Company sued for firing obscene Web browser
November 10, 2009 by Sam NarisiPosted in: Regulations & Compliance, Special Report
When an employee’s caught looking at offensive Web sites, the person’s usually fired. But it’s not always that simple. Take this recent case, for example:
An oil field operator was fired after he was accused of downloading pornography at work. About 200 field employees shared a computer located in their break room.
Each worker was given a unique username and password, and told to sign in only under their own names and sign out when finished.
While running a virus scan, an IT staffer discovered porn sites had been accessed under the employee’s username, including “hundreds of prohibited websites” over the period of two days. The staffer notified the employee’s boss, who verified the employee had been at work on those two days.
He was fired for violating the company’s computer use policy, which strictly prohibited the downloading of any obscene content.
The employee, 57 years old at the time, sued for age discrimination after he learned his replacement was 43.
He claimed he was innocent — he got access to the company’s log of his alleged Web activity and pointed out that many of the sites were visited during times before and after his shifts or on days we wasn’t scheduled to work.
The judge didn’t buy his argument and ruled in favor of the company. Why? Two reasons:
First was the way the computer policy was written. It expressly forbid users from sharing or even writing down their passwords and said that “System Users are responsible for all transactions made using their passwords.”
Second, there was no evidence the company was discriminating. Even if they were wrong, the manager and the IT department reasonably believed the employee had been viewing pornography at work and fired him for that, not because of his age.
The lesson: When employees share computers, it can be tough to monitor improper usage. But one good way to make it easier is to write a policy prohibiting password sharing and behaviors that make them easy to steal.
Cite: Cervantez v. KMGP Services Company, Inc.
Tags: computer use policy, fired, pornography
November 11th, 2009 at 9:38 am
If you have a quality oil field operator, you should probably keep him, and not fire him, unless he’s not good at being an oil field operator.
Firing someone over this, is absurd. How about a written warning.
Obviously he was fired for other reasons, probably age discrimination. However, that does not mean, he will win that case. The laws are very employer friendly. The advice in the article, I agree with. A little due diligence and you can use any excuse to terminate someone.
November 11th, 2009 at 10:11 am
Problem is that there was no evidence shown thatthe PC were set to log off a user after a cerrtain period of inactivity. Also was there a scan done for Keylogger apps that can easily be placed on a device? Alot of unknowns in the article.
November 11th, 2009 at 3:00 pm
I agree with Robert Dupuy. Give the guy a warning and a stern talking to, pointing out that if he does it again he will be immediately dismissed. And make sure every other employee is a fully aware of the situation, and what happened. Surely that would provide a twofold solution to what happened, would save the company a lot of money, and suitably punish the offender, in this case the oil field operator.
November 12th, 2009 at 3:58 am
Got what he deserved really didn’t he?
November 12th, 2009 at 5:07 am
@ Jon : It’s normally the employeees responsibility to ensure the computer is secured after they have used it. If they haven’t then they’ve probably breach confidentiality guidelines too.
@ Robert & Mike : Completely agree, moderation and education is more important than being seen to follow the letter of the law. While the ex-employee was foolish in that they allowed the comptuer to be used while logged in as them it’s not something I would advocate firing someone over.
November 12th, 2009 at 8:16 am
The problem with the common sense advice to give the guy a ticking off not to do it again is that this advice voids the policy of firing anybody who downloads pornography. If you do it for this man, you’ll be sued by the next person who is fired and is not worth keeping.
Since the company must protect itself from law suits, it has no choice but to fire a probably excellent worker for nothing that did anybody any harm. The real answer here is to install proper logging software and TELL people what you’ve done.
November 12th, 2009 at 8:44 am
There are two things at work here – visiting inappropriate sites, which is against company policy, and allowing others access to his credentials. The former is an HR issue that could be addressed with a warning. The latter, allowing others access to his account, is the more serious offense in this situation and I agree that a more serious penalty should be enforced. Firing? That may be extreme, but it’s obviously the company policy. If there is a possiblity that sensitive data could be accessesd by using another’s credentials, then a serious penalty has to be enforced.
Maybe the policy should be changed so that a probationary period be implemented on the first offense and termination on the second.
November 12th, 2009 at 10:05 am
Also, if they were “prohibited” sites, why wouldn’t the company, or their IT staff, have those sites blocked? We(in IT) do our best to protect users/associates from themselves by locking down rights and permissions on their computers, why leave this open? Feels like entrapment. A warning and a black mark on his record should have been enough.
November 12th, 2009 at 12:07 pm
What this sounds like is we have an unethical company in a witch hunt to fire this guy.
I have seen this many times in my career in the IT department.
There is no way to prove this oil field operator is at fault.
The log says it all. Even a 12 year old kid can figure this out.
Here are some of the problem I see
1. This is a shared Computer where all employees that have access to it should be held accountable.
2. A self replicating worm that is not prejudice on which login profiles it uses, is designed to go to pornography websites to drive hit counts up for advertisement profit.
I could go on for hours on this subject.
Conclusion:
If no one physically saw this oil field operator going to these pornography sites then he cannot be held
accountable.
