|August 17, 2011|
Previously published on August 3, 2011
Misbehaving by sending inappropriate text messages, or by striking up inappropriate internet relationships is not limited just to politicians. A hazard of our ever-present connection to the internet is the flood of information to our computers, not all of which we’ve invited or requested. Malware, mis-directed internet searches, and unauthorized users of computer equipment can put all computer users in the position of receiving, even unintentionally, offensive, obscene, even illegal material. Then there are always those who reach out purposefully to view such materials with intent.
Employers, and IT companies who support business computer systems, are likely to find this sort of information in their possession or custody in the course of working on their own systems, or, if the company is in the IT industry, while working on customers’ computers. Businesses and IT companies may also find this material in a specific search of an employee’s computer based upon a report of misconduct.
Two major questions facing business are (1) when can you legally search an employee’s computer? and (2) what do you do when you find child porn on the employee’s computer?
Neither federal nor Virginia state law prohibits employers from searching an employee’s computer in the non-governmental context. (Employees of the government are protected by the 4th Amendment right against unlawful searches or seizures. A different topic for another day.) In general, best practices require that the employer have employee permission and recognition that the computer is the property of the employer’s and subject to search. (For example, this would be included in the Handbook receipt acknowledgment document.) The extent of the employer’s rights remains somewhat cloudy absent such permission.
When a business does find inappropriate material involving children, the law is very clear that the employer or IT consultant has a duty to report the child pornography to the cyber tip line at the National Center for Missing and Exploited Children.
The federal law that mandates this duty to report specifically requires that “electronic communication service providers” report child pornography. (18 USC § 2258A. Reporting requirements of electronic communication service providers and remote computing service providers.) An “electronic communications service” means “any service which provides to users the ability to send or receive wire or electronic communications.” The term “electronic communication,” for purposes of the reporting requirement, means “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”
All of which is to say that both the business/employer that provides the computer or phone system over which the data is communicated, as well as the IT company that helps the employer maintain those systems, are covered by this law.
A business or IT service company ignores child porn at its peril. Failing to report the information to the National Center for Missing and Exploited Children violates the Section 2258A reporting requirements. Deleting the material might make the company an accessory to the underlying crime of possessing the information in the first place. Making copies of the material and then transmitting the copies, except at the direction of law enforcement officials or as required by section 2258A, also runs afoul of the laws proscribing possession of child pornography. A first violation of Section 2258A carries a penalty of up to a $150,000 fine. A second violation can be penalized by up to $300,000.
What if an IT company’s client insisted on a confidentiality agreement to prevent the IT company from sharing information it finds on the client’s hard drives? Does that agreement trump the disclosure obligation in Section 2258A? Nothing in the statute itself creates such an exemption. Generally, private parties cannot contract to consent to criminal activity, especially criminal activity that affects third parties who are not parties to the agreement.
Section 2258A also requires electronic communications service providers to preserve the report they make to the National Center for Missing and Exploited Children, and to preserve and safely store the images they find that triggered the NCMEC report in the first place. They may not share the fact of the report with others except for law enforcement purposes. If the pornography the provider reports is commingled with other images, even inoffensive images, the provider must preserve those images as well.
The boundaries describing private individuals’ and companies’ obligations to monitor and report possible criminal behavior in the electronic era continue to expand. Legislation currently pending in Congress would require internet service providers to log users’ IP addresses for 18 months so as to better identify which internet users connected to what internet sites and when. That tool would aid law enforcement in proving a particular user accessed particular pornography. Some privacy advocates have objected to the log requirement. Some companies are concerned that they are being enlisted into increasingly broad law enforcement roles.
Protecting children from sexual exploitation remains a top law enforcement priority. That effort will likely only grow with the broad proliferation of internet connected electronic devices. The law can be expected to change to try and keep pace with the technology’s capacity. An IT service provider who encounters child pornography should first act to secure and preserve the data, and second very quickly get competent advice regarding to whom it may, to whom it must, and to whom it must not, make an appropriate report.
What do you think about this obligation as a business? Will you find it difficult to comply?