Child Pornography on Workplace Computers

Federal law (18 U.S.C. ' 1466A) criminalizes the knowing production, distribution, receipt or possession with intent to distribute “a visual depiction of any kind, including a drawing, cartoon, sculpture or painting of child pornography ' ” No evil intent or bad motive need be shown to obtain a conviction. Mere knowledge is sufficient. First-time offenders for possession face up to 10 years in prison, and repeat violators face a mandatory minimum sentence of 10 years.

Once a company knows that child pornography is on its servers, it must take action, because it is a federal crime to “knowingly possess ' any ' material that contains an image of child pornography,” 18 U.S.C.A. ' 22552A(a)(5)(B). As a practical matter, the corporation can't destroy the images because that could (except for limited circumstances discussed below) arguably constitute knowing destruction of contraband, a different, independent federal crime under 18 U.S.C. ' 4 (“Whoever, having knowledge of the actual commission of a felony ' conceals and does not as soon as possible make known the same to some ' authority under the United States, [shall be guilty of a felony]“). Further, any such destruction could violate Sarbanes-Oxley's anti-shredding laws. See, e.g., United States v. Russell, 639 F. Supp.2d 226 (D. Conn.).

Additional Corporate Liabilities

Beyond the potential for criminal liability, if the corporation knows it has child pornography on its system and another employee sees the material, the corporation could face civil liability for sexual harassment. See Patane v. Clark, 508 F.3d 106 (2d Cir. 2007) (employee stated sexual harassment claim against corporation for being forced to handle supervisor's pornography). And the corporation could face civil liability under 18 U.S.C. ' 2252A(f), which provides a civil remedy to victims of the child pornography able to show by a preponderance of the evidence that the defendant committed the acts described in any of the listed offenses (including possession). See Smith v. Husband, 376 F. Supp. 2d 603, 613 (E.D. Va. 2005). Finally, the corporation could face civil liability under a state's sexual harassment laws and common-law tort laws if a child is victimized by the continued possession after the corporation knew of the existence of child pornography on its computers, but did nothing. Doe v. XYC Corp., 382 N.J. Super. 122, 887 A.2d 1156 (App. Div. 2005).

Thus, knowingly leaving child pornography on a corporation's system is not a viable option. However, can a corporation destroy the offending images?

What the Corporation Can Do

Under very limited circumstances, there is an affirmative defense to possession for the person who discovers child pornography and destroys it, but only if the destruction is done quickly, in good faith, without allowing anyone (except law enforcement) to access or copy the material, and then, only if there are fewer than three images. See ' 18 U.S.C. 2252A(d); United States v. Hilton, No. 97-70-P-C, 2000 WL 894679, at *6 (D. Me. 2000). But an affirmative defense is available only at trial, and continues to leave open a risk of conviction.

So, if a corporation that suspects possession of child pornography cannot sit idle but also effectively cannot destroy the images, what can it do? The best answer is to report it to law enforcement. Usually, when a company finds evidence of a crime, the prudent course is to investigate it internally before reporting to law enforcement. However, what a corporation usually does may not apply to child pornography.

If, while an investigation is underway concerning whether an employee possessed child pornography, the employee again views child pornography (or distributes it, or creates more of it) on the company's computer, the company potentially: 1) was on notice at the time of the act but did nothing to stop a child from being harmed; 2) knowingly possessed the existing child pornography; and 3) knowingly possessed (and even created or distributed) the new child pornography. Therefore, the risks of investigating before reporting are great.

Furthermore, in some states, IT employees themselves are required to bypass management and report suspicions of child pornography directly to law enforcement. If IT employees do not do so, they face possible fines or incarceration. See Joanne Deschenaux, Experts: Employers Must Have Policies in Place Regarding Child Pornography, 9/30/2009 (citing National Conference of State Legislatures).

Working with the Authorities

Once law enforcement is alerted, prudence dictates that corporations should work in conjunction with the efforts of authorities to further investigate their network and systems and institute proper discipline for the involved employee(s), up to and including immediate termination. See, e.g., Muick v. Glenayre Elecs., 280 F.3d 741, 742-43 (7th Cir. 2002) (suggesting that no corporate punishment, including termination, is too harsh for the child pornography possessor); Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996) (no violation of public policy for terminating employee for transmitting unprofessional e-mails over a corporate network).

Unless corporate policies are directly contrary, after notifying law enforcement and with its approval, a corporation's search for additional violative material is virtually unfettered by privacy concerns of affected employees. See, e.g., United States v. Angevine, 281 F.3d 1130, 1135 (10th Cir. 2002) (no reasonable expectation of privacy in relation to the computer employee used at work); United States v. Simons, 206 F.3d 392 (4th Cir. 2000) (remote, warrantless searches of office computer by public employer did not violate employee's Fourth Amendment rights).

So what are the steps a corporation should take?

First: Avoid the situation if possible:

• Hire experts to install software programs to insure that access to all pornography sites are blocked on company networks and company computers.

Second: Create clear usage policies:

• State that under no circumstances may corporate property be used to view, possess, maintain, create or distribute inappropriate material of any kind, including, but not limited to, child pornography.
• State that the corporation has unfettered access to all corporate-owned computer systems and their content and monitors them regularly.
• Give notice that any suspected use of company property for an inappropriate purpose may immediately be reported to law enforcement.
• Give notice of company's unlimited right to discipline employees to the full extent of the law, up to and including immediate termination for suspected inappropriate and/or unlawful use of company property.

Third: Monitor company property:

• Monitor employee technology use with random monitoring program that cannot be anticipated by savvy users.

Fourth: Create and disseminate clear reporting procedures:

• Reporting procedures for all employees should state that any suspicion of child pornography in the workplace must be reported immediately to management and then will be reported to federal and/or state law enforcement. Procedures should account for circumstances where the individual to whom such a report ordinarily would have been made is the alleged perpetrator.
• Advise IT employees ' often the first responders ' to avoid actions that could result in obstruction charges, tainting evidence, “leaking” facts to other employees or other acts that might increase risk to the individual or corporation.

Fifth: Respond immediately to any indication of child pornography:

• Notify law enforcement (state and/or federal).
• If corporate policies and law enforcement allow it, hire forensic consultants to search the entire network, servers, backup tapes, and home office hard drives owned by the company, etc. for additional illegal material.
• Institute disciplinary measures against the alleged wrongdoing employee.

Conclusion

In short, the brave new electronic world brings with it new problems. As lawyers, we must strive to be ahead of the curve in addressing them. This summer, NYU did not need to address these issues because it avoided any possession of arguably illicit material. Your client or company may not have that option.

Possessing child pornography is potentially such a serious crime that institutions take pains to keep it off their premises. New York University, for example, decided last summer not to accept the archives of artist Larry Rivers after it became public that the collection included films and videos of Rivers' two adolescent daughters, naked or topless, being interviewed by their father about their developing breasts. Without deciding whether the films were in fact pornographic, the university played it safe.

So what are the implications of having child pornography on the premises? In businesses, child pornography generally is discovered by IT personnel. Or, if a corporation undergoes an unrelated internal investigation in which all computers, hard drives, e-mail servers, etc. are frozen and searched for responsive material, such a search can to lead to the discovery of child pornography stored on the corporation's server or on an individual's hard drive. What can/must/should be done as a result?

The Law

Federal law (18 U.S.C. ' 1466A) criminalizes the knowing production, distribution, receipt or possession with intent to distribute “a visual depiction of any kind, including a drawing, cartoon, sculpture or painting of child pornography ' ” No evil intent or bad motive need be shown to obtain a conviction. Mere knowledge is sufficient. First-time offenders for possession face up to 10 years in prison, and repeat violators face a mandatory minimum sentence of 10 years.

Once a company knows that child pornography is on its servers, it must take action, because it is a federal crime to “knowingly possess ' any ' material that contains an image of child pornography,” 18 U.S.C.A. ' 22552A(a)(5)(B). As a practical matter, the corporation can't destroy the images because that could (except for limited circumstances discussed below) arguably constitute knowing destruction of contraband, a different, independent federal crime under 18 U.S.C. ' 4 (“Whoever, having knowledge of the actual commission of a felony ' conceals and does not as soon as possible make known the same to some ' authority under the United States, [shall be guilty of a felony]“). Further, any such destruction could violate Sarbanes-Oxley's anti-shredding laws. See, e.g., United States v. Russell , 639 F. Supp.2d 226 (D. Conn.).

Additional Corporate Liabilities

Beyond the potential for criminal liability, if the corporation knows it has child pornography on its system and another employee sees the material, the corporation could face civil liability for sexual harassment. See Patane v. Clark , 508 F.3d 106 (2d Cir. 2007) (employee stated sexual harassment claim against corporation for being forced to handle supervisor's pornography). And the corporation could face civil liability under 18 U.S.C. ' 2252A(f), which provides a civil remedy to victims of the child pornography able to show by a preponderance of the evidence that the defendant committed the acts described in any of the listed offenses (including possession). See Smith v. Husband , 376 F. Supp. 2d 603, 613 (E.D. Va. 2005). Finally, the corporation could face civil liability under a state's sexual harassment laws and common-law tort laws if a child is victimized by the continued possession after the corporation knew of the existence of child pornography on its computers, but did nothing. Doe v. XYC Corp. , 382 N.J. Super. 122, 887 A.2d 1156 (App. Div. 2005).

Thus, knowingly leaving child pornography on a corporation's system is not a viable option. However, can a corporation destroy the offending images?

What the Corporation Can Do

Under very limited circumstances, there is an affirmative defense to possession for the person who discovers child pornography and destroys it, but only if the destruction is done quickly, in good faith, without allowing anyone (except law enforcement) to access or copy the material, and then, only if there are fewer than three images. See ' 18 U.S.C. 2252A(d); United States v. Hilton, No. 97-70-P-C, 2000 WL 894679, at *6 (D. Me. 2000). But an affirmative defense is available only at trial, and continues to leave open a risk of conviction.

So, if a corporation that suspects possession of child pornography cannot sit idle but also effectively cannot destroy the images, what can it do? The best answer is to report it to law enforcement. Usually, when a company finds evidence of a crime, the prudent course is to investigate it internally before reporting to law enforcement. However, what a corporation usually does may not apply to child pornography.

If, while an investigation is underway concerning whether an employee possessed child pornography, the employee again views child pornography (or distributes it, or creates more of it) on the company's computer, the company potentially: 1) was on notice at the time of the act but did nothing to stop a child from being harmed; 2) knowingly possessed the existing child pornography; and 3) knowingly possessed (and even created or distributed) the new child pornography. Therefore, the risks of investigating before reporting are great.

Furthermore, in some states, IT employees themselves are required to bypass management and report suspicions of child pornography directly to law enforcement. If IT employees do not do so, they face possible fines or incarceration. See Joanne Deschenaux, Experts: Employers Must Have Policies in Place Regarding Child Pornography, 9/30/2009 (citing National Conference of State Legislatures).

Working with the Authorities

Once law enforcement is alerted, prudence dictates that corporations should work in conjunction with the efforts of authorities to further investigate their network and systems and institute proper discipline for the involved employee(s), up to and including immediate termination. See, e.g., Muick v. Glenayre Elecs. , 280 F.3d 741, 742-43 (7th Cir. 2002) (suggesting that no corporate punishment, including termination, is too harsh for the child pornography possessor); Smyth v. Pillsbury Co. , 914 F. Supp. 97 (E.D. Pa. 1996) (no violation of public policy for terminating employee for transmitting unprofessional e-mails over a corporate network).

Unless corporate policies are directly contrary, after notifying law enforcement and with its approval, a corporation's search for additional violative material is virtually unfettered by privacy concerns of affected employees. See, e.g., United States v. Angevine , 281 F.3d 1130, 1135 (10th Cir. 2002) (no reasonable expectation of privacy in relation to the computer employee used at work); United States v. Simons , 206 F.3d 392 (4th Cir. 2000) (remote, warrantless searches of office computer by public employer did not violate employee's Fourth Amendment rights).

So what are the steps a corporation should take?

First: Avoid the situation if possible:

• Hire experts to install software programs to insure that access to all pornography sites are blocked on company networks and company computers.

Second: Create clear usage policies:

• State that under no circumstances may corporate property be used to view, possess, maintain, create or distribute inappropriate material of any kind, including, but not limited to, child pornography.
• State that the corporation has unfettered access to all corporate-owned computer systems and their content and monitors them regularly.
• Give notice that any suspected use of company property for an inappropriate purpose may immediately be reported to law enforcement.
• Give notice of company's unlimited right to discipline employees to the full extent of the law, up to and including immediate termination for suspected inappropriate and/or unlawful use of company property.

Third: Monitor company property:

• Monitor employee technology use with random monitoring program that cannot be anticipated by savvy users.

Fourth: Create and disseminate clear reporting procedures:

• Reporting procedures for all employees should state that any suspicion of child pornography in the workplace must be reported immediately to management and then will be reported to federal and/or state law enforcement. Procedures should account for circumstances where the individual to whom such a report ordinarily would have been made is the alleged perpetrator.
• Advise IT employees ' often the first responders ' to avoid actions that could result in obstruction charges, tainting evidence, “leaking” facts to other employees or other acts that might increase risk to the individual or corporation.

Fifth: Respond immediately to any indication of child pornography:

• Notify law enforcement (state and/or federal).
• If corporate policies and law enforcement allow it, hire forensic consultants to search the entire network, servers, backup tapes, and home office hard drives owned by the company, etc. for additional illegal material.
• Institute disciplinary measures against the alleged wrongdoing employee.

Conclusion

In short, the brave new electronic world brings with it new problems. As lawyers, we must strive to be ahead of the curve in addressing them. This summer, NYU did not need to address these issues because it avoided any possession of arguably illicit material. Your client or company may not have that option.