Also it looks like the IT dep.t is not qualified to make these statements or assumptions and the Judge well we won’t go there the article says it all.
November 12th, 2009 at 12:16 pm
While I have no problem giving the guy a warning, I also feel that the company can terminate anyone if it finds a violation from any employee. This is what an employee manual is for. You read it and you follow the rules and guidelines. Haven’t we heard enough in the news that people get in trouble for surfing porn at work? Is he too stupid to think it won’t happen to him?
November 12th, 2009 at 2:11 pm
I see numerous problems here: #1, the oil field operator did not hire an attorney saavy in the ways of computers.
#2 – It’s hard to believe that the company has a “1 strike and you’re out” policy on this kind of thing. As another observed, allowing the userid/password to get out would be a more severe issue in my book than downloading some nudies or visiting adult sites. But with 200 hundred people using the same machine in a BREAK ROOM??, surely his lawyer could cast some kind of reasonable doubt. Besides, it was in a break room, what are these people supposed to look at while on break? Company profit and loss statements for the last 99 quarters? The Disney Channel on line? Get real.
#3 – As yet another person noted: if the company has a policy against visiting certain sites, then they should make an effort to restrict all computers on the network from visiting those sites. Anyone in their IT department so much as ever heard of a locally stored HOSTS file? If the computer was not part of such a restricted network, I’d be tempted to say “the rules don’t apply, the computer was outside of the area of control and thus not affected by company policy”.
#4 – Age discrimination? Possbily, but most likely not, unless of course by firing this guy the company managed to save a lot of $$ by cutting him off from company paid retirement benefits.
November 13th, 2009 at 7:39 pm
And when someone forgets to log out after their shift, then what?
What if the password was cracked? If there are logins when he was not on-site, where was their security to prevent it? Most LDAP tools can set login timeframes.
November 16th, 2009 at 2:52 pm
Be an adult.
If company policy is to not share user information and that each user is responsible for actions taken with his log-in and specific sites (or types of sited) are prohibited – then choosing to violate policy is a choice to accept whatever the company consequences are.
If inappropriate sites were accessed then policy was violated.
If user information was shared then policy was violated.
Sometimes it’s just a matter of rules are rules.
If you can’t follow the rules with simple things, then how can you be trusted in an area that could harm or kill someone?
Accept resposibility for the choices you make.
November 17th, 2009 at 1:26 pm
I would put the onus on the employer to prove that the password had been shared. I manage the security for my employer and we use two factor authentication. You have to have your employee badge and a password to logon to a PC after you have badge through a door. It makes it much harder for an employee to claim someone else used their password as they would also have to have their badge.
November 17th, 2009 at 2:26 pm
Slacking off by looking at porn is just as bad as slacking off using MySpace. The fact more than one person is obviously using the system inappropriately means more than one person should have been fired. That’s what I feel the lawsuit is based upon.
If you are going to enforce the policies, do so equally, including management.
If you go and conduct a proper and full security search, and start firing all of the employees who have done exactly what the rules state in the employee handbook, you’ll find about 30-50% smaller workforce at a minimum. My biggest abusers have been Executives, not the worker bees.
Now, do you risk your job reporting it, or do you “shut up and color?”
November 20th, 2009 at 6:46 am
[...] I agree with Robert Dupuy . Give the guy a warning and a stern talking to, pointing out that if he does it again he will be immediately dismissed. And make sure every other employee is a fully aware of the situation, and what happened. …Page 2 [...]
November 24th, 2009 at 1:32 pm
I’m an IT guy. I’ve had users who opened emails that seemed legit, but contained a worm that started hitting porn sites. I’ve also had users who performed a legitimate search on Google, clicked a link to a promising website only to be automatically redirected to a porn site and then dozens of browser windows started popping up going to other porn sites. We also have an issue with an employee who likes to covertly watch other people log into their computers, so he can get their passwords. He then comes into the office after hours or on weekends and uses the stolen credentials to login and do a little Internet gaming without fear of getting in trouble. What if he also decides to look at some porn? This guy is a highly valued employee who would be very difficult to replace. He gets away with pretty much anything and the boss doesn’t want to hear about him logging in as other people. Our employer’s policy on visiting porn sites at work is fire at will. What if our employer decided to fire people based on network logs? What if they decided to fire people whose credentials were “shared” unknowingly with the cred-thief/gamer? How can any employer legitimately fire any employee for violating these policies without someone witnessing the violation? I’m strongly in favor of a 2 or 3 strike policy. If you get warned for something you didn’t do, then you at least know to watch your back.
November 30th, 2009 at 4:05 pm
Hey Gary, that is ridiculous to hear that your company has a “highly valued employee, who would be very difficult to replace” getting away scot free with what he is doing. If what you say is definitely true, and beyond proof, then hat guy needs to be severely disciplined, even if it meant he might leave because of it. If it was me, I would not hesitate to fire him immediately, for being so dishonest.
January 5th, 2010 at 12:34 pm
[...] Company sued for firing obscene Web browser [...]