California Court Of Appeal Holds Employers Immune For Employee's "Cyberthreats"
Employers never seem to get a break from having to play the role of parent or "big brother" to their employees in an effort to minimize the risk of liability for their employees' actions. Monitoring the conduct of employees on the Internet is no exception and can constitute a large part of employee oversight because of the Internet's easy accessibility, privacy concerns, and free speech implications. A recent California court of appeal decision, however, has held that certain employers may be entitled to immunity for the Internet-based conduct of their employees.
Recently, the court of appeal in Delfino v. Agilent Technologies, Inc. held that a corporate employer was entitled to immunity under the Communications Decency Act from a lawsuit based on "cyberthreats" sent by an employee. In Delfino, the plaintiffs sued Agilent Technologies and its employee, claiming they were damaged when the employee used Agilent's computer system and Internet access to threaten them, and claiming Agilent had been aware that the employee was making those threats. The "cyberthreats" at issue included not only threatening emails but also threatening messages the employee had posted to message boards about the plaintiffs. For example, an email the employee sent to the plaintiffs read, "It's coming . . . and you won't see it. I seriously hope you have health insurance because your going to get . . . stomped by me and some friends."
The Communications Decency Act ("CDA") was enacted in 1996 with the goal of controlling minors' exposure to indecent material on the Internet. It is also intended to address Internet-related free speech concerns that arise when tort liability is imposed upon Internet service providers who are simply the intermediaries of harmful messages. Section 230(c)(1) of the CDA provides, "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." Agilent argued it was immune from liability under this section.
To determine whether Agilent was entitled to immunity under the CDA, the court applied a three-prong test. First, the court determined whether Agilent was a provider or user of an interactive computer service. Second, the court analyzed whether the plaintiffs' claims in the lawsuit treated Agilent as a publisher or speaker of information. Third, the court evaluated whether the information at issue was provided by an individual or entity other than Agilent.
In holding that Agilent was a provider of an "interactive computer service," the court noted Agilent's centrality in providing the Internet to multiple employees. The court also found that the plaintiffs' legal allegations treated Agilent as a "publisher of information" because the lawsuit's claims were based on Agilent's passive role of simply enabling its employee to send cyberthreats by providing computer and Internet access. Finally, the court held it was the employee who was the "provider of information," and not Agilent, because of the very active role the employee played in sending and concealing the cyberthreats.
While the Delfino decision may allow some employers to avoid liability for the Internet-based actions of their employees, the true scope of this newfound immunity is unclear. Significantly, the Delfino court made special note that Agilent was ignorant of the employee's actions despite conducting meaningful investigations, that it was the primary means of access for thousands of employees, and that no facts showed Agilent to be culpable of any wrongdoing. These factors likely make Agilent's actions in Delfino easily distinguishable from the actions of other employers who do not concern themselves with the Internet conduct of their employees, do not provide Internet access to a large number of employees, or whose extreme passivity could amount to culpability. Consequently, employers are encouraged to continue to develop, implement, and enforce policies and procedures regarding appropriate computer and Internet use by employees.