Possession of child pornography often involves a computer and is a serious crime. But what happens when that crime takes place on an employer's network or company computer?
The thirteenth-century Spanish King Alfonso X said, "Had I been present at the creation, I would have given some useful hints for better ordering of the universe." Based on prior experience counseling employers and insight from Detective Thomas Kish of the Michigan State Police Department's Computer Crime Unit - but with a little more modesty than the King - the following points are offered to employers for responding to computer misconduct, including criminal misconduct, in the workplace.
1. Investigate and Confirm the Facts Before Reporting Suspected Child Pornography.
Before reporting suspected child pornography, it is absolutely critical employers make certain the material is actually child pornography. From law enforcement's perspective, it is important to minimize expending resources on investigating material that - while offending or in poor taste - does not rise to the level of criminal possession of child pornography.
Further, the stigma of possessing child pornography certain to follow the accused and the potential negative publicity to an employer are also equally compelling reasons to be certain that the offending material rises to the statutory definition of child pornography.
Knowing, however, what is or is not "child pornography" may not always be straightforward. For example, it is generally more than an image of a nude child. Instead, under Title 18 United State Code (USC) § 2252, "child pornography" refers to the knowing possession of:
books, magazines, periodicals, films, video tapes, or other matter which contain any visual depiction that has been mailed, or has been shipped or transported in interstate or foreign commerce, or which was produced using materials which have been mailed or so shipped or transported, by any means including by computer, if—
(i) the producing of such visual depiction involves the use of a minor engaging in sexually explicit conduct; and
(ii) such visual depiction is of such conduct ...
Because any statutory definition may contain hidden nuances or must be applied to factual circumstances that are not always clear-cut, it is important to consult with a competent attorney in assessing your obligations under this statute.
2. IT Must be Included in an Employer's Response Team.
A critical component of an employer's response team will be IT professionals. IT - along with anyone investigating the matter - must understand that confidentiality is a must because of the sensitive subject matter of the investigation.
Among the tasks IT should address are identifying user log in dates, preserving server logs, and preserving any Internet cache (A cache is a storage mechanism designed to speed up the loading of Internet displays. When a user views a Web page, the Web browser stores a copy of the page on the computer's hard drive in a folder or directory) or other images that relate to the suspected child pornography.
Such evidence is especially critical in determining the identity of the suspect where a computer used to facilitate the possession of the offending material may be shared by employees or is otherwise unsecured.
Additionally, IT will also want to focus on making sure nothing is done to damage, taint or destroy potential evidence.
3. Do Not Forward, Delete or Try to Erase the Offending Material.
Certainly a common response to discovering child pornography in any setting is disgust. But don't let this response motivate your company and its employees to destroy the offending material. Destroying child pornography could lead to criminal charges for having reviewed or possessed child porn, or for obstruction of justice. Additionally, criminal liability could result with each forward, view, or distribution. It is, therefore, important to isolate the suspected child pornography and refrain from intentionally making any copies or inadvertently making copies by forwarding the material.
4. Limiting Business Interruption
A point that employers often overlook is that once child pornography is discovered and reported to law enforcement, the storage medium - whether it is the hard drive of a company PC, laptop, portable storage, etc. - will be seized by law enforcement. Such storage medium will also be eventually purged of illegal content as well as any business related content.
For this reason, it is important to work with your IT professionals to determine what business-critical information may reside on the storage medium subject to confiscation and that this loss will be a moot issue because the information is backed-up. Alternatively, your attorney may need to work with law enforcement to try and "carve-out" preservation of the business related information that would be permanently lost if it is purged.
5. Report Actual Child Pornography to Law Enforcement - No Exceptions.
There may be reluctance to report the discovery of child pornography due to any number of reasons, such as potential embarrassment or because it belonged to a key employee or executive. In addition to the potential criminal liability discussed above, a recent decision from the Sixth Circuit Court of Appeals (the federal circuit that Michigan is in) offers a cautionary illustration why employers must resist this temptation.
In Doe v. Boland (2011) an attorney was acting as defense expert witness in a child pornography prosecution. As part of the defense, the expert morphed, i.e. digitally altered, non-child pornography images into images seemingly depicting actual child photography. The attorney/expert - after having his home searched and computers seized by the FBI - was eventually charged with possession of child pornography. As part of a pretrial diversion agreement with the US attorneys office, the attorney/expert admitted criminal wrongdoing for possession of child pornography. The take-away from this case is that there is no exception - even in a judicial setting - making the possession of child pornography acceptable.
In addition to the criminal prosecution, the Court held that the defendant in Boland could be civilly liable to the minor children whose images were altered. Other courts have also concluded that a company could be liable for damages suffered by innocent third parties where the company failed to investigate reports that an employee was viewing child pornography online at work. See Doe v. XYC Corp. (New Jersey 2005).
An employer's Computer/Internet Use Policy should also specifically explain to employees their obligations when it comes to reporting suspected child pornography or other inappropriate computer/Internet usage and that failing to do so is subject to discipline.
6. Do not overlook offensive content that does not meet the definition of child pornography.
Additionally, it is important for employers to proactively respond to offending material that does not meet the statutory definition of child pornography. This is because employers still run the risks of not properly responding or failing to take appropriate steps when it comes to such material found in the workplace. For example, in a 2009 case out of the Sixth Circuit (Gallagher v. C.H. Robinson Worldwide, Inc.) the decision to dismiss a sexual harassment claim by the trial court was reversed (The court noted that Plaintiff testified that co-workers used Internet to view sexually explicit pictures on their computers, along with other conduct compared to a “guy’s locker room.”). See also a 2007 case (Avery v Idleaire Technologies Corp.) out of Tennessee, where the Court allowed a plaintiff’s hostile work environment claim case to go to a jury because a jury “could find it to be objectively offensive for an employer to permit employees to use a company computer terminal on company time to actively seek pornographic material ... to be left for the plaintiff and other employees to see.”
7. Closing Recommendation
For any employer responding to the discovery of pornography, especially child pornography, in the workplace, the preceding points should be discussed with competent legal counsel. Beyond my pitch for job security, legal counsel will be critical for evaluating and explaining the company's legal obligations, meeting those obligations, and implementing a workable strategy to minimize the interruption to the business operations.
Again, a special thanks to Detective Thomas Kish of the Michigan State Police Department's Computer Crime Unit for his insight. The public and employers are certainly better off having dedicated, experienced individuals like Detective Kish and his colleagues who are willing to share their experience in order to protect children from being exploited.