Forums

BLUF: have you ever had a situation where you knew something was wrong but could not put it into words?

A friend of mine was given 60 days notice in May. He used that time to finish up projects and look for a new job. He has not drawn a paycheck from his old company for at least a month. They have not turned off his e-mail and he still has access to it. I found this out when he recently forwarded an e-mail to me.

I called him to ask him why he is still checking that e-mail. He stated that he was checking so that he could forward anything important to whomever needed to get it. He also felt he could get some industry insight for his new job in this way as well.

I told him that since he was no longer employed by the company it was wrong, unethical and perhaps illegal to be reading those e-mails and he should have set up an out of office message when he got his last paycheck that would forward the messages to whoever is responsible now. He seems to feel that since the company left him with access to the account there is nothing wrong with him checking it.

During our conversation he wanted me to state some of the reasons why it was wrong. I was rather angry and just said 'is it really necessary to have this conversation, your 40 yrs old you should be able to figure out right from wrong'

Anyway, ethics and integrity is important to me. I would like to hear what others think of this issue. To M&M ethics would make a great podcast topic.

David

RichRuh's picture
Licensee BadgeTraining Badge

Just talk to your IT manager, and explain the situation.

I would do so without bringing up ethics, or otherwise accusing your former co-worker of anything but the best of intentions.

You might say something to your IT manager like "I know he means well, but I'm concerned that he could receive confidential information by mistake."

Any IT manager worth his salt would scramble to shut off access ASAP.

--Rich

sadicarnot's picture

Rich; We don't work for the same company. We are in different industries all together I am in Power Plant Operations and he is in the Hospitality industry.

We are friends from college that kept in touch thru the years. My concern is more for the ethics or lack thereof for someone I have known for over 20 years.

I suppose the question could be what do you do when a close friend is doing something you know to be wrong.

jhack's picture

Your friend should send an email to his former boss, informing him that you still have an active email account which should be shut down, and he should refrain from accessing it from that point forward.

There are legal issues - accessing data for which you have no authorization is now a serious federal offense. It also raises liability issues for him if he sees information which could even be PERCEIVED as a conflict of interest.

John

RichRuh's picture
Licensee BadgeTraining Badge

Ah, sorry, sadicarot, I didn't realize that you both didn't work for the same company.

Well, you've told him what you think. I'm not sure what else you could or should do. You're not responsible for his behavior.

--Rich

TomW's picture
Training Badge

Why do YOU think it's an issue?

I'm more intrigued that he "was given 60 days notice", which sounds as if he was let go, and now he is doing the company a favor.

sadicarnot's picture

He was let go. He is a case of playing the Horstman's wager poorly and losing. He went from sales to operations at a hotel company and it turned out he did not have the experience and background to be successful in the role.

I think it is an issue because he can be perceived as representing the company who he no longer works for. Also there may be information in the e-mails that management would only want internal persons to know.

Personally I deal with environmental and operational issues in the operation of water and power plants. Much of the compliance is self reported and it is incumbent on the operators to act ethically and the highest standards for the protection of the public and compliance with the law. I have experienced management pressure to always be in 'compliance' but sometimes it is necessary to stand up and prevent stuff from getting swept under.

stephenbooth_uk's picture

He should notify his former management and stop accessing the account.

Interestingly, if he were in the UK he may not have committed an offense by accessing the data (I'm not sure). His former employer, however, would have committed a major offense and if it came to light would be in a serious whole heap of pain. Leaving a big hole in security like that can get you seriously fined.

Stephen

garyslinger's picture
Licensee BadgeTraining Badge

[quote="jhack"]There are legal issues - accessing data for which you have no authorization is now a serious federal offense.

John[/quote]
Only if they're in the USA...

G.

dhkramer's picture

Interesting; I don't see any ethical issue here at all.

How is this any different than mail being forwarded to him?

stephenbooth_uk's picture

[quote="dhkramer"]Interesting; I don't see any ethical issue here at all.

How is this any different than mail being forwarded to him?[/quote]

A company has a reasonable expectation of privacy in its internal communications. It's possible that this person may be on an internal mailing list that may be sent confidential information. By accessing that information, as a non-employee, there is a risk of such information being leaked.

If someone forwarded the information to him then that would mean that they had taken a decision to do so, something for which they could be held accountable. There may also be something in the company's Email AUP that tells them not to forward confidential information outside the company. It's an extra layer of protection, ephemeral as it may be.

The core problem, as I see it, here is not that he is accessing the mail but that when he left the access was left open (and presumably has been for other people as well). That points to a major hole in their IT procedures relating to hiring and firing (often called SLAM procedures, "Starters Leavers And Movers"). When I worked in my first IT job one of the first things I had to do was develop procedures for finding out what accounts people had (this was before Single-Sign-On really came into the mainstream) and for turning off their access when they left. I also enacted those procedures when people left, if you left that company whilst I was there by the time you walked out the front door all your access was turned off (indeed one time someone stepped out the door and just as it closed behind them remembered they had left something in their desk and turned around to get it, only to find that their swipe card no longer worked). Very often I would know someone was leaving before they did, they'd walk into the MD's office (it was a small company) to be told they were being dismissed or made redundant and before they sat down their accounts would be locked.

That may seem draconian but, aside for the potential loss directly resulting from IP leakage or vandalism, the penalties for the release of personal information can kill a small company.

These days the ideal is to use a HR/Payroll system that has an LDAPv3 interface and so can feed into your IT security systems and use that for everything. As soon as someone leaves HR just have to lock their HR record and in one stroke their access is also locked out.

Stephen

TomW's picture
Training Badge

[quote="dhkramer"]Interesting; I don't see any ethical issue here at all.

How is this any different than mail being forwarded to him?[/quote]

Mail being forwarded is intentional. In this case, it's more like sneaking back into the mail room because he still has the key.

I'd say your friend is a bit odd for volunteering to help the company that let him go, but I can hardly call this unethical. It's possible that he could come across something confidential internally, but as a recent employee it's probably all something that he was already aware of.

I think the company (and especially its IT manager) are the ones most at fault for not cutting off his access the day he was done working there. Heck, at my company if you even stay late on your last day you will have your access cut off.

HMac's picture

[quote="sadicarnot"]I told him that since he was no longer employed by the company it was wrong, unethical and perhaps illegal to be reading those e-mails and he should have set up an out of office message when he got his last paycheck that would forward the messages to whoever is responsible now. He seems to feel that since the company left him with access to the account there is nothing wrong with him checking it.[/quote]

David:

He's wrong.

Say so.

I think you're right. But more to the point, I think you're right to express your opinion to him, and then put it behind you.

He gets to choose his behavior, and any consequences that may come from it.

-Hugh