Archive for the ‘workplace monitoring’ Category
Employer Liability for Employee’s Internet Misconduct – Or When Surfing the Web can Wipe out your Business.
Generally, the Internet is a tremendous asset in the workplace, except when it is a liability. And liability generally involves employee misconduct. A common example of such liability was recently reported on by the Wall Street Journal (click here for the story). This story discusses repeat instances of employees (in this case U.S. government employees at the Securities and Exchange Commission) accessing Internet pornography. The WSJ’s story notes that one regional supervisor for the SEC had made more than 1,800 attempts to look up pornography in a 17-day span (if you’re doing the math, that is 105.88 times a day!).
Unfortunately, holding employers liable for damages arising out of Internet misconduct by employees is not a novel concept. Common scenarios where employers may be exposed to liability include tort, contract, copyright, and for crimes arising out of an employee’s misuse of a workplace computer.
For example, a case dealing with viewing child pornography resulted in the New Jersey Appellate Division ruling that the company could be liable for damages suffered by innocent third parties where the company failed to investigate reports that an employee was viewing child pornography online at work. Doe v. XYC Corp., (2005). In that case, the Court ruled that when an employer has actual or imputed knowledge that an employee is viewing child porn on a company computer the employer has a duty to act, either by terminating the employee or reporting such activities to law enforcement authorities. In regard to such knowledge, the court noted the following facts.
- The employee’s immediate supervisor, a manager, and the director of network and PC services were all aware of the suspicion that the employee used a company computer to visit sexually explicit websites.
- Co-workers complained about the employee’s computer habits.
- An investigation into these complaints uncovered that he visited child porn sites. The company’s response was to tell the employee to stop. The employee did not and he eventually downloaded more than 1,000 pornographic images on his work computer. He also sent three nude or semi-nude photos of his 10-year-old stepdaughter to a child porn site from his work computer.
It is also worth noting that the employer actually had an Internet usage policy in place (a must for every company) that provided employees were only permitted to “access sites, which are of a business nature only,” and reserved the right to inspect computers. But having such a policy in place does no good if it is not enforced. In this regard, a high-ranking IT executive warned a supervisor against monitoring the employee’s computer use, as it was the IT exec’s belief that the company policy prohibited such monitoring.
The other common scenarios where employers may find themselves exposed to Internet misconduct include:
- Intentional and negligent infliction of emotional distress – In Delfino v. Agilent Technologies, Inc., an employer was not liable under a negligent supervision theory to threat recipients who claimed infliction of emotional distress. This distress arose out of an employee who transmitted Internet threats using employer’s computer system. The court noted that the employer owed the recipients no duty in absence of business relationship or close connection with recipients’ injuries, and employer did not breach any duty as it was unaware of employee’s conduct.
- Harassment / Hostile Work Environment – Even though employers do not have a duty to monitor the private communications of their employees for comments which harass co-employees, employers do have a duty to take effective measures to stop co-employee harassment when the employer knows or has reason to know that the harassment is part of a pattern of harassment that is taking place in the workplace and in settings that are related to the workplace. Effective remedial steps reflecting a lack of tolerance for the harassment will be relevant to an employer’s affirmative defense that its actions absolve it from all liability. For example, in 2007 case, Avery v. Idleaire Technologies Corp., the Court of Appeals allowed a plaintiff’s hostile work environment claim case to go to a jury (it reversed a trial court’s order dismissing the case). In doing so, the Court noted that a jury “could find it to be objectively offensive for an employer to permit employees to use a company computer terminal on company time to actively seek pornographic material, whether for sexual gratification, entertainment, or in the words of one of the plaintiff’s co-workers, simply out of boredom, and for the evidence of this activity (pop-up adds, printouts, internet history, etc.), to be left for the plaintiff and other employees to see.” Similarly, in Gallagher v. C.H. Robinson Worldwide, Inc., (6th Cir. 2009) the decision to dismiss a sexual harassment claim by the trial court was reversed. The court noted that Plaintiff testified that co-workers used Internet to view sexually explicit pictures on their computers, along with other conduct compared to a “guy’s locker room” (I don’t know about you, but I didn’t want to spend any more time than I had to in the locker room).
- Defamation, libel and slander – In Gavrilovic v. Worldwide Language Resources, Inc., the Court held that a coworker’s e-mail statement that an employee of a military contractor was the military base “F*ck toy” was false and defamatory, as required for the employee to recover from the contractor for defamation.
