Possible Ethics Violation? Or Am I Overreacting?


Pedersen
04-10-2011, 03:51 AM
So, as I've posted elsewhere, my employer is merging. Thursday, something small, minor, almost invisible, happened. I didn't even notice it until Friday morning. It's been bugging me since.

One of the people from the other company (I'll call him G) tried to send me an email. As it turns out, he got my last name spelled wrong, so it didn't reach me. He was using our internal email server when he did so.

I called him an hour or so later, and asked where it was. When we figured out what happened, he told me to just go into his sent items on the server and get it. Technically, as an admin for that machine, I do have that capability, but I really don't like using it. I said so, and he said it was no big deal, he had only sent like three emails. I still asked him to re-send it when he had the time.

Then, on Friday, it dawned on me: He'd asked me to open up his email account, read his email to find what I needed, and take it. He'd also done so very casually, like this was no big deal.

To me, and to the users who use the services I manage, this is a big deal. I don't invade their space except under four very specific sets of circumstances:


1. They're having a problem, and ask me to look into it.
2. Something about their space is causing problems for others.
3. That user's manager (or someone higher up, but still in that user's management chain) provides a written request to pull the data on the grounds that the user is doing something against company policy. Even then, for this, I'll be running it by my immediate management for a final signoff.
4. ETA: If somebody leaves the company, and their job functions fall to me.


Outside of that, I don't go into it. It's all about trust. If my users can't trust that I'm not going to randomly read their private stuff, then they can't use those services to conduct the business they need to conduct.

The way in which he said this almost made it sound like a casual thing, not the major breach of ethics I would consider it to be.

So, my question to all of you: Am I overreacting? Should I comment on this? And, if so, to who? G? His boss? The new partner? The existing owners?

BTW, the new partner is the person overseeing all of IT. If I should approach him in particular, or G, or G's manager, I have to ask for some other advice; you see, the other company is almost entirely Jewish, and very much so. Is there any specific way I should address this due to that possible cultural difference?

Onlooker
04-10-2011, 04:14 AM
I'm not exactly sure why you'd have to address it differently since it is a valid business concern. You can look at this a couple of ways. One is that the merger is going so smoothly that the others are not worried about what you might do in their machines. Another is that they are used to handling things more casually. I'd probably see it as something that should be mentioned to whoever will be in charge (hubby's in IT) because big problems can come from small ones. You might want to write it up in an "Oh, by the way, this happened on date at time. I wanted to make sure you knew." Maybe they need to think about reviewing procedure and going over it with everyone.

Racket_Man
04-10-2011, 07:22 AM
not that I can offer any advice but,

it seems that the younger population seems to be somewhat casual about privacy these days esp in the face of Facebook and other social media (that is until something nasty happens), so is this person on the younger side?????

I would say you are NOT overreacting and you have a good sense of personal and business ethics and morals. trust is something to be cherished and nurtured and worked at but something which can be broken and destroyed in less than a second.

since I do not know the dynamics of your new workplace and personnel not sure who you could casually mention this to. I think this person trusts too much.

BlaqueKatt
04-10-2011, 02:55 PM
Outside of that, I don't go into it. It's all about trust. If my users can't trust that I'm not going to randomly read their private stuff, then they can't use those services to conduct the business they need to conduct.

The way in which he said this almost made it sound like a casual thing, not the major breach of ethics I would consider it to be.

any company I worked for had in their employee handbook that company assets (including computers and email licenses/accounts) were only to be used for company purposes and we had no expectation of privacy. At one employer IT would read emails at random, and it stopped a lot of shenanigans (people trying to sell company info/secrets).

I always assume my work email is not private and is likely being read, do I mistrust IT? Nope, I do my job and they do theirs, which may or may not involve reading my emails that should be related to work.

Sapphire Silk
04-10-2011, 04:29 PM
I don't think you are over-reacting, Pedersen. I also don't think it's a major sin specifically because you had permission to do what you did.

I think the real point here, is this incident has exposed a culture of casualness that may exist in the organization you are merging with. That culture, if real, presents a real security risk for the company.

I would look at this as an opportunity to improve IT security where you work. Talk to your colleagues about reinforcing security protocols related to email designed to discourage the kind of behaviors that G clearly thinks are OK. I don't think you need to point out the details of what happened; just use it as a red flag to reinforce good IT procedures.

Seshat
04-11-2011, 02:14 AM
I would deem that not overreacting at all.

If he's comfortable accessing another user's email, is he comfortable accessing other restricted areas of company data?

IT has a special duty of privacy that almost no other department has (possibly HR, but IT can access e-v-e-r-y-t-h-i-n-g). Yet so few IT courses address ethics!

lwb
04-11-2011, 05:25 PM
Yet so few IT courses address ethics!

