Posts Tagged ‘employee investigations’
Among the cyber-crime victims coming forward is a law firm that filed suit against the Chinese government (Click here for the full story from Wired’s Threat Level). In fact, the Wired article notes that “If you’re a law firm and you’re doing business in places like China, it’s so probable you’re compromised and it’s very probable there’s not much you can do about it.” The types of threats that such law firms and other companies face are called Advanced Persistent Threats (APT). An APT attack is distinctive in that they are rarely detected by antivirus and intrusion programs. Further, these attacks are espionage focused. In other words, APT hackers attempt to take business intelligence, e.g., files, e-mails, etc., rather than financial or customer data, which serves as a precursor for identity theft. For an in depth, yet very readable discussion about APT attacks, click here (also a Dark Reading post).
Equally dangerous as APT hackers or other cyber-criminals is the current or former rogue employee. For example, a federal grand jury recently indicted a former employee of the Transportation Security Administration (TSA) for trying to corrupt a database of terrorism suspects in an inside job that many within the information security industry say is a stark reminder of how important it is to track insider access to sensitive data stores. (click here for the full story originally posted at Dark Reading. ).
The preceding FBI report and stories illustrate that business organizations should assume that an attempt will be made to compromise their IT infrastructure. I’ve talked with various IT security professionals about what are the appropriate steps to prevent APT or other cyber-attacks. Unfortunately, the general and unsatisfying response has been to the effect of if someone wants in bad enough and has the resources, they will get into your network. The sophistication and resources of some of the high-profile of cyber-victims (Google, Marathon Oil, ExxonMobil, and ConocoPhillips, to name a few), would seem to confirm this conclusion.
And many remedies available to business organizations are only available after the fact (Click here for prior post discussing theft of business assets and Computer Fraud and Abuse Act). But when it comes to discharging employees, low-tech and common sense go a long way in preventing near disasters like that allegedly committed by the former TSA employee: Make sure your termination process first removes all access to sensitive information, databases, e-mail, etc., and then terminate the individual – not the other way around. Such steps are especially important when the employee has administrative rights to the IT infrastructure.
Employer Liability for Employee’s Internet Misconduct – Or When Surfing the Web can Wipe out your Business.
Generally, the Internet is a tremendous asset in the workplace, except when it is a liability. And liability generally involves employee misconduct. A common example of such liability was recently reported on by the Wall Street Journal (click here for the story). This story discusses repeat instances of employees (in this case U.S. government employees at the Securities and Exchange Commission) accessing Internet pornography. The WSJ’s story notes that one regional supervisor for the SEC had made more than 1,800 attempts to look up pornography in a 17-day span (if you’re doing the math, that is 105.88 times a day!).
Unfortunately, holding employers liable for damages arising out of Internet misconduct by employees is not a novel concept. Common scenarios where employers may be exposed to liability include tort, contract, copyright, and for crimes arising out of an employee’s misuse of a workplace computer.
For example, a case dealing with viewing child pornography resulted in the New Jersey Appellate Division ruling that the company could be liable for damages suffered by innocent third parties where the company failed to investigate reports that an employee was viewing child pornography online at work. Doe v. XYC Corp., (2005). In that case, the Court ruled that when an employer has actual or imputed knowledge that an employee is viewing child porn on a company computer the employer has a duty to act, either by terminating the employee or reporting such activities to law enforcement authorities. In regard to such knowledge, the court noted the following facts.
- The employee’s immediate supervisor, a manager, and the director of network and PC services were all aware of the suspicion that the employee used a company computer to visit sexually explicit websites.
- Co-workers complained about the employee’s computer habits.
- An investigation into these complaints uncovered that he visited child porn sites. The company’s response was to tell the employee to stop. The employee did not and he eventually downloaded more than 1,000 pornographic images on his work computer. He also sent three nude or semi-nude photos of his 10-year-old stepdaughter to a child porn site from his work computer.
It is also worth noting that the employer actually had an Internet usage policy in place (a must for every company) that provided employees were only permitted to “access sites, which are of a business nature only,” and reserved the right to inspect computers. But having such a policy in place does no good if it is not enforced. In this regard, a high-ranking IT executive warned a supervisor against monitoring the employee’s computer use, as it was the IT exec’s belief that the company policy prohibited such monitoring.