- Copyright infringement – Employers also may be needlessly exposed to lawsuits for copyright violations if they permit (or ignore the fact that) employees to receive or download software or other materials, e.g., music, video, and graphics files. See Varilease Tech. Group, Inc. v. Michigan Mut. Ins. Co. ((Mich. Ct. App. 2004), which concerned a suit against an employer alleging its employees copied and retained copyrighted product support manuals and diagnostic software, used the materials in their contracts to perform service and maintenance for their clients, and distributed the materials to subcontractors.
It is also worth noting that, in limited circumstances, there may be an upside for employee Internet misconduct. For example, a former employee’s acts of transmitting sexual images via employer’s internet and email applications was a deliberate violation of employer’s computer usage policy, and accordingly, his actions constituted misconduct connected with his work, and thus, claimant was disqualified from unemployment benefits; Ernst v. Sumner Group, Inc., 264 S.W.3d 669, Unempl. Ins. Rep.(2008).
The Take Aways: Monitoring Is A Must
While claims against employers for employee Internet misconduct may ultimately fail to impose liability, the exposure is still there. And the preceding cases underscore the importance of monitoring employee Internet browsing to minimize that liability. Here are some suggestions to consider when it comes to monitoring employee’s Internet usage:
- Create a policy that spells out what types of sites are off-limits. Also explain that the company has the right to monitor employee usage of company computers to confirm compliance with the policy and, therefore, employees should have no expectation of privacy when it comes to any of the company’s electronic equipment. Make sure employees also understand that violating the policy may result in discipline.
- Communicate the policy. It is also important for IT to understand that monitoring is permitted and under what circumstances.
- Highlight to employees the negative effects misuse of the Internet may have on the company (e.g., liability for sexual harassment).
- If you believe an employee is violating your Internet usage policy, make sure you properly preserve the evidence, e.g., Web activity, the employee’s PC or laptop.
- If a violation occurs, assess whether law enforcement officials should be contacted, (child porn).
Feel free to shoot me your thoughts or comments about this post. And if you have story that tops the SEC supervisor’s 17 day porn rampage, I would be interested in hearing about it, but I don’t need to see the proof.
Spoliation in litigation generally refers to the destruction or significant alteration of evidence, or the failure to preserve crucial items as evidence in pending or reasonably foreseeable litigation. Spoliation has become an increasingly hot issue in the context of digital information, such as e-mails and hard drives. The Michigan Court of Appeals recently reaffirmed that spoliation can result in severe sanctions by affirming a trial court’s decision to dismiss a plaintiff’s sexual harassment lawsuit with prejudice. Gillett v. Michigan Farm Bureau, Mich. Ct. App., No. 286076, (Dec. 22, 2009). The dismissal was a sanction for the plaintiff’s deletion of digital evidence.
In Gillett, the plaintiff’s lawsuit arose out of alleged sexual harassment by defendants in his workplace. Plaintiff resigned, then retained an attorney to pursue possible causes of action against defendants. The plaintiff’s attorney wrote a demand letter to defendants. Defendants’ attorney responded with a notification that plaintiff should preserve his personal e-mails. Plaintiff’s counsel represented that plaintiff would submit his personal e-mails and his personal laptop computer hard drive for defendants’ inspection.
But in plaintiff’s deposition, plaintiff acknowledged that he had deleted e-mails from his personal account after receiving the notification from defendants. In addition, a forensic analysis of plaintiff’s computer indicated that he had deleted massive numbers of files from the hard drive shortly before plaintiff submitted his computer for defendants’ inspection. The forensic analyst determined that the deleted files were not recoverable, and opined that the deletions were intended to interfere with the discovery process. The analyst also noted that although plaintiff claimed the deletions were due to uninstalling of problematic software, that software was still installed on plaintiff’s computer.
On appeal, the plaintiff contended that the trial court abused its discretion by imposing the “drastic sanction of dismissal” and failed to determine whether the deleted electronic evidence was relevant. Specifically, plaintiff acknowledged that he deleted e-mails, but maintained that the deletion was a result of his routine procedures rather than a deliberate attempt to destroy evidence. The trial court rejected plaintiff’s contention, finding the number of data files deleted to be “[e]xtremely significant.” The court observed that plaintiff deleted on average 2,000 files each month through September 2007, but that in October 2007 the deletions increased to more than 200,000 files, with an additional 28,000 files deleted in the first six days of November.
