Worst-Case Scenario

Federal investigators accuse a CEO of storing child porn on company computers. It's a situation no business wants to think about, but one for which every IT professional needs to be prepared.

John Foley, Editor, InformationWeek

July 8, 2005

6 Min Read

It's a long way from the Upscale offices of Bowne & co., a respected financial printing company with many blue-chip clients, to the tawdry Web-site operation in Belarus that served up child pornography for $49.95 a month. But if federal investigators are right, Robert Johnson brought those worlds together in the worst of ways. He's accused of downloading child pornography onto the PC and laptop he used as the chairman and CEO of Bowne, a New York City institution with 18th-century roots.

In some respects, Johnson's case is like hundreds of others pursued by Homeland Security's U.S. Immigration and Customs Enforcement division, which for the past two years has been tracking down customers of Regpay Co., a company in Minsk, Belarus, that operated child-porn Web sites and handled credit-card payments for other such sites. In the indictment, the U.S. Attorney for the Southern District of New York accuses Johnson of possessing at least two child-porn movies and deleting 12,000 other files when he learned about the investigation 14 months ago. Computer records obtained during the Regpay operation tipped off the feds to Johnson's alleged activity. One clue was an IP address that traced back to Bowne.

The indictment of a top executive on child-porn charges represents a worst-case scenario for any company and its IT managers. Bowne apparently was caught off-guard, reacting only after federal agents came knocking. Then the company unwittingly notified the alleged offender of the investigation, providing him with a window of opportunity to attempt to cover his tracks.

Former Bowne CEO Johnson denies charges he downloaded child pornography at work.Photo by Mantel/Sipa

Johnson's arrest on June 28 serves as a warning to others. In going after a CEO, the U.S. Attorney's Office is hitting the top of the org chart of a publicly traded company. It underscores the need to have systems and processes in place all the way up the corporate ladder to prevent child pornography at work--or any computer-assisted crime, for that matter--and react appropriately if necessary. Not only is a company's reputation at stake, but there's the risk of legal liability if officials fail to take action.

Johnson's pedigree makes him an unlikely suspect. Before joining Bowne 10 years ago, he was the publisher of Newsday, a major New York newspaper, and he served over the years as a member of the New York State Board of Regents, director of the New York State Business Council, and chairman of the Long Island Philharmonic. The married, 59-year-old father of two grown children (his 60th birthday is this week), Johnson is the kind of guy bestowed with honorary degrees from schools such as St. John's University.

Now the former CEO faces charges of receipt and possession of child pornography and destruction of records in a federal investigation, which is a violation of the Sarbanes-Oxley Act. The maximum penalty: 50 years in prison.

Johnson denies the charges. "Mr. Johnson wasn't involved in or with child pornography and didn't download child pornography on any computer," says Stephen Scaring, his attorney. "We're prepared to prove that in court."

Investigators and prosecutors have been working on the case for more than a year. Johnson is accused of accessing child-porn sites from Bowne computers over a two-year period, beginning around April 2002. Along the way, he bought "memberships" to such sites and downloaded at least two child-porn movies, the indictment says. An Immigration and Customs Enforcement agent informed Bowne officials of the agency's investigation on May 4 of last year, without telling them Johnson was a suspect.

It was only a matter of hours before one of the Bowne officials let the CEO know that something was up. Once that happened, Johnson used a PC program called Evidence Eliminator made by Robin Hood Software Ltd., a privately held U.K. company, to delete 12,000 files from the hard drives of his PC and laptop, the indictment charges. On May 10, Immigration and Customs Enforcement seized Johnson's hard drives. A few days later, Johnson abruptly retired, citing "personal reasons."

Bowne would like to distance itself from the controversy. "This is a matter between the authorities and Mr. Johnson as an individual," says a Bowne spokesman. "All inquiries should be directed to them."

Bowne's computer policy limits use to company business and gives it the right to "review all computer files and communications and monitor employees' use of the Internet," the spokesman says. But he declines to say whether the company did that on a regular basis. Bowne's CIO at the time of the alleged crimes, Ruth Harenchar, says the company had "various tools that could be used to enforce" its policy. She won't comment on the situation beyond that, citing Johnson's pending trial.

Harenchar lost her job in January, eight months after Johnson's resignation. Bowne's new CEO, Philip Kucera (who was general counsel under Johnson), has sold two divisions in the last eight months. The CIO job "was eliminated," Harenchar explains. "They chose not to have a CIO position anymore." Harenchar, a member of InformationWeek's editorial advisory board, now works as CIO of Hobart West Group, a legal-services and temporary-staffing company.

It's unclear the extent to which Bowne may have used Web-filtering technology. But Web filters aren't foolproof, anyway. The creeps who run child-porn sites change their URLs constantly to stay a step ahead of the databases used to recognize and block them.

Some companies don't use Web-filtering products at all. Only half of large companies and a quarter of small-to-midsize businesses have installed Web filters, estimates Gary Stowell, VP of business development and product management at St. Bernard Software Inc., which sells a Web-filtering appliance. Of those with filters, only half take the extra step of running reports that show who's getting blocked from unwanted sites. That makes it unlikely most companies would catch a wayward employee trolling for child porn.

Child pornography continues to be a growing problem. Reports of suspected child porn to the National Center for Missing and Exploited Children jumped 39% last year to 106,000.

Businesses and IT departments need to be prepared. Parry Aftab, executive director of WiredSafety.org and an InformationWeek columnist, recommends setting up a procedure for dealing with the stuff before it happens. Best practices include having up-to-date Web-monitoring software, letting employees know what to do if they encounter child pornography, and making it known that violations will be reported to law enforcement. If a senior executive is involved, managers should be prepared to approach another executive in a position of influence, such as the general counsel or director of human resources. "You set up a process," Aftab says, "in the same way you report sexual harassment."

One of the most effective measures is likely to be one of the least popular--random scans of employee computers for improper images. "You can let everyone know you're going to do a sweep from time to time," she says. And that would include the CEO's computer.

About the Author(s)

John Foley

Editor, InformationWeek

John Foley is director, strategic communications, for Oracle Corp. and a former editor of InformationWeek Government.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights