Employer Liability When Employees Use Internet Communications For Offensive Purposes

What happens when you have a rogue or even out of control employee that uses an office computer to send or even post threats of great bodily harm or uses an office computer to generate other highly offensive communications? Can an employer who ends up being sued for such conduct assert a defense of immunity under the provisions of the Communications Decency Act of 1996 (CDA), 47 U.S.C. 230. This particular federal law defense of immunity actually does preempt inconsistent state law that might otherwise impose liability in certain circumstances. The Act immunizes "provider[s]... of an interactive computer service" (the employer) where "another information content provider" (the employee) has initiated the offending activity.

While the facts considered recently by a California Court of Appeal in Delfino v. Agilent Technologies, Inc. (2006) 145 Cal.App.4th 790 are unquestionably extreme and will not likely be encountered in garden-variety employment situations, the CDA immunity defense could well apply in more benign or commonplace circumstances as a result of the court's ruling in this particular case.

In the Delfino case, the court considered a situation in which unbeknownst to his employer, a very angry and upset employee sends anonymous emails to various adversaries. He also created posts on Internet bulletin boards, threatening great bodily harm and death to these various individuals.

In making this illicit communications, the employee used the computer systems of his employer. The victims of these horrible threats and postings ended up contacting the FBI. The FBI in turn traced the emails and postings to the employee's office computer. This was accomplished by by tracking the emails and postings back through the originating IP address.

The employee admitted that he engaged in the in the conduct of which he was accused. In the end, criminal charges are filed against him.

The employer terminated the employee. The victims of the employee's threats sued the employee and the employer for intentional and negligent infliction of emotional distress, and negligent supervision or retention. The plaintiffs in the lawsuit claimed the employer was aware that the employee was using its computer system to threaten them. The further argued that the employee took no action to prevent the co-defendant employee from continuing to make threats over the Internet.

The ultimate question before the court in the case was: Can the employer be liable under these circumstances?

Some may consider this particular scenario far fetched. The case was presented as one of first impression in Delfino v. Agilent. The California appellate court determined that an employer could in fact assert the immunity defense under the Communications Decency Act of 1996 (CDA), 47 U.S.C. 230.

In asking the court to dismiss the plaintiffs' case, the employer filed a motion for summary judgment, in which it asserted that the employer was a "provider... of an interactive computer service", and therefore entitled to complete immunity under the CDA. Section 230(c)(1) states that "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." The statute also preempts inconsistent state law that would impose liability, saying: "Nothing in this section shall be construed to prevent any State from enforcing any State law that is consistent with this section. No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section." Section 230(e)(3), italics added.

The primary goal of the CDA has been to control the exposure of minors to indecent material over the Internet. Nonetheless, one of its other important purposes is "to encourage [Internet] service providers to self-regulate the dissemination of offensive materials over their services." This was determined in the case of Zeran v. America Online, Inc. (4th Cir. 1997) 129 F.3d 327, 331, cert. den. (1998) 524 U.S. 937.

The CDA also been enforced in a manner so as to avoid the chilling effect on Internet free speech that would occur if tort liability ended up being imposed on companies that do not create potentially harmful messages but are simply intermediaries for their delivery. Id. at 330-331.

Accordingly, Section 230(c)(2) immunizes from liability an interactive computer service provider or user who makes good faith efforts to restrict access to material deemed objectionable. However, the provider must make a good faith effort to restrict access to material that is deemed objectionable.

Drawing on prior CDA cases that actually were beyond the employment context, the Delfino court ruled that there are three essential elements that a defendant must establish in order to claim section 230 immunity. These three elements are determined by the court are:

(a) the defendant is a provider or user of an interactive computer service;

(b) the cause of action treats the defendant as a publisher or speaker of information; and

(c) the information at issue is provided by another information content provider. Gentry v. eBay, Inc. (2002) 99 Cal.App.4th 816, 830.

In considering the first element (whether the employer was a provider or user of an interactive computer service), the court ruled the question a matter of first impression. In its judgment, the court specifically held: "We are aware of no case that has held that a corporate employer is a provider of interactive computer services under circumstances such as those presented here. But several commentators have opined that an employer that provides its employees with Internet access through the company's internal computer system is among the class of parties potentially immune under the CDA." Delfino, 145 Cal.App.4th at 805.

Prior courts had interpreted the term "interactive computer service" broadly in their own decisions and rulings. (For example, in Batzel v. Smith (9th Cir. 2003) 333 F.3d 1018, 1030, fn. 15, cert. den. (2004) 541 U.S. 1085), the court held that the employer was a "provider of interactive computer services" under the CDA. Id. At 806.

Considering the second element of the test, (whether the cause of action treated the defendant as a publisher or speaker of information), the court found that plaintiffs, in alleging that the employer was liable for the employee's cyber threats, sought to treat the employer "as a publisher or speaker" of those messages. (sec. 230(c)(1).) Id.

On the last element of the test, (whether the information at issue was provided by another information content provider), there was no dispute that the employee was the party who had authored the offensive e-mails and postings. Moreover, there was no evidence that the employer played any role at all in "the creation or development" of these threatening and offensive messages and postings. Id. at 807-08.

In the end, the court concluded that the employer satisfied all three of the elements necessary to establish immunity under the CDA. Therefore, the court of appeal did affirm the trial court's grant of summary judgment in favor of the employer. The court of appeals agreed that the grant of immunity under the CDA was proper pursuant to the terms and conditions of that law.

In its decision, the court also noted that, even if plaintiffs' claims had not been barred under section 230(c)(1), granting summary judgment to the employer was nonetheless proper. The court reached this conclusion because plaintiffs failed to establish a prima facie case on their claims against the employer. Id. at 808. In this regard, the court specifically held that there was no indication that the employer ratified in any manner the employee's conduct, and that the employer could not be liable under theory of respondeat superior. Id. at 810-12. In addition, there was not even any evidence that the employer was even aware of the employee's conduct. Id. at 815.

In its holding and order, the court affirmed the long established principle that an employer will not be held vicariously liable for an employee's malicious or tortious conduct in a situation in which the employee substantially deviates from his employment duties for personal purposes. The court additionally offered what can be considered an important teaching point on the theory and principle of ratification under California law.

The court noted that imposing derivative liability on the employer for an employees actions need not be founded on respondeat superior. Such liability can also be based upon the doctrine of ratification as discussed in Murillo v. Rite Stuff Foods, Inc. (1998) 65 Cal. App.4th 833, 852). In that case, the court observed that an employee's actions may be ratified after the fact by the employer's voluntary election to adopt the employee's conduct. This is done, in essence, by treating the conduct as that of the employer's own. Id. at 810.

In considering what evidence can support the ratification theory, the Delfino court cited the California Civil Code 2339. The court, in citing that provision, determined that an employer's failure to discharge an employee after knowledge of his or her wrongful acts may be used as evidence that can support ratification of that employee's conduct.

In the end, there were a number of lessons that have been learned in the aftermath of Delfino. This includes the fact that although employers can take some degree comfort that the CDA can offer them immunity if out of line employees make offensive or threatening Internet postings or emails, conservative employers should take corrective actions immediately against offending employees when such conduct is discovered. This action potentially should include termination, if the circumstances so warrant. Employers should institute certain policies and procedures that prohibit employees from using the employer's computers to post or send threatening or offensive information. Moreover, since CDA immunity will be lost if the employer cannot establish that the information at issue was "provided by another information content provider", cautious employers will also need to avoid any conduct that would suggest the employer has promoted, sponsored, initiated, or ratified the offending material in any way, shape or form.