MONITORING EMPLOYEE INTERNET USE

New Jersey Law Journal     Volume 191, No. 8  February 25, 2008

MONITORING EMPLOYEE INTERNET USE  -- THE USE OF TECHNOLOGY HELPS TO MINIMIZE EMPLOYEE INTERNET BAD ACTS, AND EMPLOYER LIABILITY

JONATHAN BICK - Bick is of counsel to WolfBlock Brach Eichler of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law [Random House 2000].

As employee Internet use swells, the employers' obligation to scrutinize employee e-conduct has also increased. Doe v. XYC Corp., 382 N.J. Super. 122 (App. Div. 2005), expanded employers' Internet duties to include taking affirmative action if the employee's Internet use imperils a third person. To avoid tort liability, Doe. requires employers to investigate Internet misconduct reports, discipline employees' Internet bad acts and report dangerous employee Internet acts to proper authorities.

Previously, employers were found liable when their employee-operated Internet assets were used to download infringing Internet content, to send racial discrimination e-mail or to post sexual harassment messages on an electronic bulletin board. Employee bad acts on the Internet have resulted in claims for defamation, misappropriation of trade secrets, hacking and violation of securities laws. Such liability can be ameliorated through the implementation of technology, such as Internet transaction monitoring software, timely legal notices and specific management procedures.

Employer liability for an employee's use of e-mail was at issue in Blakey v. Continental Airlines, 164 N.J. 38 (2000). This case involved a pilot's claims for sexual harassment and defamation stemming, in part, from a co-employee's postings on an electronic bulletin board provided by Continental's chosen Internet Service Provider. The Court found the company liable for the employee's use of the electronic bulletin board, but in the context of a Title VII sexual harassment suit, the Court found that that employers do not have a duty to monitor employees' mail.

It should be noted that the Blakey court held that the electronic bulletin board, although not part of the physical workplace of the employer, was so closely related to the workplace environment that harassment on the forum should be regarded as part of the workplace. Additionally, the court found that employers have a duty to take effective measures to stop co-employee harassment when the employer knows or has reason to know that such harassment is part of a pattern of harassment that is taking place via Internet access related to the workplace.

The Doe court held that an employer with notice of an employee viewing child pornography via the Internet has a duty to investigate and act to avoid third-party injury. This finding is consistent with other courts' findings that a duty to act to prevent injury by another to a third party requires a special relationship with a victim or with an aggressor. In Haybeck v. Prodigy Services, 944 F. Supp. 326 (S.D.N.Y. 1996), for example, an employer was sued for negligence, carelessness, recklessness and gross negligence for an employee's online network use. While the Prodigy court held for the employer, it recognized the potential for employer liability. In has been argued that had the Doe court's rationale been applied to the facts of the Prodigy case, the court could have found that the employee's acts were not only within the scope of his employment but that they were also foreseeable. In that case, the ruling would not have favored the employer.

Two legal theories support the Doe court's findings. In particular, the theory of respondeat superior and the theory of liability based on negligent retention or supervision, which may allow a plaintiff to bring an action against an employer. Generally, even when the courts have been unwilling to expand the boundaries of those situations where the employer is found liable under the theory of respondeat superior, they have held the employer accountable under a negligence retention or supervision doctrine. The negligent retention theory offers plaintiffs an alternative cause of action to allege employer liability.

With the exception of Minnesota, Vermont and Rhode Island --; states that have statutes providing for fines for failure to provide aid --; a party has no duty to control the conduct of another person absent a special relationship. The special relationship prerequisite for liability applies coast to coast, as illustrated by Tarasoff v. Regents of University of California, 551 P.2d 334 (Cal. 1976), which found that one person owed no duty to control the conduct of another and D'Amico v. Christie, 518 N.E.2d 896 (N.Y. 1987), which found that a defendant generally has no duty to control the conduct of third persons so as to prevent them from harming others.

Two cases laid the foundation for the Doe court findings. First, Mandy v. Minnesota Min. and Mfg., 940 F. Supp. 1463 (1996), found that an employer's duty is limited to averting an employee from inflicting personal injury upon a third person. Second, in New York v. Ferber, 458 U.S. 758 (1982), a bookstore proprietor was convicted under a New York statute prohibiting persons from knowingly promoting a sexual performance by a child under the age of 16 by distributing material which depicted such a performance. The Court found that the use of children as subjects of pornographic materials is harmful per se, thus, physical harm need not be proved.

The Doe court found that a special relationship exists between an employer and an employee who is using the employer's Internet assets. In particular, the court determined that an employer has a duty to monitor employee Internet asset use to prevent employees from causing harm to third parties. This finding is consistent with prior rulings that employers have a duty to police company assets when suspicion of wrongdoing arises.

