Child-pornography images are showing up in the most unlikely places--the desktops of professors and senior executives, lawyers, teachers, and others you would never have suspected, even your trusted employees. What would you do if the police heard about this before you did, directly from another one of your employees?

Suddenly, your carefully crafted Internet-use policy doesn't give you the coverage you expected. How should you deal with the contraband you discover on your company's computers? How should you handle the police, the employee who is implicated, and the employee who called the police?

The time to think about these questions is now. Being prepared, and preparing your employees, can make the difference between a difficult situation and a public-relations and legal disaster. To do that, you need to have a policy in place and procedures that implement that policy. Then you need to make sure that those policies and procedures are communicated to your employees.

First, review your existing Internet-use policy. Does it contain a provision dealing with criminal activities? What about pirated software and music? Have you created a procedure through which people can report abuses of the policy?

Next comes the hard part. You need to decide whether to report criminal activity to authorities or handle it as an internal matter. Many companies elect not to report employees' criminal activities to law enforcement. They handle these activities as a violation of company policy. Should your decision for handling discovered criminal activity depend on the type of activity involved? Are you more likely to forgive music pirating than child pornography? You need to work out these issues in advance and consult with your legal advisers. Failure to take action when you discover criminal activity may result in the company itself facing criminal charges.

Once the parameters are decided, create written policies and procedures that deal with criminal activities that are found on your computer system. They should include a description of the kinds of actions that are illegal, as well as a statement that they are only some examples. They should also include to whom and how violations should be reported. Make sure employees know that ignoring procedures is a violation of company policy and can be disciplined as such. Make sure the policy is signed by everyone.

Then you need to establish methods of investigation. Investigating child pornography is especially tricky. It doesn't take much for the investigator to violate the law. Possession, downloading, printing, or saving child-pornography images, in any format, or delivering it to anyone else is illegal, even when you intend to report it to legal authorities. When child pornography is suspected, law enforcement or private consultants trained in this area should be called, and the computer isolated immediately.

For a checklist on preparing an appropriate policy, see "Tips For Writing A Criminal-Activity Policy".

Parry Aftab is a cybercrime expert and a privacy and security lawyer. She can be reached at http://www.aftab.com.