Child pornography and network servers at work...what to do when the unthinkable happens

Child pornography images are showing up in the most unlikely places – such as on the desktops of professors and senior executives, lawyers, teachers, and others you would never have suspected – like your trusted employees . How what would you do if the police heard about this before you did –directly from another one of your employees?

Suddenly your carefully crafted Internet use policy doesn’t give you the coverage you expected. How should you deal with criminal activities that implicate your company and the contraband you discover on your company’s computers? How should you handle the police, the employee who is implicated and the employee who called the police?

The time to think about these questions is BEFORE they happen. Being prepared, and preparing your employees can make the difference between a difficult situation and a public relations and legal disaster. To do that, you need to have a policy in place and procedures that implement that policy. Then you need to make sure that those policies and procedures are communicated to your employees so they too are prepared. The last thing you want is an employee taking the matter into their own hands.

Start off by reviewing your existing Internet use policy. (If you don’t have an Internet use policy in place, this is the time to get one.) Does it already contain a provision dealing with criminal activities, or does it just deal with inappropriate workplace activities? What about pirated software, music and intellectual property? Have you created a procedure where people can report abuses of the policy?

Next comes the hard part. You have to make some important policy decisions. Should you report criminal activity you discover, or handle it as an internal matter?

Many companies elect not to report employees’ criminal activities to law enforcement. They handle these activities as a violation of company policy. Often, fearing adverse publicity, companies merely terminate the suspected employee without pressing charges. Unfortunately this means that the criminals just change jobs, not their conduct.

Should your decision for handling discovered criminal activity depend on the type of criminal activity involved? Are you more likely to forgive music pirating or unlicensed software than child pornography or attempts to lure a child into an offline sexual encounter? These difficult issues need to be worked out in advance, not in the heat of the moment. And consult with your legal advisors. Failure to take action when you discover criminal activity may result in the company itself facing liability and even criminal charges.

Once the parameters are decided, you can create written policy and procedures that deal with criminal activities that are discovered on your computer system. (You may want to broaden this to deal with all types of criminal activity, not just those connected with technology.)

Your policy on illegal behavior can be added to your existing Internet use policy, or produced as a standalone policy. Make sure that it is signed and acknowledged by everyone. It should include a description of the kinds of actions that are illegal, as well as a statement that the list is not exclusive. It should also include to whom and how violations should be reported. Make sure they know that ignoring procedures and calling the police directly is a violation of company policy and can be disciplined as such.

Then establish methods of investigation. These methods will differ depending on the type of suspected criminal activity.

Investigating child pornography is especially tricky. It doesn’t take much for the investigator to violate the law during the course of an investigation. Possession, downloading, printing or saving child pornography images, in any format, or delivering it to anyone else is illegal, even when you investigating a potential crime and intend to report it to legal authorities. When child pornography is suspected, law enforcement or private consultants trained in this area should be called, and the computer isolated immediately. Note that if law enforcement is involved, the equipment will be seized and may be held for more than a year.

There are no easy answers here. Balancing your desire to see justice done, your need to protect the company and the shock of having a trusted employee violate your trust is a difficult task. That’s why advanced planning and communication of your policies can make all the difference in the world. When the unthinkable happens, the best reaction is one you have already thought about.