Child Pornography On Workplace Computers

Possessing child pornography is such a potentially serious crime that institutions take pains to keep it off their premises. e-Commerce firms, whether they have significant physical premises or not, are no different.

In businesses, IT personnel usually discover child pornography. Sometimes, a system search for responsive material can uncover child pornography stored on corporate servers or a person's hard drive.

What can/must/should be done?

The Law

Federal law (18 U.S.C. '1466A) makes the knowing production, distribution, receipt or possession with intent to distribute “a visual depiction of any kind, including a drawing, cartoon, sculpture or painting of child pornography” a felony.

No evil intent or bad motive need be shown for conviction; mere knowledge is sufficient. First-time possession offenders face up to 10 years in prison; repeat violators face a mandatory minimum 10-year sentence.

Once company officers know child pornography is on their servers, action is paramount, because it is a felony to “knowingly possess ' any ' material that contains an image of child pornography.” 18 U.S.C.A. '22552A(a)(5)(B). The corporation can't destroy the images ' that could (except for circumstances discussed below) constitute knowing destruction of contraband, which is a different, independent federal crime under 18 U.S.C. '4. Further, such destruction could violate Sarbanes-Oxley's anti-shredding laws. (See, e.g., United States v. Russell, 639 F. Supp.2d 226 (D. Conn.).)

Additional Corporate Liabilities

Beyond potential for criminal liability, another employee who sees the material the company knows is there could file a sexual-harassment action. (See, Patane v. Clark, 508 F.3d 106 (2d Cir. 2007).) And the corporation could face civil liability under 18 U.S.C. '2252A(f), which provides a civil remedy to victims of the child pornography who show by a preponderance of the evidence that the defendant committed the acts described in any of the listed offenses (including possession). (See, Smith v. Husband, 376 F. Supp. 2d 603, 613 (E.D. Va. 2005).) Finally, the corporation could face civil liability under a state's sexual harassment laws and common-law tort laws if a child is victimized by the continued possession after the corporation knew the child pornography was on its computers, but did nothing. (See, Doe v. XYC Corp., 382 N.J. Super. 122, 887 A.2d 1156 (App. Div. 2005).)

Companies can't keep the material, but can they destroy it?

What the Corporation Can Do

Under very limited circumstances, an affirmative possession defense for someone who discovers child pornography and destroys it is possible, but only if destruction is:

• Quick;
• In good faith;
• Doesn't allow anyone (except law enforcement) to access or copy the material; and then
• Only if there are fewer than three images. ( See, '18 U.S.C. 2252A(d) and United States v. Hilton, No. 97-70-P-C, 2000 WL 894679, at 6 (D. Me. 2000).)

But an affirmative defense is available only at trial, and continues a conviction risk.

So, if possession of child pornography is suspected, a company cannot sit idle, but also, effectively, cannot destroy the images. What can it do? The best answer is to report it to law enforcement. Usually, prudence dictates a company investigate a discovered crime internally before reporting to law enforcement, but the usual does may not apply to child pornography.

If, when investigating whether an employee possessed child pornography, the employee again views child pornography (or distributes or creates more) on the company's computer, the company potentially:

• Was on notice but did nothing to stop a child from being harmed;
• Knowingly possessed the existing child pornography; and
• Knowingly possessed (and even created or distributed) the new child pornography.

So, don't risk investigating before reporting.

And in some states, IT employees themselves are required to bypass management and report suspicions of child pornography directly to law enforcement, or face possible fines or incarceration.

Working with the Authorities

Once law enforcement is alerted, corporations should work with authorities to investigate their network and systems, and institute proper discipline, including immediate termination. (See, e.g., Muick v. Glenayre Elecs., 280 F.3d 741, 742-43 (7th Cir. 2002) and Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996).)

Unless corporate policies contravene, after notifying law enforcement and with its approval, a corporation's search for additional violative material is virtually unfettered by employee privacy concerns. (See, United States v. Angevine, 281 F.3d 1130, 1135 (10th Cir. 2002) and United States v. Simons, 206 F.3d 392 (4th Cir. 2000).)

So what steps should a corporation take?

First, avoid the situation if possible:

• Hire experts to install software to ensure access to pornography sites is blocked on company networks and computers.

Second, create clear usage policies:

• State that under no circumstances may corporate property be used to view, possess, maintain, create or distribute inappropriate material, including, but not limited to, child pornography.
• State that the corporation has unfettered access to all corporate-owned computer systems and content, and monitors regularly.
• Give notice that any suspected use of company property for inappropriate purpose may immediately be reported to law enforcement.
• Give notice of company's unlimited right to discipline employees to the full extent of the law, including immediate termination, for suspected inappropriate and/or unlawful use of company property.

Third, monitor company property:

• Monitor employee technology use with a random monitoring program that not even savvy users can anticipate.

Fourth, create and disseminate clear reporting procedures:

• These should state that any suspicion of workplace child pornography must be reported immediately to management, and will be reported to federal and/or state law enforcement. Procedures should account for circumstances where the individual to whom such reports ordinarily are made is the alleged perpetrator.
• Advise IT employees ' often the first responders ' to avoid actions that could bring obstruction charges, tainting evidence, “leaking” facts to other employees or other acts that might increase risk to the individual or corporation.

Fifth, respond immediately to suspected child pornography:

• Notify law enforcement.
• If policies and law enforcement allow, hire forensic consultants to search network, servers, backup tapes, and home-office hard drives the company owns for additional illegal material.
• Institute disciplinary measures against the alleged offending employee.

Conclusion

Lawyers must stay ahead of the curve in addressing technology-related problems ' e-commerce counsel included.