Section 317 of the Restatement (Second) of Torts imposes a duty on an employer under certain circumstances to control its employee, even when the servant is acting outside the scope of his employment, to prevent the employee from intentionally harming others. The use by an employee of an employer's asset is such a circumstance when it is deemed the employer can reasonably control or supervise the use of said asset. The Doe court ruled that the employer had information that the employee was engaging in potentially harmful activities with the help of employer's Internet asset.

While an employer may have a duty to diminish harm associated with an employee's bad Internet acts, said duty is not all encompassing. Numerous employee-instigated discrimination and sexual harassment cases where harm is de minimus have resulting in limited employer liability. However, negligent supervision, the failure of the employer to exercise ordinary care in supervising the employment, have resulted in significant employer liability.

With respect to employee Internet bad acts, courts regularly recognize that an employer can implement software to control and monitor Internet assets. In addition, courts habitually point out that even without the aid of specialized Internet monitoring software an employer can easily determined which Web sites the employee visited and what Internet transactions an employee was engaged in on any given day.

To avoid collateral privacy suits, most employers also implement and distribute to employees a policy that recognizes the employer's right to monitor employee Web site activity and e-mails. Such a policy makes it clear that e-mails, Internet site visits and other Internet records are not confidential.

The use of technology helps to minimize employee Internet bad acts. Typically, firms employ Internet transaction monitoring software that allows them to control access to a large scope of Web sites, and limit or eliminate Internet communications that contain pornography, hate literature and anything else a firm considers inappropriate. Internet monitoring software normally have the following features: record Web site activity, record chats and Instant messaging; log keystrokes; record email both sent and received; record e-mail attachments and take screenshots automatically of each transaction when an 'important' word appear anywhere in the transaction.

Internet transaction monitoring software is widely available via Internet software download, and with a starting price of less than $100 for a network system, affordable. The only shortcoming of a low-cost system is that it has no mechanism for blocking peer-to-peer (P2P) applications. With the growth of illegal music downloading and movie piracy that takes place on P2P networks, larger firms tend to invest in more expensive Internet transaction monitoring software.

The Doe case has two important repercussions for employers. First, once an employer has a policy or practice of monitoring e-mail communications and suspects pornography, it has a corresponding legal duty to investigate. Second, workplace Internet transactions may cause physical harm to third parties.

It is not clear when an employer's duty to investigate is triggered. Therefore, once an employer has any information that an employee has used a work computer to view or e-mail pornography, it should take immediate action to determine whether the employee violated child pornography or other laws, if so, report it to proper authorities.

The Doe case emphasizes how important it is for employers to have an effective electronic media and services policy that addresses the use of work Internet assets. At a minimum, such a policy should inform employees that they should have no expectation of privacy when using the company's e-mail system or when accessing the Internet using the company's network systems and put a user of the company's Internet assets on notice that non-business-related activities are subject to monitoring.

However, an Internet asset policy is not enough. Employers must implement and enforce this policy as well. For example, when an employer suspects an employee's misuse of Internet assets, the employer should undertake a prompt and thorough investigation. If the investigation reveals inappropriate Internet asset use, the employer should take timely remedial action. Depending on the circumstances, this may include terminating the employee's employment and/or reporting the employee's conduct to the appropriate authorities.

Employers should conduct regular audits to ensure that their policies are in compliance with applicable law and are being followed by employees. Multi-national employers should keep in mind that many countries outside of the United States prohibit or strictly regulate employee monitoring. Such laws also typically prohibit employers from disclosing information about an employee's use of the Internet or e-mail.

Additionally, employers should adopt, implement and enforce an Internet asset use policy. To limit employee right to privacy claims, the policy language should notify employees that their e-mail messages and Internet activity may be monitored. To minimize unjust outcomes, the policy should include specific restrictions pertaining to the content of electronic messages, prohibiting messages that are defamatory, profane, obscene, tortious, offensive or otherwise unlawful and prohibiting employees from distributing copyrighted material or company trade secrets and confidential information. To ensure proper implementation, the policy should establish and enforce a procedure for e-mail retention and system security, including the need for employees to protect their passwords and use security measures.

The Internet asset policy should contain several other elements including procedures that encourage early reporting by employees of offensive practices and the implementation of internal procedures to effectuate a prompt, fair investigation of employee complaints involving the use of Internet; the regular use of Internet transaction monitoring program; and the implementation of an employee Internet bad acts reporting and follow-up action policy.