Which is why my students hear about ethics in EVERY STINKING CLASS they take from me :)

Shalom
04-11-2011, 05:25 PM
the other company is almost entirely Jewish, and very much so. Is there any specific way I should address this due to that possible cultural difference?

Yes, in fact, and it's in favor of your position.

There is a specific prohibition in Jewish custom, if not exactly law, against reading private mail intended for others. See, for example, this (http://ohr.edu/ask_db/ask_main.php/67/Q1/), or that (http://www.torah.org/advanced/business-halacha/5757/vol2no17.html).

Whether this custom is overridden in a situation where no expectation of privacy is in effect, which does presumably cover business e-mail accounts, is still up for debate. Section D of the second link I provided seems to indicate that it is permissible.

My own opinion is that IT should be allowed to look at business e-mail, but only when necessary to the performance of the job. I guess it's like my situation with patients' med profiles: I can look at them when it's necessary to the performance of my job, but not for idle curiosity. Basically you have to make those decisions on a case-by-case basis. In the present case, you did have the guy's permission, so it was probably OK.

I would try to get a specific policy decision as to what is acceptable in terms of the level of privacy expected. Your own position would seem to be that a higher level of privacy is more desirable; if so, you might use arguments from the above links, or find others (search term is "Cherem d'rabbeinu Gershom", with or without the initial C depending on regional pronunciation) to bolster your arguments. Here's another one (http://www.myjewishlearning.com/practices/Ethics/Business_Ethics/Contemporary_Issues/Privacy/A_Responsum.shtml) that might help.

Imprl59
04-11-2011, 11:11 PM
I've been in IT for 25 years and seen security implementation from one extreme to the other.

When I was in banking the security was extreme. They closely monitor everything! While I had password and key card access to anything I had better have a damn good reason for being in that file or that office when asked. People were fired on the spot for giving other associates their passwords.

Now I deal with smaller business and I would say an easy 90% just don't care about internal security. They all have each other's passwords. They are all in each other's files and e-mail. As the economy has slipped and business has downsized more people are doing more different job functions so the pitiful amount of security has slipped even further.

In your situation I would ask your direct supervisor what should be done if presented with this situation in the future. You always want to follow the chain of command on this type thing. Let your boss be the bad guy if someone has to be. Be prepared... you are going to see a lot more of this kind of thing as your companies come together and the different cultures clash.

Steve B.

surreal20
04-12-2011, 04:59 AM
Since I am not Jewish, I can't really call on that. I would be under the assumption that when in business, you really don't judge on others based on their religion. Or rather, you aren't supposed to, it's bad ethics.

However, when you know a large amount of individuals are from a certain religion, you are also aware that some things done or said would be highly offensive to them on a personal level and can be considered a bad work environment for them.

So that is a tough call. It's nice to know, though, that Shalom (and I could presume to be Jewish because of his Hebrew-originated user name) has pointed out some very helpful information that you may want to be sure to look over, or at least glance over. And I would also hope that he can be very trustworthy on this call because he is accustomed to the lifestyle and culture.

Your best bet is to first inform a higher up, and also explain to them that you would also like to talk to G about it. He may just be blind to the idea that it's rather wrong. Or for that matter, wrong to you and you would feel very un-just doing so.

It may really not be a large deal, but if you conduct it too lightly, it may hit you back in the butt. Perhaps the best action is to make it aware to higher officials, counsel the individual on proper work practice with emails and if you see or hear it happen again, do more "harsh" levels of training.

thansal
04-12-2011, 01:38 PM
To me, and to the users who use the services I manage, this is a big deal. I don't invade their space except under four very specific sets of circumstances:


1. They're having a problem, and ask me to look into it.
2. Something about their space is causing problems for others.
3. That user's manager (or someone higher up, but still in that user's management chain) provides a written request to pull the data on the grounds that the user is doing something against company policy. Even then, for this, I'll be running it by my immediate management for a final signoff.
4. ETA: If somebody leaves the company, and their job functions fall to me.



My question would be this:
Is that list actually written down somewhere? If it isn't, it probably should be. Having something like that clearly defined is probably worthwhile, especially as your company grows. I mean, it should be known by the people working there what level of privacy they should expect, and IT/management should then stick to those rules.

I would say you should approach your direct manager (and if that's the new partner as head of IT, then him) and bring it up as a "Look, this situation came up, and I'm not sure what our stance is on this and would like a clarification".

Pedersen
04-14-2011, 04:14 AM
Until today, I was ready to actually tackle this. I hadn't had a good time to do so, but I knew what I was going to do. I was going to sit down with the new partner, and ask about the corporate culture, find out if this was acceptable or just a misunderstanding.

After today, though, there's just no point. I'm not going to stay. So, between now and my last day, I'll let them do what they want, and I'll do my very best to ignore them.