The Court of Appeals rejected the plaintiff’s arguments and in doing so relied heavily on Leon v. IDX Systems Corp., 464 F3d 951 (CA 9, 2006), a case in which the federal district court explored the many sanctions short of dismissal before concluding that dismissal was the appropriate sanction. Similar to Gillett, Leon involved there was no manner in which to verify the recovery of all the deleted information and no way to know the content of the deleted information. The Court further observed that plaintiff’s “spoliation threatened to distort the resolution of the case … because any number of the … files could have been relevant to [defendants’] claims or defenses, although it is impossible to identify which files and how they might have been used .” Id. at 960. The Court noted that plaintiff “did not have the authority to make unilateral decision about what evidence was relevant in this case.” Leon, supra at 956-957.
This case illustrates a number of key points that business organizations and their attorneys must consider when it comes to litigation and preserving digital information.
First, even when an action has not been commenced and there is only a potential for litigation, a duty to preserve evidence may arise where the prospective litigant knows or reasonably should know information is relevant to the prospective action.’” Bloemendaal v Town & Country Sports Ctr, Inc, 255 Mich App 207 (2002). The problem for business organizations, however, is nailing down when that duty arises and what steps must be taken. This is especially true when the appropriate decision-makers have – at best – a vague awareness of a potential dispute of unknown parameters. Implementing preservation efforts under such conditions can be very expensive and burdensome. And that expense and burden may prove to be unnecessary if litigation is never filed. But, if you guess wrong, the organization may be open itself up to sanctions like the one in Gillett. For a ridiculous example see Phillip M. Adams & Associates, L.L.C., v. Dell, Inc., 2009 WL 910801 (D.Utah March 30, 2009) (Magistrate held that a defendant should have imposed a hold eight years before the suit was filed); See also KCH Services, Inc. v. Vanaire, Inc. 2009 WL 2216601 (W.D.Ky. July 22, 2009) (Sanctions awarded against the defendant for pre-suit spoliation). It can be a razor’s edge between the routine and efficient disposal of information that no longer has a business purpose and the destruction of potential evidence.
Second, once the duty to preserve arises, counsel – including in-house counsel – must carefully determine and understand what sources of discoverable information are in the custody or control of the client. It is not uncommon for courts to impose sanctions on both for failing to do so. See Phoenix Four, Inc. v. Strategic Resources Corp., 2006 WL 1409413 (S.D.N.Y. May 23, 2006) (Court sanctioned a law firm and client for failing to identify and preserve “all” information which a “methodical survey of [the client’s] sources of information” should have produced – A partitioned hard drive contained 200-300 boxes worth of evidence, and was not discovered until the discovery deadline); Swofford v. Eslinger, Case. No.6:08-cv-Orl-35DAB (FL.M.D. Sept. 28, 2009) (Court imposed sanctions against in-house counsel for failure to preserve evidence, including email and laptops); Green v. McClendon, 2009 WL 2496275 (S.D.N.Y. Aug. 13, 2009) (Magistrate entered sanctions against a defendant and her attorney for or their mutual failure to implement a proper litigation hold and preserve digital information and for the attorneys handling of digital information). In this regard, it is essential to communicate with the key stakeholders, which include the business organization’s IT professionals as well as the actual authors and recipients of any digital information relating to that litigation to ascertain the full scope of the organization’s digital universe. From that universe decisions can then be made as to what needs to be carved out for preservation.
Third, parties must realize when it comes to deleting/destroying digital information the cover up, i.e. the “deletion,” almost always becomes worse than the crime. The Gillett Court highlighted this point by noting that “any number of the … files could have been relevant to [defendants’] claims or defenses, although it is impossible to identify which files and how they might have been used.” Speaking from experience, letting a judge or jury’s imagination run wild as to why a litigant destroyed digital evidence and what that evidence may or may not have shown is a big bat to swing in trying to resolve litigation.
Additionally, failing to preserve digital information may also result in the loss of favorable information. A common such scenario arises in employment litigation where an employer seeks to assert an “after-acquired evidence defense.” Such a defense generally arises when during the course of the litigation the employer learns of something that, had it known of the information earlier, would have justified terminating the employee for legitimate, non-discriminatory reasons. See Olson v International Business Machines (D.Minn. 2006) (Addressing after-acquired evidence in employment litigation: IBM learned about allegedly pornographic materials on plaintiff’s laptop after he was terminated and only learned during discovery that plaintiff actually cleaned out the hard drive).