Possessing child pornography is such a potentially serious crime that institutions take pains to keep it off their premises. e-Commerce firms, whether they have significant physical premises or not, are no different.

In businesses, IT personnel usually discover child pornography. Sometimes, a system search for responsive material can uncover child pornography stored on corporate servers or a person's hard drive.

What can/must/should be done?

The Law

Federal law (18 U.S.C. '1466A) makes the knowing production, distribution, receipt or possession with intent to distribute “a visual depiction of any kind, including a drawing, cartoon, sculpture or painting of child pornography” a felony.

No evil intent or bad motive need be shown for conviction; mere knowledge is sufficient. First-time possession offenders face up to 10 years in prison; repeat violators face a mandatory minimum 10-year sentence.

Once company officers know child pornography is on their servers, action is paramount, because it is a felony to “knowingly possess ' any ' material that contains an image of child pornography.” 18 U.S.C.A. '22552A(a)(5)(B). The corporation can't destroy the images ' that could (except for circumstances discussed below) constitute knowing destruction of contraband, which is a different, independent federal crime under 18 U.S.C. '4. Further, such destruction could violate Sarbanes-Oxley's anti-shredding laws. ( See , e.g. , United States v. Russell , 639 F. Supp.2d 226 (D. Conn.).)

Additional Corporate Liabilities

Beyond potential for criminal liability, another employee who sees the material the company knows is there could file a sexual-harassment action. ( See , Patane v. Clark , 508 F.3d 106 (2d Cir. 2007).) And the corporation could face civil liability under 18 U.S.C. '2252A(f), which provides a civil remedy to victims of the child pornography who show by a preponderance of the evidence that the defendant committed the acts described in any of the listed offenses (including possession). ( See , Smith v. Husband , 376 F. Supp. 2d 603, 613 (E.D. Va. 2005).) Finally, the corporation could face civil liability under a state's sexual harassment laws and common-law tort laws if a child is victimized by the continued possession after the corporation knew the child pornography was on its computers, but did nothing. ( See , Doe v. XYC Corp. , 382 N.J. Super. 122, 887 A.2d 1156 (App. Div. 2005).)

Companies can't keep the material, but can they destroy it?

What the Corporation Can Do

Under very limited circumstances, an affirmative possession defense for someone who discovers child pornography and destroys it is possible, but only if destruction is:

• Quick;
• In good faith;
• Doesn't allow anyone (except law enforcement) to access or copy the material; and then
• Only if there are fewer than three images. ( See, '18 U.S.C. 2252A(d) and United States v. Hilton, No. 97-70-P-C, 2000 WL 894679, at 6 (D. Me. 2000).)

But an affirmative defense is available only at trial, and continues a conviction risk.

So, if possession of child pornography is suspected, a company cannot sit idle, but also, effectively, cannot destroy the images. What can it do? The best answer is to report it to law enforcement. Usually, prudence dictates a company investigate a discovered crime internally before reporting to law enforcement, but the usual does may not apply to child pornography.

If, when investigating whether an employee possessed child pornography, the employee again views child pornography (or distributes or creates more) on the company's computer, the company potentially:

• Was on notice but did nothing to stop a child from being harmed;
• Knowingly possessed the existing child pornography; and
• Knowingly possessed (and even created or distributed) the new child pornography.

So, don't risk investigating before reporting.

And in some states, IT employees themselves are required to bypass management and report suspicions of child pornography directly to law enforcement, or face possible fines or incarceration.

Working with the Authorities

Once law enforcement is alerted, corporations should work with authorities to investigate their network and systems, and institute proper discipline, including immediate termination. ( See , e.g. , Muick v. Glenayre Elecs. , 280 F.3d 741, 742-43 (7th Cir. 2002) and Smyth v. Pillsbury Co. , 914 F. Supp. 97 (E.D. Pa. 1996).)

Unless corporate policies contravene, after notifying law enforcement and with its approval, a corporation's search for additional violative material is virtually unfettered by employee privacy concerns. ( See , United States v. Angevine , 281 F.3d 1130, 1135 (10th Cir. 2002) and United States v. Simons , 206 F.3d 392 (4th Cir. 2000).)

So what steps should a corporation take?

First, avoid the situation if possible:

• Hire experts to install software to ensure access to pornography sites is blocked on company networks and computers.

Second, create clear usage policies:

• State that under no circumstances may corporate property be used to view, possess, maintain, create or distribute inappropriate material, including, but not limited to, child pornography.
• State that the corporation has unfettered access to all corporate-owned computer systems and content, and monitors regularly.
• Give notice that any suspected use of company property for inappropriate purpose may immediately be reported to law enforcement.
• Give notice of company's unlimited right to discipline employees to the full extent of the law, including immediate termination, for suspected inappropriate and/or unlawful use of company property.

Third, monitor company property:

• Monitor employee technology use with a random monitoring program that not even savvy users can anticipate.

Fourth, create and disseminate clear reporting procedures:

• These should state that any suspicion of workplace child pornography must be reported immediately to management, and will be reported to federal and/or state law enforcement. Procedures should account for circumstances where the individual to whom such reports ordinarily are made is the alleged perpetrator.
• Advise IT employees ' often the first responders ' to avoid actions that could bring obstruction charges, tainting evidence, “leaking” facts to other employees or other acts that might increase risk to the individual or corporation.

Fifth, respond immediately to suspected child pornography:

• Notify law enforcement.
• If policies and law enforcement allow, hire forensic consultants to search network, servers, backup tapes, and home-office hard drives the company owns for additional illegal material.
• Institute disciplinary measures against the alleged offending employee.

Conclusion

Lawyers must stay ahead of the curve in addressing technology-related problems ' e-commerce counsel included.