The other common scenarios where employers may find themselves exposed to Internet misconduct include:
- Intentional and negligent infliction of emotional distress – In Delfino v. Agilent Technologies, Inc., an employer was not liable under a negligent supervision theory to threat recipients who claimed infliction of emotional distress. This distress arose out of an employee who transmitted Internet threats using employer’s computer system. The court noted that the employer owed the recipients no duty in absence of business relationship or close connection with recipients’ injuries, and employer did not breach any duty as it was unaware of employee’s conduct.
- Harassment / Hostile Work Environment – Even though employers do not have a duty to monitor the private communications of their employees for comments which harass co-employees, employers do have a duty to take effective measures to stop co-employee harassment when the employer knows or has reason to know that the harassment is part of a pattern of harassment that is taking place in the workplace and in settings that are related to the workplace. Effective remedial steps reflecting a lack of tolerance for the harassment will be relevant to an employer’s affirmative defense that its actions absolve it from all liability. For example, in 2007 case, Avery v. Idleaire Technologies Corp., the Court of Appeals allowed a plaintiff’s hostile work environment claim case to go to a jury (it reversed a trial court’s order dismissing the case). In doing so, the Court noted that a jury “could find it to be objectively offensive for an employer to permit employees to use a company computer terminal on company time to actively seek pornographic material, whether for sexual gratification, entertainment, or in the words of one of the plaintiff’s co-workers, simply out of boredom, and for the evidence of this activity (pop-up adds, printouts, internet history, etc.), to be left for the plaintiff and other employees to see.” Similarly, in Gallagher v. C.H. Robinson Worldwide, Inc., (6th Cir. 2009) the decision to dismiss a sexual harassment claim by the trial court was reversed. The court noted that Plaintiff testified that co-workers used Internet to view sexually explicit pictures on their computers, along with other conduct compared to a “guy’s locker room” (I don’t know about you, but I didn’t want to spend any more time than I had to in the locker room).
- Defamation, libel and slander – In Gavrilovic v. Worldwide Language Resources, Inc., the Court held that a coworker’s e-mail statement that an employee of a military contractor was the military base “F*ck toy” was false and defamatory, as required for the employee to recover from the contractor for defamation.
- Copyright infringement – Employers also may be needlessly exposed to lawsuits for copyright violations if they permit (or ignore the fact that) employees to receive or download software or other materials, e.g., music, video, and graphics files. See Varilease Tech. Group, Inc. v. Michigan Mut. Ins. Co. ((Mich. Ct. App. 2004), which concerned a suit against an employer alleging its employees copied and retained copyrighted product support manuals and diagnostic software, used the materials in their contracts to perform service and maintenance for their clients, and distributed the materials to subcontractors.
It is also worth noting that, in limited circumstances, there may be an upside for employee Internet misconduct. For example, a former employee’s acts of transmitting sexual images via employer’s internet and email applications was a deliberate violation of employer’s computer usage policy, and accordingly, his actions constituted misconduct connected with his work, and thus, claimant was disqualified from unemployment benefits; Ernst v. Sumner Group, Inc., 264 S.W.3d 669, Unempl. Ins. Rep.(2008).
The Take Aways: Monitoring Is A Must
While claims against employers for employee Internet misconduct may ultimately fail to impose liability, the exposure is still there. And the preceding cases underscore the importance of monitoring employee Internet browsing to minimize that liability. Here are some suggestions to consider when it comes to monitoring employee’s Internet usage:
- Create a policy that spells out what types of sites are off-limits. Also explain that the company has the right to monitor employee usage of company computers to confirm compliance with the policy and, therefore, employees should have no expectation of privacy when it comes to any of the company’s electronic equipment. Make sure employees also understand that violating the policy may result in discipline.
- Communicate the policy. It is also important for IT to understand that monitoring is permitted and under what circumstances.
- Highlight to employees the negative effects misuse of the Internet may have on the company (e.g., liability for sexual harassment).
- If you believe an employee is violating your Internet usage policy, make sure you properly preserve the evidence, e.g., Web activity, the employee’s PC or laptop.
- If a violation occurs, assess whether law enforcement officials should be contacted, (child porn).
Feel free to shoot me your thoughts or comments about this post. And if you have story that tops the SEC supervisor’s 17 day porn rampage, I would be interested in hearing about it, but I don’t need to see the proof.