Fourth, deleting unfavorable digital information is more often than not almost always detectable. Michael Ahern of the Center for Computer Forensics explains that, “[i]t is relatively easy for forensic experts to see the volume of deleted files and recover those files. If the volume of deleted data is unusually low, the forensic expert can look for evidence of a wiping utility or program that indicates the intentional destruction of digital information.” As technology advances, detecting wrongful deletion of evidence becomes more challenging. Mr. Ahern further explained that with older wiping programs, it was easy to detect their use. But newer wiping utilities are designed to hide their process so that there is no digital fingerprint of its existence when it is deleted. There are, however, common “tell-tale” signs that forensic specialist will use to identify suspicious or outright wrongful deletion in addition to technical mistakes of even savvy would-be digital saboteurs. Mr. Ahern notes, “I always say, we rely on people’s computer ignorance to find some level of evidence, especially if they are in a hurry.”
Gillett reinforces the conclusion that Courts expect litigants and their attorneys to properly preserve digital information pertaining to litigation. And failure to do so will often result in range of sanctions from adverse jury instructions to dismissal of an entire case. Accordingly, it is critical for litigants and their attorneys to properly address the preservation and handling of digital information that may be relevant to litigation. For more information about what steps your business organization can take to minimize the risks of sanctions for destroying digital evidence, please contact Jason Shinn.
A special thanks to Michael Ahern of the Center for Computer Forensics for sharing his experience and technical insight into computer forensics.
Steve Carell stars in The Office. His character, Michael Scott, generally delivers laughs as he bungles his way through managing Dunder Mifflin. But in real life, his management “approach” is exactly the sort of thing that can turn into big and increasingly expensive headaches for employers. In fact, according to the Manpower Employment Blog (citing to a 2008 study from Jury Verdict Research) employment discrimination verdicts rose 70%, from $147,500 in 2006 to $252,000 in 2007. Then there are attorneys’ fees. A reasonable estimate puts such fees in the ballpark of $95,000 for a single plaintiff lawsuit that settles just short of trial.
But it is not just the money that employers need to consider: There is also the time and aggravation spent involved in litigation, which includes the time to respond to written discovery requests, gather responsive documents, prepare for depositions, etc. And this business interruption generally falls upon owners and management, who already are working 25 hours/day, 8 days a week trying to “do more with less.” These costs and business interruption will continue to grow as litigation increasingly takes place in the context of digital “documents,” i.e., e-mail, backup tapes, databases, and the like. Such information must be specifically addressed under federal and state court rules, including the 2009 Amendments to the Michigan Court Rules. By way of illustration as to costs, in a 2007 employment related lawsuit, the cost for retrieving and reviewing a sampling of e-mails for seven former employees and two managers totaled $42,892.42 in an employment claim. See Henry v Quicken Loans, Inc, Case No. 4:04-cv-40346-PVG-SDP, Dkt. No. 384 (ED Mich Feb 20, 2007). I’m told that the e-discovery costs just for this sampling more than doubled when all was said and done.
Fortunately, most employers do not have a Michael Scott on their payroll, or if they do, they also have a counterbalancing voice of reason like The Office’s HR character “Toby” to properly address employment matters. And when it comes to these matters, employers and HR are generally well-prepared to respond to the “usual suspects,” i.e., sexual harassment, discrimination, and disabilities under state and federal law. But it is also important for employers to exercise caution in responding to these claims in the investigation phase. Otherwise, employers may inadvertently expand the litigation buffet a plaintiff’s’ attorneys may choose from in filing litigation.
Take for example, defamation. Under Michigan law, a defamation claim requires a showing of (1) a false and defamatory statement concerning the plaintiff, (2) an unprivileged publication to a third party, (3) fault amounting to at least negligence on the part of the publisher, and (4) either actionability of the statements irrespective of special harm, or the existence of special harm caused by the publication. Hawkins v. Mercy Health Services, Inc, (1998). It is true that a Michigan employer has a qualified privilege regarding employee defamation when it comes to making statements to other employees whose duties interest them in the subject matter. Patillo v. Equitable Life Assurance Society of the United States (1993). A plaintiff, however, may overcome this qualified privilege by showing that the statement was made with actual malice, i.e., with knowledge of its falsity or reckless disregard of the truth. Gonyea v. Motor Parts Federal Credit Union, (1991). An employer may also lose the privilege.
For example, in Sias v. General Motors Corp., the Michigan Supreme Court held that no privilege extended to the defendant corporation when it called in fellow employees to explain the circumstances of the plaintiff’s separation. A corporate representative explained to employees that the plaintiff had been released for misappropriation of company property. These individuals, however, were not supervisors, personnel department representatives, or company officials, but employees in identical work. The Court even noted that, the employer was motivated by the seemingly legitimate business concern of restoring morale and quieting rumors. But despite this legitimate motivation, the Court still ruled against the employer.
