Defeating Liability For Employees' Off-Duty Internet Activity

Posted on November 30, 2009 by Privacy and Data Protection Practice Group

Sometimes cases with disgusting facts provide good law for employers. A case recently decided by the Wisconsin Court of Appeals proved that point in reversing a $1.4 million judgment on claims for negligent training and supervision against a security company based on the off-duty Internet activities of one of its employees.

As security manager at a Polaris Industries facility, Troy Schmidt an employee of Polaris’ security provider, was responsible for creating identification badges of Polaris employees using photographs stored on a Polaris database. Schmidt copied the photographs of approximately thirty, female Polaris employees to a flash drive, printed them at home, ejaculated on them, and posted the adulterated photographs on an adult website that he created through Yahoo!.

Polaris promptly took control of the efforts to reverse the harmful effects of Schmidt’s bizarre conduct. Polaris took the following steps:

  • Investigated and determined that Schmidt was the likely perpetrator;
  • Contacted Yahoo! to request the removal of the photographs;
  • Met with Schmidt and obtained his admission to the conduct;
  • Obtained Schmidt’s agreement to de-activate the website;
  • Obtained confirmation from Yahoo! that Schmidt had de-activated the website;
  • Met with police personnel (who declined to prosecute).

After learning of the matter from Polaris, Schmidt’s employer, the security company, offered to provide assistance, participated in the interview of Schmidt, and fired him shortly after hearing his admission. Notably, the ten plaintiffs sued only the security company and not Polaris.

In reversing the large judgment against the security company, the Wisconsin Court of Appeals pronounced a rule that should provide a measure of relief for all employers: “[E]mployers have no duty to supervise employees' private conduct or to persistently scan the world wide web to ferret out potential employee misconduct.”

Beyond that pronouncement, the court emphasized several other factors. Schmidt’s conduct was “bizarre and unexpected,” indeed “unimaginable.” The security company had trained Schmidt in sexual harassment, employee theft, and his duty to comply with Polaris’ computer usage policy. The security company had no reason to know that Schmidt might engage in Internet abuse. The security company cooperated in Polaris’ response to the incident to the extent permitted by Polaris.

The court’s rejection of a duty to monitor employees’ off-duty Internet activities appears to provide employers with an unbeatable defense in cases like this one. Still, the result might have been different had Schmidt’s employer not provided training, or if Polaris and the security company had not acted promptly once the offending conduct became known. Consequently, when there is a tight nexus between an employee’s job duties and an employee’s off-duty Internet abuse, employers should consider taking some of the proactive measures that Polaris and the security company took. Such measures might not only help to defeat liability but prevent the filing of a lawsuit in the first place.

This entry was written by Philip L. Gordon.

Photo Credit: Matthew Bowden
Tags: , , , , ,
  • Print
  • Trackbacks
  • Share Link

N.J. Supreme Court Seals the Door to Internet Service Providers' Voluntary Disclosure of Information About "Cybersmearing" Employees

Posted on April 22, 2008 by Philip Gordon

Even though people surfing the Internet often leave a trail of data on the web sites they visit, the New Jersey Supreme Court has found a constitutionally protected privacy interest in their anonymity. Rejecting uniform federal court precedent holding that Internet users do not have a reasonable expectation of privacy under the U.S. Constitution in subscriber information stored by their Internet Service Provider (ISP), the state Supreme Court held on April 21 that New Jersey’s Constitution does protect this information against unreasonable searches by law enforcement authorities. While focused on criminal enforcement, the decision most likely will make it even more difficult for employers to identify employees and former employees who anonymously use the Internet to damage companies.

The case arises out of a run-of-the-mill employee vendetta. After defendant Shirley Reid had an argument with the owner of Jersey Diesel, where she was employed, Reid allegedly tried to sabotage the company’s operations. Using her home computer and the unique user ID and password that she had established as part of her job, Reid accessed the web sites of Jersey Diesel’s suppliers and changed the company’s shipping address to a non-existent address. One of Jersey Diesel’s suppliers reported the change to Jersey Diesel and gave the company’s owner the Internet Protocol (IP) address assigned to the computer used to access the supplier’s web site. Jersey Diesel, apparently using an IP Address Locator web site (which is similar to a reverse telephone directory), determined that the IP address was registered to Comcast. Comcast, however, refused to disclose the identity of the subscriber to Jersey Diesel’s owner. The owner then reported the activity to local police. In response to a municipal subpoena served by the local police, Comcast disclosed that Reid was the subscriber associated with the IP address. The local prosecutor indicted Reid on charges of criminal theft.
 

The New Jersey Supreme Court ruled that Reid had a reasonable expectation of privacy in the subscriber information that Comcast turned over to the local police. The Court reasoned that Internet use is integral to daily life and reveals substantial information about an individual’s private life, making ISP subscriber information similar to telephone billing records and bank records. Because New Jersey’s Constitution recognizes a reasonable expectation of privacy in both of those categories of records, ISP subscriber information also should be constitutionally protected. Given this constitutional protection, ISP subscriber information may be produced to law enforcement only in response to a grand jury subpoena. The Court, therefore, affirmed the suppression of Reid’s ISP subscriber information because Comcast had produced it in response to a municipal subpoena.

Jersey Diesel’s situation has become all too common for employers. Employees and former employees, hiding behind the anonymity offered by the Internet, are damaging their employers by posting defamatory or confidential information on the Internet or by engaging in more injurious conduct, such as that alleged against Reid. Like Jersey Diesel, employers typically receive a frosty reception when trying to obtain subscriber information from ISPs. After the Reid decision, ISPs almost surely will refuse to voluntarily disclose any information about New Jersey subscribers out of fear of being sued for invasion of privacy. Although the New Jersey Supreme Court’s decision applies only in New Jersey, employers can expect the decision to have a broader impact.

Notably, the New Jersey Supreme Court expressly refused to address the standard for issuing a civil subpoena that requires an ISP to disclose subscriber information. However, both New Jersey’s intermediate appellate court and California’s Court of Appeal have ruled that an employer has to satisfy a heightened burden before such a subpoena can be issued. The Reid decision most likely will be used in other jurisdictions to lend further support for this heightened standard.
 
Tags: , , , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link