The plaintiff, Kevin Sporer contended that his former employer, United Air Lines invaded his privacy by viewing a pornographic video attached to an e-mail that Sporer sent from his work account to his personal account. Sporer also contended that United wrongfully terminated his employment. Sporer was a supervisor at the time of the discharge.
Sporer received an e-mail entitled “Amazing oral talent!!!!!!!!!!” on his work e-mail account from a friend. Sporer then sent this e-mail from his work computer, over United’s server, to his personal e-mail account. The trial court noted that the e-mail “contained a pornographic movie of a woman orally copulating a man in various acrobatic positions.” (Imagine if you were the judge explaining to your significant other: “Honestly, honey, I have to watch this for work.”).
A few minutes after transmitting the email to his personal e-mail account, Sporer emailed his friend that sent the e-mail: “Thank you for the spiritual lift. However, I need you to use my home E-mail address…. Apparently United Air Lines, Inc. has a strict computer security policy and these babies will get me fired.”
During a routine audit (yes, employers actually do this), United’s Information Security department came across the pornographic e-mail Sporer sent to his personal e-mail account, which eventually resulted in Sporer’s discharge for violating United’s e-mail policy.
The E-mail Policy:
UAL’s e-mail policy provided, in relevant part:
Message content must always be professional. It is strictly prohibited to transmit or store any messages or data that compromises or embarrasses the Company, contains explicit or implicit threats, obscene, derogatory, profane or otherwise offensive language or graphics, defames, abuses, harasses, or violates the legal rights of others.
United’s Information Security Policy also prohibited the transmission of obscene, derogatory, profane or otherwise offensive language or graphics. United’s information security policies are established to: “(1) protect the company’s investment in its human and financial resources expended to create its systems; (2) safeguard its information; (3) reduce business and legal risk; and (4) maintain public trust and the reputation of the company.” Under the heading “Privacy and Monitoring,” United’s Electronic Communications Standards provides:
The company reserves the right to monitor all e-mail on the company e-mail system-In other words, as an employee you should assume no right of privacy on e-mail transmitted on the company system. In addition, and messages sent or received, for business or personal reasons, may be disclosed to law enforcement officials or third parties without your prior consent.
Sporer admitted to having received reminders about United’s e-mail policy and that he understood that the content of his emails should not be less than professional. In fact, to turn on and use his work computer, Sporer had to click “OK” to clear the Warning Notice, informing him that the computer system is monitored.
Plaintiff’s Arguments Against Discharge
Sporer argued that his termination was wrongful because it was in violation of his right to privacy and in violation of a federal statute (18 U.S.C. § 2511, et seq.), which prohibits the interception and disclosure of wire, oral (Amazing or otherwise), or electronic communications. An invasion of privacy claim under California law requires a plaintiff to demonstrate: “(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.” Hill v. National Collegiate Athletic Assn., 7 Cal.4th 1, 39-40, 26 Cal.Rptr.2d 834, 865 P.2d 633 (1994). The Court quickly dismissed Sporer’s invasion of privacy claim noting that in 2001, “more than three-quarters of this country’s major firms monitor, record, and review employee communications and activities on the job, including their telephone calls, e-mails, Internet connections, and computer files.” Id. at 451, 117 Cal.Rptr.2d 155. The court further noted that there can be serious consequences for employers who do not monitor their employee’s communications and activities on the job. Id. at 452 n. 7, 117 Cal.Rptr.2d 155. Further, the advance notice that United monitored computer use for compliance with its policies, including a prohibition against use for “obscene or other inappropriate purposes,” and Sporer having an opportunity to consent to such monitoring, further undercut any reasonable expectation of privacy. Additionally, and this is a key point for employers, United had a policy of monitoring its employee’s computer use, warned employees that they had no expectation of privacy on e-mail transmitted on the company system, and provided its employees with a daily opportunity to consent to such monitoring. In light of these facts, the Court found that Sporer had no reasonable expectation of privacy in the use of his work email.