While the standards for overcoming an employer’s qualified privilege are high, it does create another hurdle that an employer must jump over in defending against litigation. And there is always the risk that a court may second guess an employer or find a question of fact as to whether the statements extended beyond those with an interest in the subject matter of the investigation.
In regard to investigating employee misconduct, there are no hard and fast rules for how to conduct an investigation, with the exception of doing it right the first time. In this regard, the following, while certainly not an exhaustive list, should be considered in consultation with counsel:
- If you haven’t already done so, develop a written policy outlining what steps will be taken in response to allegations of employee misconduct. This investigation policy should also be a component of a company’s overall policy for reporting workplace misconduct. Make sure, however, your company is committed to follow the investigation steps outlined in your policy. Thus, do not commit to more than your company is willing to do in investigating matters;
- The question most often asked is whether the investigation should be conducted by an attorney. As a general rule, an attorney should conduct or — at a minimum — supervise the investigation. Aside from the author’s concern for job security, an attorney will likely be more independent and objective in assessing the facts. Further, the attorney-client privilege will be available to protect communications critical to the investigation and the attorney work-product doctrine will protect materials generated through the investigation;
- If counsel will not be used, it is especially critical for employers to give careful consideration in organizing and planning the investigation. This assessment includes determining who will conduct it, the likely key witnesses to interview, and how the investigation will be supervised; and
- Part of the investigation should include identifying likely sources of relevant documents and digital information. This point needs to be carefully considered because a party has an obligation to suspend any automatic deletion procedures and to otherwise preserve information once litigation is commenced or a party reasonably anticipates litigation, i.e., possibly investigating misconduct. In this regard and out of an abundance of caution, immediately enlist your IT professionals to make sure such information is preserved. If an employee’s company e-mail will be monitored, make sure it is done consistent with your company’s policy and applicable law.
Certainly navigating state and federal employment law is the first line of defense in avoiding employment litigation. But if when an employer must investigate an alleged violation under these laws, (or any misconduct for that matter) it is important to respond in a well-reasoned manner because an investigation is not risk free. Accordingly, employers need to look long and hard (in tribute to Michael Scott, “that’s what she said“) when it comes to investigating such matters because of the need to get the facts right, to minimizing any stigma that could follow an employee accused of misconduct, and – adding injury to insult – no employer wants to investigate one potential lawsuit only to create another.
The Spring 2009 Hofstra Labor and Employment Law Journal includes a symposium on Emerging Technology and Employee privacy. There are two articles that are especially relevant to employers: Invasion of Privacy Liability in the Electronic Workplace: A Lawyer’s Perspective (by Christine E. Howard) and The Emergence of State Data Privacy and Security Laws Affecting Employers (by Joseph J. Lazzarotti).
Employee privacy has received increased attention. For example, in a 2008 case, Quon v. Arch Wireless Operating and Co., the 9th Circuit Court of Appeals held that a company that contracted with an employer to provide text messaging services to the employer’s employees, violated the federal Stored Communications Act (SCA) when it provided the stored text messages to the employer. Employers will also want to take notice because the Court held, in the particular factual context presented, that the employer violated its employee’s privacy rights as well as the recipients of the text messages under the Fourth Amendment and under Article I, Section 1 of the California Constitution.
These particular facts are as follows: The City of Ontario contracted with Arch Wireless for pagers that supported text messaging,. These pagers were issued to Police Department employees, including plaintiff Jeff Quon. The Police Department had a general “Computer Usage, Internet and E-mail Policy” that limited the “use of City-owned computers and all associated equipment, software, programs, networks, Internet, e-mail and other systems . . .” to City business. The policy also provided that “[u]sers should have no expectation of privacy or confidentiality when using these resources” which extended to the pagers. But, the police official responsible for overseeing the City’s text-message program, had stated that the City would not read an officer’s text messages, so long as the officer paid for any charges for overages under the City’s plan. Quon did in fact pay for overages on several occassions. Subsequent to this statement and payment of Quon’s overages, the Chief of Police ordered transcripts, which were turned over by Arch, the wireless provider. Many of Quon’s messages were personal in nature, including sexually explicit. The Court held that Quon had a reasonable expectation of privacy in his text messages as the result of the lieutenant’s statements that the messages would not be audited if overages were paid.
The take-away from Quon for employers is that a clear policy that electronic communications are not private is a must. Further, to minimize the chance that this policy is not undercut by stray assurances of privacy or workplace reality (i.e., employers generally don’t have the time or interest to read employee e-mails), it should also provide that no one other than a designated person has the authority to change the terms of the policy and that all such changes must be in writing. There may be some additional recommendations in the articles referenced above and feel free to offer your own insight. Thanks.