The United States v. Ziegler case I wrote about in a previous post brings to mind a radical employment law case decided last December in New Jersey. [Thanks to Charlie Sullivan and Timothy Glynn for bringing the case to my attention]. The case is Doe v. XYC, 887 A.2d 1156 (N.J. Super. 2005). Since I couldn’t find a version of it online, I’ve posted a copy here [link no longer available].
In Doe v. XYC, Jane Doe sued XYC Corporation on behalf of her daugher, Jill. XYC Corporation employed Jane’s husband and Jill’s stepfather (referred to in the opinion as the “Employee”). The Employee “had been secretly videotaping and photographing Jill at their home in nude and semi-nude positions. Jill was ten years old at the time.” The Employee “tramsitted three of the clandestinely-taken photos of Jill Doe over the Internet from his workplace computer to a child pron site in order to gain access to the site. Employee later acknowledged that he stored child pornogrpahy, including nude photos of Jill Doe, in his workplace computer.”
The court held that XYC Corporation could be liable:
We hold that an employer who is on notice that one of its employees is using a workplace computer to access pornography, possibly child pornography, has a duty to investigate the employee’s activities and to take prompt and effective action to stop the unauthorized activity, lest it result in harm to innocent third parties. No privacy interest of the employee stands in the way of this duty on the part of the employer.
Here’s how the court reached its conclusion. I’ll try my best to trace the steps of the court’s reasoning.
First, the court noted:
In this case, defendant had an e mail policy which stated that “all messages composed, sent or received on the e mail system are and remain the property of the [defendant]. They are not the private property of any employee.” Further, defendant reserved the “right to review, audit, access and disclose all messages created, received or sent over the e mail system as deemed necessary by and at the sole discretion of [defendant].” Concerning the internet, the policy stated that employees were permitted to “access sites, which are of a business nature only” and provided that:
Any employees who discover a violation of this policy shall notify personnel. Any employee who violates this policy or uses the electronic mail or Internet system for improper purposes shall be subject to discipline, up to and including discharge.
Second, XYC’s computer network administrator discovered that the Employee was visiting porn websites. Company officials told the Employee to stop. The Employee said he would halt this activity. Note that XYC was only on notice that the Employee was viewing porn, not child porn. Therefore, the court concluded, “[w]e impute to defendant knowledge that Employee was using his work computer to access pornography.”
Third, the court held that a jury “could conclude that an appropriate investigation . . . would have revealed the extent of Employee’s activities and, presumably, would have led to action to shut down those activities.”
Fourth, the court concluded, XYC therefore had a duty to prevent the Employee from viewing child porn on his computer “either by terminating Employee or reporting his activities to law enforcement authorities.”
Finally, XYC may be found to have violated its duty and this may have caused harm to Jill.
I find this case to be immensely problematic. It suggests that if an employer has a policy of monitoring its employees’ computer use (and countless employers do), then that employer is responsible for harm resulting from not monitoring or from not disciplining employees who are in violation of the policy. In other words, an employer that monitors to a limited degree and that doesn’t rigorously enforce its policy can be liable. This puts an incredible burden on employers, and it creates incentives to either monitor as extensively as Big Brother or have no monitoring policy at all.
I’m not an employment law expert, but I doubt many other courts will adopt such a holding — and I sure hope not.
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter