out of her computer. Alex had used the Internet to circumvent security and changed her password to Emily [hence Emily singing "I am your password, I am your password"].

The pervasive Internet use in home offices means human resource professionals need to know that if my son were 7 years older, he'd be guilty of violating the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and the Identity Theft Act. Human resource professionals also need to know that as a parent I am not liable for his actions, due to the parental liability doctrine.

Recommendation: Seek both legal and technical solutions to Internet-related matters because children can cause harm that they do not have to pay for.

9. Lack of active Internet monitoring is a source of legal liability.

Due to its enabling technology, the Internet is a very public communications system and, consequently, lawful active monitoring of the Internet and e-mails is rampant. The legal justification for such monitoring is equally extensive.

Courts throughout the United States have offered a variety of legal justifications for active monitoring of the Internet and e-mail communications. As early as 1996, in Bohach v. City of Reno, 932 F. Supp. 1232 [D. Nev. 1996], a federal court found that by sending a communication over the Internet, the party expressly consents to the recording of the messages. The court also found that such a party has "no reasonable expectation of privacy in his e-mails."

Similarly, in United States v. Charbonneau, 979 F. Supp. 1177 [S.D. Ohio 1997], the court found that an individual did not possess an expectation of privacy for an e-mail transmitted over the Internet and such transmissions may be lawfully monitored.

Privacy expectations for Internet Web sites have been held to be similarly low. In J.S. v. Bethlehem Area School District, 757 A.2d 412 [2000], a Pennsylvania appeals court found that the trial court was correct in its determination that there could be no expectation of privacy in a Web site. Thus, Web sites may be lawfully monitored.

Some states, such as Washington, have statutes that make e-mails public records for monitoring and disclosure purposes [Wash. Rev. Code Section 42.17.020[36]]. It should be noted that though e-mails were public records within the scope of this public records act, they can be exempt from disclosure if the e-mail contains personal information of no public significance.

The legal theory of implied consent has been used to overcome state privacy act legal restrictions to Internet and e-mail monitoring in some criminal cases. [An appellant who was convicted of attempted second-degree rape of a child had contended that the trial court had erroneously admitted into evidence copies of incriminating e-mail.]

More recently, courts have found special justification for monitoring Internet use of employees. In TBG Ins. Servs. Corp. v. Superior Court, [2000 Cal. Daily Op. Service 1740 [2002]], the court of appeals of California found the trial court had erred in denying an employer's request to monitor an employee's home computer. The court reasoned that the employer's right to monitor resulted from the employee's written agreement to allow such monitoring.

Even when employees place e-mail in electronic personal folders and use passwords to block access to e-mail, the courts have found that employees do not have a reasonable expectation of privacy. In McLaren v. Microsoft, [1999 Tex. App. LEXIS 4103], the court reasoned that an employer's action of reading e-mails stored in a personal folder that was protected by a password would not be considered an invasion of privacy because its need to prevent inappropriate use of its e-mail system would outweigh any privacy interest.

Recommendation: Use active monitoring.

Employers are regularly advised by their counsel that they can diminish an individual employee's expectation of privacy by publishing in the firm's employee handbook that electronic communications are to be used solely for company business.

The handbook should also note that the company reserves the right to monitor or access all employee Internet or e-mail usage. The handbook should further emphasize that the company will keep copies of Internet or e-mail passwords and that the existence of such passwords is not an assurance of the confidentiality of the communications.

10. Respondeat superior applies to online activity.

Internet-use policies are critical to protect employers from employees' illegal Internet acts.

Using the Internet, employees can copy and distribute confidential information from their office computer, send sexually harassing or threatening messages via e-mail, obtain unauthorized access to another's computer and engage in fraudulent activities. And the recent Princeton-Yale Web-hacking scandal shows that unlawful Internet behavior by employees can adversely affect organizations that are outside traditional commerce.

Although most employees who engage in such activities are doing so contrary to their employer's interests, employers may still be responsible due to strong public policy that supports the imposition of liability on employers for an employee's wrongful actions.

As early as 1909, the Supreme Court, in New York Central v. United States, 212 U.S. 481, [1909], found that a corporation could be held criminally liable for the acts, omissions or failures of an agent acting within the scope of his or her employment because the corporation acts only through its agents or employees whose knowledge and purpose may be attributed to the corporation.

