Posted On: November 19, 2009 by David Johnson

How Far Must an Employer Go in Preventing Employee Internet Misconduct?

Employers often wonder how far they have to go in preventing employees from committing crimes or torts on the Internet. In a recent decision, the Wisconsin Court of Appeals found that an employer is only required to prevent on-the-job misconduct that is foreseeable. But "employers have no duty to supervise employees' private conduct or to persistently scan the world wide web to ferret out potential employee misconduct." Maypark v. Securitas Security Services USA, Inc., 2009 WI APP 145 (Sept. 1, 2009).

The Maypark case centered around a security guard named Schmidt who worked for Securitas, a security company. Schmidt was stationed at Polaris Industries, a Securitas client in Osceola, Wisconsin. Schmidt worked at a guard shack at the entrance to Polaris's parking lot, where he assisted in the control of visitor and employee access. Polaris employees wore photo identification badges, which Schmidt was responsible for producing.

Sometime during 2005, Schmidt copied photographs of some 50 female Polaris employees to a flash drive -- apparently from the guard shack computer. He took them home, performed unspeakable acts on them, and then posted pictures of the adulterated photos on adult blogs he created on Yahoo!.

When Polaris was alerted to the photos, its information systems department did a search of the guard shack computer and figured out who the perpetrator was. Polaris informed Securitas, which immediately terminated Schmidt after he admitted posting the images. Polaris then demanded that Schmidt remove the images from Yahoo!, which he did.

Polaris notified the Osceola police, who declined to prosecute Schmidt. Ten plaintiffs then sued Schmidt and Securitas. After a bench trial, the judge found Schmidt liable for defamation and invasion of privacy and Securitas liable for negligent training and supervision. Securitas appealed.

The Wisconsin Court of Appeals reversed based on the "foreseeability" test. To find a defendant liable on a negligence tort, a court must find that the defendant owed the plaintiff a duty of care. A common test to determine if a duty of care exists is whether it was foreseeable that the harm caused to the plaintiff would be caused by the defendant's action. A party cannot be held to be negligent if it was not reasonably foreseeable that harm might result from its act or failure to act. Sigler v. Kobinsky, 2008 WI App 183. "Failure to guard against the bare possibility of injury is not actionable negligence." Grube v. Marks, 56 Wisc.2d 424 (1972) (emphasis added).

Here the Court of Appeals concluded that Securitas had not been negligent. Securitas had taken the correct precautions. It provided Schmidt with training on sexual harassment and employee theft. Polaris had informed Securitas that it could track internet usage by the guards and used a filter that would block inappropriate websites, but Polaris had never reported that it had any concerns about the guards' internet use. The Court also noted that there is "nothing inherently dangerous about permitting employees to access the internet at work." As such, the Court concluded that it simply was not "reasonably foreseeable" that Securitas's letting Schmidt access the guard shack computer would probably result in harm to some person or thing.

The trial court had also observed that Securitas did not monitor Schmidt's access to the Polaris employee photos. But the Court of Appeals stated that "in contrast to social security numbers or other personal information, it was not reasonably foreseeable that unsupervised access to photographs would result in harm." In addition, Schmidt was required as part of his duties to access the photos -- so there would have been nothing to alert Securitas that something was amiss, if it had been "alerted" that he was accessing the photos.

The Court of Appeals also found that public policy concerns precluded finding Securitas liable. According to the Court, "Schmidt's actions were unimaginable" and employers don't have a duty to stop unimaginable (= unforeseeable) behavior. The Court concluded, "[w]ere we to allow the plaintiffs' claims here to proceed, this expansion of liability would be limitless and turn employers into guarantors or insurers."

As a result of this decision, the Court reversed the $1.4 million damages award against Securitas.

The Maypark decision represents a fair picture of the law of negligent supervision in most States. However, negligence cases are fact intensive. Small changes in the fact pattern can create vastly different results. If you have questions about employer liability for employee internet abuse, please feel free to contact me.

David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.