What to do When Your Client Discovers Child Pornography on Workplace Computers

by Matthew L. Mitchell

Practice Tips

Scenario:  An employer’s Information Technology department performs a routine software update on an employee’s office computer.  During the course of the maintenance, an Information Technology professional discovers what appears to be child pornography saved on the hard drive.

This nightmare scenario raises several very difficult questions for the employer:

  • Should the matter be resolved through internal discipline procedures, or should (or must) the employer involve local police or other law enforcement authorities?
  • What should the employer do with the offending images or materials?
  • Should the employer conduct a further investigation?

The answers to these questions depend on a rapidly evolving body of case law and statutes, including statutory mandates that impose specific, affirmative duties on employers who discover child pornography in the workplace.  Employers must be aware of their duties and responsibilities, and be prepared to act when violations occur.  Failure to adhere to these mandates may subject employers to significant penalties and criminal sanctions.

Possession of Child Pornography Is a Crime

Under both Massachusettsand federal law, it is a crime to “knowingly possess” child pornography.  See M.G.L. ch. 272, §29C ; 18 U.S.C. § 2552.  As such, if child pornography is discovered in the workplace or on company computer networks, the employer is in violation of these laws.  Under the federal law that criminalizes possession of child pornography, 18 U.S.C. § 2252, an employer that discovers child pornography in the workplace may limit its liability if it “promptly and in good faith” (a) destroys the offending materials; or (b) informs a law enforcement agency that it has discovered illegal child pornography and affords that agency the opportunity to access the materials. See 18 U.S.C. § 2252(c).  This “safe harbor” may, however, be at odds with other statutory and regulatory mandates.  For example, as discussed below, there are federal and state statutes, potentially applicable to some employers, which expressly prohibit the destruction of evidence of child pornography.

In addition, most jurisdictions, including Massachusetts, recognize that willful or deliberate ignorance is tantamount to actual knowledge of the wrongdoing.  See, e.g., United States v. Guerrero, 114 F.3d 332, 343 n. 12 (1st Cir.1997) (“Where ‘the facts suggest a conscious course of deliberate ignorance,’ a jury is warranted in finding the defendants’ deliberate ignorance of criminal events, which is tantamount to knowledge.”) (internal citations omitted).  Accordingly, if an employer has reason to suspect that an employee is storing child pornography at the worksite or within employer’s computer systems, the employer may not avoid liability by simply ignoring the situation.  Rather, depending on the circumstances, the employer may have a duty to investigate the employee’s activities, including searching its computer files or monitoring employee’s computer usage, and taking prompt remedial action if offending material is discovered.  This duty may trump any privacy rights of the employee.  See, e.g., Doe v. XYZ Corporation, 887 A. 2d 1156, 1158 (N. J. Super. 2005) (“[An] employer who is on notice that one of its employees is using a workplace computer to access pornography, possibly child pornography, has a duty to investigate the employee’s activities and to take prompt and effective action to stop the unauthorized activity, lest it result in harm to innocent third-parties. No privacy interest of the employee stands in the way of this duty on the part of the employer.”).

Under both Massachusettsand federal law, penalties for knowing possession of child pornography include substantial fines and prison sentences.  See M.G.L. ch. 272, § 29C (imposing state prison terms of up to 5 years, and fines up to $30,000 for knowing possession of child pornography); 18 U.S.C. § 2252 (imposing up to 20 year prison sentences for knowing possession of child pornography).

A Duty to Report?

There are several federal and Massachusettsstatutes that may impose affirmative duties on Massachusettsemployers to report child pornography to law enforcement authorities.  For example, federal statute 18 U.S.C. § 2258A requires “whoever, while engaged in providing an electronic communication service or a remote computer services. . ., obtains actual knowledge of any facts or circumstances [concerning child pornography] . . . [must] provide to the CyberTipline of the National Center for Missing and Exploited Children . . . a report of such facts and circumstances. . .”  18 U.S.C. § 2258A.  If the “facts and circumstances” of child pornography include physical materials, such as images, data, or digital files, those materials must be preserved in a “secure location,” and made available to the appropriate authorities upon request.  18 U.S.C. § 2258A(h).  For purposes of the statute, the term “electronic communication service” is defined broadly as “any service which provides to users thereof the ability to send or receive wire or electronic communications.”  18 U.S.C. § 2510.  On its face, the statute appears to apply its mandatory reporting requirement to any employer that provides e-mail access to its employees.  Although some commentators suggest that the scope of 18. U.S.C. § 2258A is limited to Internet Service Providers (such as Comcast or Verizon), this limitation has not been addressed in regulations or case precedent.

Also, under Massachusetts General Law Chapter 119, §51A, certain “mandated reporters,” such as school or hospital employees, are required to report suspected incidents of child abuse and neglect to law enforcement authorities.