The court went on to find that since corporations are purely legal entities, they cannot actually act or intend an action. Thus, the court focused on the employees of the corporation as a means of imputing intent and guilty acts to the corporation - the doctrine of respondeat superior.

To be within the scope of employment generally means that the employee's conduct is of the kind that the employee is employed to perform and that generally occurs during the time of employment. It is also helpful if the activity in question serves, at least in part, the objectives of the employer.

Courts have limited the situations when an employer may be liable for the wrongful acts of his or her employees, generally holding that acts that are purely motivated by personal interests or that are outrageous in nature are to be considered outside the scope of employment.

But courts have been willing to amplify employer liability in situations where the employee's acts only benefit the employer. Thus, courts have found that an injury may be deemed to arise out of one's employment if its origin is in some way connected with the employment so that there is a connection between the employment and the injury. Thus, an employer may be vicariously liable when one of its employees harms another due to the opportunity offered by the job.

Alternatively, in cases where an employee's tortious conduct cannot result in any violation under respondeat superior, courts have been willing to recognize the negligent-retention theory.

The negligent-retention doctrine holds employers liable under a completely different theory of negligence when the employer negligently retains or manages the employee tortfeasor.

An employer is potentially liable under this cause of action even when the employee was not acting within the scope of employment. Negligent retention is based on the fact that an employer is responsible when that employer places an unfit person in an employment situation involving an unreasonable risk of harm to others. Alternatively, negligent retention is used when an employer fails to properly oversee the conduct of an employee subject to his or her control.

The Internet has been used in numerous unlawful activities, including larceny, embezzlement, abuse of trade secrets, fraud, libel, harassment, securities fraud, trespass and intellectual property infringement. In many situations an employer may be held liable for employees participating in these types of activities.

The legal doctrine of respondeat superior is also the basis for an employer's liability if one of its employees uses the company's technology to engage in securities fraud. An employer's liability may arise simply from an employee's use of the employer's Internet access or e-mail system to commit a securities crime.

A federal district court, in Seolas v. Bilzerian, 951 F. Supp. 978 [1997], held that the application of respondeat superior in securities fraud cases was consistent with congressional intent.

It is clear from the legislative history associated with amendments to the Securities Exchange Act of 1934 that even though Congress did not specifically identify the Internet as a form of covered communication, it is covered nevertheless. Thus, respondeat superior under the standards established by the court will not be applied any differently to an employer merely because the method that its employees use to commit fraud is the Internet.

In addition to civil liability, an employee's Internet activities may expose an employer to criminal liability. It has become increasingly common for companies to be held criminally accountable for the misdeeds of their directors, managers, supervisors and employees, particularly when a company fails to establish and enforce corporate policy.

It should be noted that the courts do not impose strict liability on employers for the actions of rogue employees. Under the doctrines of respondeat superior and negligent retention, there are elements of foreseeability and negligence.

To reduce the risk of liability, employers should take three actions. First, they should adopt appropriate Internet-use policies and procedures prohibiting illegal and wrongful Internet conduct. Second, using notices and training sessions, employers must make employees aware of the organization's Internet-use policy. Third, employers should enforce that policy by taking prompt action in the event that they become aware of illegal or wrongful activity on the part of their employees.

A properly prepared and fully implemented policy is among an employer's best defenses against liability under respondeat superior.

An appropriate Internet-use policy should be tailored to reflect the specific needs of the employer. However, most Internet policies will have common elements, including that Internet use is for business purposes only and that sexual harassment is strictly prohibited. In addition, employees should be informed that adherence to the Internet policy is a condition of employment.

Recommendation: Like an organization's sexual harassment prevention policy, the Internet policy should be in writing and be easily accessible to employees - particularly on the computer they use to access the Internet. A copy of the policy should be distributed to each employee, signed by the employee and placed in the employee's personnel file.

In short, it is important that the policy include a provision that the employee understands and agrees to follow the company's Internet policy.

To increase the likelihood that an organization's Internet policy will be able to shield the employer from liability, it must be known by the employees and enforced by the employer. To further awareness on a regular basis, as part of an employer's Internet access, employees should be notified that their Internet use is governed by the employer policy.