Monthly Bulletin

Employer Liability for Cyberthreats Limited Based on Good Policy

In a recent case (favorable to employers), a California court concluded that an employer could not be held liable for threats made by an employee using the employer’s computer system.  The case was brought by, Michelangelo Delfino, after he began receiving threatening emails as well as threatening and slanderous messages related to him posted on various Internet bulletin boards.  Delfino contacted the Federal Bureau of Investigation and learned that an employee of Agilent Technologies, Cameron Moore, admitted to using the pseudonym “crack_smoking_jesus” which was the screen name used in posting the remarks on the Internet.

Upon receiving this information, Delfino and his attorney sued Agilent alleging negligence by the employer, for failing to prevent its employee from posting these threatening and slanderous emails, some of which were sent during working hours.  (Delfino also sued Moore individually, and was awarded $587,323 in a separate trial). 

Agilent defended on the basis that it was not liable for Moore’s cyberthreats based on the Federal Communications Decency Acts of 1996 (CDA).  The court concurred that the CDA did,in fact, protect an employer who simply provided computer access and a computer network to its employees, and was not involved in the third party transmission of prohibited content.  The court also found that Agilent had appropriate Internet policies in place, and took reasonable action by placing Moore on administrative leave immediately and lterminating him a few days later, once it learned of Moore’s misconduct related to the company’s computer system.

Significance
This case is favorable to employers – provided they have appropriate electronic equipment and use policies and act on these policies promptly.  The court noted that while employers may be liable for an employee’s wrongdoing committed “within the scope of employment”, employers are not liable “if the employee substantially deviates from the employment duties for personal purposes.”  The court also ruled, “In applying these principles, we find that Moore’s conduct in sending threatening emails and postings through the Internet were plainly outside the scope of his employment with Agilent.  The fact that Moore may have been present at the workplace and may have been performing regular employment functions before or after transmitting one or more of the threatening messages do not transform his personal conduct into actions for which Agilent may be held vicariously liable.”

In short, if an employer has an appropriate policy limiting use of the employer's computers and systems for business purposes, it has a basis, like Agilent did, for terminating an individual who violated those policies.  In the absence of such a policy, it would have been more difficult for Agilent to terminate Moore and separate itself from his personal conduct.  While this may seem a fine point to some, it is critical to maintain appropriate policies so that an employer has the ability to distinguish business conduct from personal conduct which, in the case of computer activity, can almost never be monitored adequately at the workplace.

If your organization has not looked at its Internet and electronic communications policies in the past twenty-four months, we highly recommend you do so in order to protect your organization in 2007 and beyond.  Clients using sharedHR are advised to include the comprehensive Electronic communications/media policy in their handbooks.