Sporer’s contention that United violated the federal statute (18 U.S.C. § 2511) by monitoring his work e-mail also failed. The statute excludes surveillance of communications where there is consent. The Court construed “consent” to express and implicit consent and that implied consent may be inferred “from surrounding circumstances indicating that the [party] knowingly agreed to the surveillance.” Id at 116-117. Circumstances showing consent will ordinarily include “language or acts which tend to prove … that a party knows of, or assents to, encroachments on the routine expectation that conversations are private.” Id. at 117. In regard to Sporer, he had been repeatedly informed that United monitored use of its computers, including emails and he had to click “OK” to clear the Warning Notice informing him that the computer system is monitored. Sporer also knew from past experience that United monitors work e-mail accounts. In fact, he was previously disciplined for sending an e-mail with a sexual video from his work account to his personal account. And the e-mail Sporer wrote to his friend minutes after he received the inappropriate email made clear that Sporer was aware of United’s strict computer policy and that United monitored work email accounts. The Court, therefore, found that because Sporer knew his work e-mail account was not private and was being monitored by United his consent to such monitoring may be implied. Accordingly, United did not violate 18 U.S.C. § 2511 by monitoring Sporer’s work e-mail account.
While monitoring employer provided e-mail accounts is (or should be) the norm, courts can reach conflicting decisions as to when and under what circumstances such monitoring is permissible. See How Far Can Employers Go in Reading Employee E-mail? For this reason, it is important for employers to reduce the risk that a Court will “second guess” such monitoring. The Sporer/United decision provides a text book roadmap for “getting it right” when it comes to employer e-mail policies and employee monitoring. In that regard, a few “take-aways” are as follows:
- Have a written policy: Employers must have a written e-mail policy that explains how company e-mail should be used. The overall theme of this policy should be that e-mail must be used for business purposes. Ideally, this e-mail policy will be part of an overall technology policy that establishes a road map with respect to the intended use of IT resources and what is prohibited. For example, limitations for accessing certain Websites and restrictions for loading unauthorized software into the company IT environment. See “How High Can Damages go for Unlicensed Software Use.“
- Writing the Email Policy: Your e-mail policy will depend upon your organizational needs. Generally it makes sense to get input from upper management in drafting a policy that supports the company’s overall mission. IT professionals can make recommendations as to what is technologically possible. And human Resource professionals should also be consulted because the policy will affect every employee. Equally important are recommendations from legal counsel. Aside from selfish job security motivations, legal counsel will provide valuable insight as to what is permitted, what is not permitted, and overall compliance recommendations. While not required, getting input from employees increase the chances of the policy ultimately being followed by employees.
- Communicate and Explain the Policy: Employers must communicate the policy to all stakeholders, including employees. It is also a good practice to document the employee has read and understands the policy by obtaining signed acknowledgment forms.
- Communicating the Policy is not a One Time Event: While it is not necessary, periodically communicating the existence of the policy is a good practice. First, it is a reminder to employees of what is expected in regard to e-mail/technology use and what is prohibited. Second, if your company ever needs to rely upon it in litigation, it just “looks better” if an employee was “reminded” about the policy. For example, United’s log-in procedure required employees to click a button (“OK”) to clear the notice that the employee’s email may be monitored. In other instances, employers have actually displayed random provisions of their overall employee policy at the log in screen, which also had to be cleared through clicking a button similar to “OK.” This random display also directed the employee to a link for the full policy for more information.
- Providing an Employee Out: It is a fact of Internet life that unsolicited e-mail is a given (I’m always amazed at how many women are waiting to hear from me or the number of Nigerian businessmen that need my assistance). And a lot of this unsolicited email is along the lines of the “Amazing” video of the pseudo-acrobat. Accordingly, chances are an employee will receive an e-mail that violates the company’s e-mail use policy. In that event, make sure employees understand what is expected, e.g., deleting it, contacting a supervisor., contacting IT, or whatever reporting requirements that are determined to be appropriate. Applying this to Mr. Sporer’s situation, his mistake was not in receiving the email, but rather forwarding it on to his personal email account and then deleting it. Presumably had he just deleted the email he would not have violated the policy. This goes back to effectively communicating what is expected of employees.
For more information on comprehensive technology policies or specific questions about e-mail policies, please feel free to contact me.
Employers routinely face situations where they must investigate an employee suspected of misconduct. Such investigations increasingly – if not always – involve email. But do employers become guilty of misconduct or otherwise risk liability if they access an employee’s email account? Does it matter if the company has a policy regarding email privacy? What if the policy is inconsistent or not enforced? Does it matter if the the email account is a company provided account or accessed using company computers/Internet connections? While the answers to these questions will, unfortunately, depend upon the circumstances, a great overview of issues employers should consider prior to investigating employee email is found at Investigating Personal Web-Based E-Mail.