In addition to these statutory mandates, employers have been found liable for common law negligence for failing to report child pornography found on a work computer.  In the New Jerseycase of Doe v. XYC Corporation, a mother, on behalf of her daughter, brought a negligence action against her husband’s employer, seeking to hold employer liable for the husband’s use of workplace computer to access pornography and send nude photographs of the daughter to a child pornography site.  Although the employer was on notice that the husband was using work computers to access pornographic websites, the employer did not investigate the husband’s behavior or report his conduct to authorities.  In reversing summary judgment in the employer’s favor, the court held that the employer “had a [common law] duty to report Employee’s activities to the proper authorities and to take effective internal action to stop those activities, whether by termination or some less drastic remedy.” See XYC Corporation, 887 A. 2d at 1168.

In sum, employers must be prepared to promptly report incidents of suspected child pornography to law enforcement authorities.

The Need to be Proactive

Although it is critically important for employers to understand the appropriate actions to take after discovering child pornography, it is equally important to adopt policies and procedures that limit the likelihood of such illegal material entering the work place.  A fundamental tool in this regard is an effective media policy that addresses employee use of workplace computer equipment and systems.  Such a policy should:

  • Restrict employee computer use to authorized work-related activities and limited personal use that does not interfere with work activities or burden the employer’s computer system;
  • Notify employees that work computers, e-mail accounts, and internet activity may be monitored by the employer, and that employees have no expectation of privacy in information stored on such equipment or transmitted through such services;
  • Notify employees that the employer reserves the right to monitor employee usage of company computer equipment and systems; and
  • Inform the employee that illegal use of the company’s computer systems may be reported to law enforcement authorities.

Employers should also be committed to enforcing the policy. When an employer suspects or becomes aware of an employee’s misuse of company computer systems, the employer should engage in a prompt and thorough investigation.  If the investigation reveals inappropriate employee conduct, the employer should take remedial action.  As discussed above, such action may involve subjecting the employee to internal disciplinary procedures or, if circumstances warrant, reporting the employee’s conduct to the appropriate authorities.

Conclusion

Although the statutory and case precedent on this issue continues to evolve, a clear principle has emerged: employers may not ignore employee conduct that may involve child abuse or child pornography.

Matthew L. Mitchell is a partner at Holland & Knight LLP.  Mr. Mitchell represents businesses and educational institutions on a broad range of employment, student, and compliance related matters.


2 Comments on “What to do When Your Client Discovers Child Pornography on Workplace Computers”

  1. RD says:

    Thank you for your article. I am surprised there are not any comments here.

    I am on the west coast. It may do well to mention, I have discovered in my communications with various law enforcement agencies (fed, sheriffs, local police in different areas) that, in the event of a report of CP, LE generally considers it within their jurisdiction to make a determination to confiscate any or all electronic recording (computers, storage media, etc) equipment for auditing at their discretion.

    In the case of an IT security agent/agency, this includes the IT agent’s / agency’s equipment as well.

    Since this is discretionary on the part of the LE agencies that may become involved, it seems anyone’s guess as to how this might play out (the magnitude of audit to be determined, etc).

    If one feels there is a legal issue with regard to scope of jurisdiction, or what is happening at the time, it would likely have to be taken up in court later – after stuff is confiscated.

    So for instance, if the IT tech/admin/agency is conducting a repair on a machine that has been taken back to their offices for handling, their equipment also becomes subject to collection for auditing. All leo’s I have spoken with have indicated to me that consideration is given …that any computers that the suspect machine may now be, or have been, in connection/communication with are subject to confiscation for auditing purposes.

    Needless to say, this can have devastating ramifications …how can a company, or IT agency, conduct/maintain their business without their equipment (suddenly and for an unspecified period)? How does one plan for such a risk factor!

  2. RD says:

    Thank you for your article. I am surprised there are not any comments here.

    I am on the west coast. It may do well to mention, I have discovered in my communications with various law enforcement agencies (fed, sheriffs, local police in different areas) that, in the event of a report of CP, LE generally considers it within their jurisdiction to make a determination to confiscate any or all electronic recording (computers, storage media, etc) equipment for auditing at their discretion.

    In the case of an IT security agent/agency, this includes the IT agent\’s / agency\’s equipment as well.

    Since this is discretionary on the part of the LE agencies that may become involved, it seems anyone\’s guess as to how this might play out (the magnitude of audit to be determined, etc).

    If one feels there is a legal issue with regard to scope of jurisdiction, or what is happening at the time, it would likely have to be taken up in court later – after stuff is confiscated.

    So for instance, if the IT tech/admin/agency is conducting a repair on a machine that has been taken back to their offices for handling, their equipment also becomes subject to collection for auditing. All leo\’s I have spoken with have indicated to me that consideration is given …that any computers that the suspect machine may now be, or have been, in connection/communication with are subject to confiscation for auditing purposes.

    Needless to say, this can have devastating ramifications …how can a company, or IT agency, conduct/maintain their business without their equipment (suddenly and for an unspecified period)? How does one plan for such a risk factor!


Comment on this article

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.