EMPLOYERS GAIN IMMUNITY FROM EMPLOYEES' MISUSE OF COMPANY'S INTERNET ACCESS
By Jennifer Brown Shaw
The Daily Recorder
Advances in technology, particularly the Internet, continue to influence employment law. The new ways in which employees obtain information and communicate with others have revolutionized the workplace. Change has come so fast that employers, legislators, and the courts are playing an increasingly challenging game of catch-up. The desire to manage risk via control of employees' activities not only is hampered by the ingenuity of new technology, but also by the desire not to impair the free flow of ideas and information that have made these advances possible.
Where competing interests collide, litigation often ensues. The tension between employment law and technology came to a head in a recent decision of the California Court of Appeal, Delfino v. Agilent Technologies, Inc. In a first-of-its-kind opinion, the Court decided that employers cannot be held liable for employees' use of the employer's internet connection to post threatening comments on Internet bulletin boards.
Prequel: Varian v. Delfino
Some years ago, Michelangelo Delfino and Mary Day were embroiled in a very public dispute with their former employer, Varian. Delfino and Day took the term "disgruntled" to a new level. They posted insulting and vulgar comments about certain Varian managers on the Internet, and Varian sued them for defamation. Varian eventually obtained a verdict in its favor. Delfino and Day appealed, however, and ultimately won a reversal from the California Supreme Court on a technical point unrelated to the merits.
Employee Makes Threats Using Company's Internet Connection
The Varian dispute was covered by the press and engendered significant third-party interest. Like many organizations, Varian was the subject of a number of Internet bulletin boards. An Internet bulletin board allows users to "post" commentary about the organization and its employees. Varian bulletin boards were abuzz with comments about the ongoing dispute between Varian and its former employees.
Cameron Moore was an employee of Agilent Technologies in Silicon Valley. Like many employees, Moore used Agilent's network to access the Internet while at work. Moore used Agilent's gateway to post on the Varian bulletin board located at the Yahoo financial site. In the dispute between Delfino and Varian, Moore sided with Varian. So, using the moniker "crack_smoking_jesus," Moore posted messages on Varian's Yahoo message board in which he threatened Delfino with physical harm. Under a different pseudonym, Moore also sent Delfino threatening emails from a Yahoo email account.
The FBI traced "crack_smoking_jesus" to Agilent's "IP address." Agilent's internal security in turn traced the activity to Moore. After further investigation, warnings, and other proceedings too numerous to mention, Agilent fired Moore and the FBI arrested him, albeit for conduct in which he engaged away from Agilent's network.
Delfino sued Moore for his threats on the message boards and via email. He alleged causes of action for "intentional infliction of emotional distress" and several negligence theories. Delfino also named Agilent as an additional defendant, claiming the company knew about Moore's activities and failed to stop them.
The Employer's Immunity from Liability
In 1996, Congress passed the "Communications Decency Act." ("CDA"). This law was intended in part to protect minors from indecent material on the Internet by encouraging content providers to self-regulate and develop filtering technology. The law also ensured that passive providers of Internet access were not subjected to liability for the content posted.
Section 230(c)(1) of the CDA provides broad immunity to those who provide access and facilitate Internet content. Section 230(e)(3) preempts all state laws that would result in liability.
No court had ever held the immunity conferred under section 230(c)(1) applied to employers who provide employees Internet access. However, in other contexts, courts developed a three-factor test to determine whether the immunity provisions apply: (1) the defendant is a provider or user of an interactive computer service; (2) the cause of action treats the defendant as a publisher or speaker of information; and (3) the information at issue is provided by another information content provider. The Court of Appeal in Delfino used this analysis and determined Agilent was immune from Delfino's lawsuit.
By holding that the CDA applied, the Court exempted Agilent from liability for Moore's conduct on the Internet. Of course, had Agilent condoned or assisted Moore in some way, the analysis could have come out differently under factor (3) above. The evidence, however, was that Moore acted on his own.
Liability for Internet Activity Absent CDA Immunity
As an alternative holding, the Court of Appeal analyzed whether Agilent would have been liable for Moore's conduct under state law and in the absence of CDA immunity. The Court first held that those who make threats of bodily harm on the Internet may indeed be engaged in "outrageous conduct," an element essential to a claim of intentional infliction of emotional distress.
The Court then turned to whether Agilent could be held responsible for Moore's postings. Delfino argued that Agilent "ratified" Moore's conduct; in essence, that Agilent's conduct adopted Moore's posts as its own. However, the Court noted that Agilent fired Moore immediately upon learning that Moore had used Agilent's systems to make threats.
Delfino also argued that Agilent should be held responsible under "respondeat superior," a theory under which an employer is liable for employees' acts performed within the course and scope of employment. The Court rejected this contention as well. Under California law, an employer's respondeat superior liability does not extend to all acts performed at work. Rather, the issue is whether the conduct is sufficiently related to the employer's business enterprise to require the employer to bear the cost of the conduct.
Finally, the Court held that Agilent could not be held liable for "negligent" supervision of Moore. Using a multi-factor test, the Court analyzed whether Agilent owed a "duty" to Delfino, and concluded that it did not. Without such a duty, there can be no claim for "negligence."
Unless the CDA is amended or the Delfino decision is overturned, employers now enjoy broad immunity from lawsuits based on employees' misuse of the employer's Internet connection. But the Court's opinion in Delfino raises important questions regarding the extent of employers' liability for employees' conduct on the Internet. For example, Delfino does not address whether an employee's claim of "harassment" exclusively based on a co-worker's conduct on the Internet would be actionable against the employer. After all, Delfino did not work for Agilent. Yet, it would not seem to make a difference if he had. The CDA's immunity provision does not appear to carve-out exceptions for lawsuits by an employee against his or her own employer.
Of course, most claims of harassment are based on more than just Internet postings by the alleged harasser. So, immunity under the CDA likely will be moot in most cases. Moreover, if an employee is spending work time defaming or otherwise engaging in misconduct on the internet, the employee is not performing his or her duties. Therefore, even if employers are not held liable for employees' Internet activities, it behooves employers to have strong policies regarding use and misuse of its Internet connection.