When it comes to investigating employees and email, employers will often feel as if they are shooting at a moving target in the dark when it comes to “getting it right.” That is because court opinions addressing employee email investigation often become very fact specific and reach conflicting results.
For example, in Stengart v Loving Care Agency, Inc. (New Jersey 2009), the employer provided plaintiff with a laptop computer and a work email address. Prior to plaintiff’s resignation, she communicated with her attorneys about her anticipated suit against her employer. These email communications were sent from plaintiff’s work-issued laptop but through her personal, web-based, password-protected Yahoo email account. After plaintiff filed suit, the company created a forensic image of the hard drive from plaintiff’s computer. In reviewing plaintiff’s Internet browsing history, the employer’s attorney discovered and read numerous communications between plaintiff and her attorney.
The trial judge found in favor of the employer noting that the company’s policy put employees on sufficient notice that electronic communications, “whether made from her company E-mail address or an Internet based E-mail address would be subject to review as company property.”In reaching this conclusion, the judge stated that the company policy “specifically place[d] plaintiff on notice that all of her Internet based communications [we]re not to be considered private or personal” and that the policy “put employees on notice that the technology resources made available to employees were to be used for work related purposes, particularly during business hours.”
The Court of Appeals, however, reversed this decision noting that “there is much about the language of the policy that would convey to an objective reader that personal emails, such as those in question, do not become company property when sent on a company computer, and little to suggest that an employee would not retain an expectation of privacy in such emails.” The Court further based its decision on the “important societal considerations that undergird the attorney-client privilege.” This opinion is available here and is worth reviewing for its interesting discussion of the competing interests between employers’ interest in maintaining its business operations and employee privacy against the backdrop of digital communication (yes, I’ve been told I’m a dork for finding this stuff interesting).
In contrast to Stengart, the court in Scott v. Beth Israel Med. Center Inc., (N.Y. Sup. Ct. 2007) sided in favor of the employer and decided that email communications between plaintiff and his attorney exchanged over the employer’s email system was not protected by attorney-client privilege or work product doctrine. The emails in question were were all sent over the employer’s email server. And the employer’s email policy stated, among other things, that the electronic mail systems were the property of the employer and should be used for business purposes only, that employees “have no personal privacy right in any material created, received, saved or sent using [employer's] communication or computer systems,” and that the employer reserved the right to access and disclose such material at any time without prior notice.
The take away for employers is that it takes planning to bench the judicial-Monday-morning quarterback scrutinizing your investigation decisions. This planning starts with a well-written policy clearly advising employees of how company computers, Internet resources, and email will be treated. An employer should obtain the employee’s signed acknowledgement that the policy was received and understood. And, the policy must be enforced. See Privacy in the Digital Workplace – Oxymoron? Maybe Not, where an employer had such a policy in place, but represented it would not be enforced, which – under the facts of that case – created an “expectation of privacy” for the plaintiff employee.
Steve Carell stars in The Office. His character, Michael Scott, generally delivers laughs as he bungles his way through managing Dunder Mifflin. But in real life, his management “approach” is exactly the sort of thing that can turn into big and increasingly expensive headaches for employers. In fact, according to the Manpower Employment Blog (citing to a 2008 study from Jury Verdict Research) employment discrimination verdicts rose 70%, from $147,500 in 2006 to $252,000 in 2007. Then there are attorneys’ fees. A reasonable estimate puts such fees in the ballpark of $95,000 for a single plaintiff lawsuit that settles just short of trial.
But it is not just the money that employers need to consider: There is also the time and aggravation spent involved in litigation, which includes the time to respond to written discovery requests, gather responsive documents, prepare for depositions, etc. And this business interruption generally falls upon owners and management, who already are working 25 hours/day, 8 days a week trying to “do more with less.” These costs and business interruption will continue to grow as litigation increasingly takes place in the context of digital “documents,” i.e., e-mail, backup tapes, databases, and the like. Such information must be specifically addressed under federal and state court rules, including the 2009 Amendments to the Michigan Court Rules. By way of illustration as to costs, in a 2007 employment related lawsuit, the cost for retrieving and reviewing a sampling of e-mails for seven former employees and two managers totaled $42,892.42 in an employment claim. See Henry v Quicken Loans, Inc, Case No. 4:04-cv-40346-PVG-SDP, Dkt. No. 384 (ED Mich Feb 20, 2007). I’m told that the e-discovery costs just for this sampling more than doubled when all was said and done.
