by Jeremy Malcolm, Internet lawyer
A reader of this column recently wrote to me:
As the ISP of a company, if a staff member of a customer is breaking the law and using our network to do it, are we:
- Do we have a duty of care to notify our customer that one of their staff members is breaking the law?
ISPs are not automatically liable for what their customers do on the Internet. If a customer is hosting prohibited material such as child pornography on its network, the law provides that ISPs are not criminally liable unless they knew of the nature of the content. In the case of piracy of copyright material, the ISP may be liable if it knew or had reason to suspect that its network would be used to commit an infringement and it failed to take reasonable steps to prevent such misuse.
In the case of crimes not related to hosting of material, such as credit card fraud, the ISP's liability depends on the degree of its complicity in what occurs. If the ISP could be said to have purposely assisted the commission of the offence, there is a risk that it might be found guilty of being an accessory to that offence. On the other hand, simply standing by and doing nothing while an offence takes place does not make the ISP liable, unless the purpose of the ISP's failure to act was to assist the offender.
As for the ISP's customer, it can more easily become liable for what its staff members do on the Internet. A legal principle called "vicarious liability" essentially makes an employer liable for civil wrongdoings of its employees committed in the course of their duties. In addition, the employer can become directly liable if it was knowingly involved in what its employee did; for example, if it turned a blind eye to piracy of copyright material or allowed the posting of defamatory remarks on a company Web site.
The question of whether the company's ISP should inform the company about illegal conduct of a company employee, in order to protect the company from vicarious liability, is a difficult one. Normally there is no positive duty on anyone to protect other people from harm. Such a duty can however exist if it is stated or implied in a contract between the parties.
In my opinion, the contract between an ISP and its customer would not normally be enough to establish a duty for the ISP to warn the customer of the illegal activity of company employees on the Internet. On the other hand, such activity would normally be in breach of the ISP's terms and conditions of service, in which case it would be within its rights to report the activity to the company, if it is sure that it has its facts straight.
The case would probably be different in the case of a person or business that was retained (either as an employee or as a contractor) for the specific purpose of administering the company's network. In that case, monitoring the misuse of the network for illegal purposes would generally be within the scope of the duties of the network administrator to report.