Sadly, as an information security professional, we are sometimes engaged with clients who either suspect or have discovered the presence of child pornography in their computing environment. Another way that such materials come to our attention, is during pen-testing or incident response work, we may discover the materials on a system and be forced to bring the materials to the attention of law enforcement.
In many cases, clients ask us why we are required to notify law enforcement, and/or why they are required to notify law enforcement about this material. Perhaps your organization has struggled with this in the past. In any case, we hope the following information helps organizations understand the US legal requirements for handling such materials. (If you live outside of the US, please consult local legal assistance for your laws and procedures.)(NOTE: MSI is not providing legal advice of any kind, consult your attorney or council for legal advice. This material is simply meant to be a pointer for education. MSI is NOT qualified to offer legal advice under any circumstance.)
The Department of Justice lists the following federal statutes for online child pornography:
- 18 U.S.C. § 2251- Sexual Exploitation of Children (Production of child pornography)
- 18 U.S.C. § 2251A- Selling and Buying of Children
- 18 U.S.C. § 2252- Certain activities relating to material involving the sexual exploitation of minors(Possession, distribution and receipt of child pornography)
- 18 U.S.C. § 2252A- certain activities relating to material constituting or containing child pornography
- 18 U.S.C. § 2256- Definitions
- 18 U.S.C. § 2258A- Reporting requirements of electronic communication service providers and remote computing service providers
- 18 U.S.C. § 2260- Production of sexually explicit depictions of a minor for importation into the United States
A summary of these laws is that it is the federal law that mandates this duty to report specifically requires that “electronic communication service providers” report child pornography. (18 USC § 2258A. Reporting requirements of electronic communication service providers and remote computing service providers.) An “electronic communications service” means “any service which provides to users the ability to send or receive wire or electronic communications.” The term “electronic communication,” for purposes of the reporting requirement, means “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.” All of which is to say that both the business/employer that provides the computer or phone system over which the data is communicated, as well as the IT company that helps the employer maintain those systems, are covered by this law. A business or IT service company ignores child porn at its peril. Failing to report the information to the National Center for Missing and Exploited Children violates the Section 2258A reporting requirements. Deleting the material might make the company an accessory to the underlying crime of possessing the information in the first place. Making copies of the material and then transmitting the copies, except at the direction of law enforcement officials or as required by section 2258A, also runs afoul of the laws proscribing possession of child pornography. A first violation of Section 2258A carries a penalty of up to a $150,000 fine. A second violation can be penalized by up to $300,000.
A full summary of other elements of Child Pornography laws from the Department of Justice website is here.
According to the Department of Justice website, to report an incident involving the production, possession, distribution, or receipt of child pornography, file a report on the National Center for Missing & Exploited Children (NCMEC)’s website or call 1-800-843-5678. Your report will be forwarded to a law enforcement agency for investigation and action as detailed here.
It may be required or optional to report to local law enforcement as well, and is dependent on state and local laws and statutes.
According to the National Conference of State Legislatures website, the state of Ohio does not have explicit state policies requiring businesses to report the incident, as detailed here (as of Sept 2013), though again, local statutes may vary by location.
We also found this article, which might be helpful in understanding risks from a legal perspective for businesses who might find child pornography on their server, as it lays out a process for organizations to follow.
Lastly, this white paper from the American Bar Association may also prove useful for organizations.