Fortunately, most employers do not have a Michael Scott on their payroll, or if they do, they also have a counterbalancing voice of reason like The Office’s HR character “Toby” to properly address employment matters. And when it comes to these matters, employers and HR are generally well-prepared to respond to the “usual suspects,” i.e., sexual harassment, discrimination, and disabilities under state and federal law. But it is also important for employers to exercise caution in responding to these claims in the investigation phase. Otherwise, employers may inadvertently expand the litigation buffet a plaintiff’s’ attorneys may choose from in filing litigation.
Take for example, defamation. Under Michigan law, a defamation claim requires a showing of (1) a false and defamatory statement concerning the plaintiff, (2) an unprivileged publication to a third party, (3) fault amounting to at least negligence on the part of the publisher, and (4) either actionability of the statements irrespective of special harm, or the existence of special harm caused by the publication. Hawkins v. Mercy Health Services, Inc, (1998). It is true that a Michigan employer has a qualified privilege regarding employee defamation when it comes to making statements to other employees whose duties interest them in the subject matter. Patillo v. Equitable Life Assurance Society of the United States (1993). A plaintiff, however, may overcome this qualified privilege by showing that the statement was made with actual malice, i.e., with knowledge of its falsity or reckless disregard of the truth. Gonyea v. Motor Parts Federal Credit Union, (1991). An employer may also lose the privilege.
For example, in Sias v. General Motors Corp., the Michigan Supreme Court held that no privilege extended to the defendant corporation when it called in fellow employees to explain the circumstances of the plaintiff’s separation. A corporate representative explained to employees that the plaintiff had been released for misappropriation of company property. These individuals, however, were not supervisors, personnel department representatives, or company officials, but employees in identical work. The Court even noted that, the employer was motivated by the seemingly legitimate business concern of restoring morale and quieting rumors. But despite this legitimate motivation, the Court still ruled against the employer.
While the standards for overcoming an employer’s qualified privilege are high, it does create another hurdle that an employer must jump over in defending against litigation. And there is always the risk that a court may second guess an employer or find a question of fact as to whether the statements extended beyond those with an interest in the subject matter of the investigation.
In regard to investigating employee misconduct, there are no hard and fast rules for how to conduct an investigation, with the exception of doing it right the first time. In this regard, the following, while certainly not an exhaustive list, should be considered in consultation with counsel:
- If you haven’t already done so, develop a written policy outlining what steps will be taken in response to allegations of employee misconduct. This investigation policy should also be a component of a company’s overall policy for reporting workplace misconduct. Make sure, however, your company is committed to follow the investigation steps outlined in your policy. Thus, do not commit to more than your company is willing to do in investigating matters;
- The question most often asked is whether the investigation should be conducted by an attorney. As a general rule, an attorney should conduct or — at a minimum — supervise the investigation. Aside from the author’s concern for job security, an attorney will likely be more independent and objective in assessing the facts. Further, the attorney-client privilege will be available to protect communications critical to the investigation and the attorney work-product doctrine will protect materials generated through the investigation;
- If counsel will not be used, it is especially critical for employers to give careful consideration in organizing and planning the investigation. This assessment includes determining who will conduct it, the likely key witnesses to interview, and how the investigation will be supervised; and
- Part of the investigation should include identifying likely sources of relevant documents and digital information. This point needs to be carefully considered because a party has an obligation to suspend any automatic deletion procedures and to otherwise preserve information once litigation is commenced or a party reasonably anticipates litigation, i.e., possibly investigating misconduct. In this regard and out of an abundance of caution, immediately enlist your IT professionals to make sure such information is preserved. If an employee’s company e-mail will be monitored, make sure it is done consistent with your company’s policy and applicable law.
Certainly navigating state and federal employment law is the first line of defense in avoiding employment litigation. But if when an employer must investigate an alleged violation under these laws, (or any misconduct for that matter) it is important to respond in a well-reasoned manner because an investigation is not risk free. Accordingly, employers need to look long and hard (in tribute to Michael Scott, “that’s what she said“) when it comes to investigating such matters because of the need to get the facts right, to minimizing any stigma that could follow an employee accused of misconduct, and – adding injury to insult – no employer wants to investigate one potential lawsuit only to create another.