In the Trenches: Trouble brews over unauthorized access to confidential files
An Acme employee is fired for cause after snooping around some personal files of a manager and is denied severance benefits. She brings a civil lawsuit (Only the names are changed to protect the innocent).
Last June, Acme entered into negotiations with Nadir Corp. regarding the possibility of that company merging with or purchasing Acme outright. These preliminary discussions were a matter of common knowledge at both firms. The tentative nature of the low-key talks didn’t necessarily predict or guarantee any particular conclusion.
Universal employee uncertainty isn’t conducive to peak productivity. It was difficult at this stage for Acme to identify any particular job function as being critical and essential to the post-transaction organizational structure. The last thing Acme wanted is for any of its employees, now nervous, edgy and tense, to jump ship prematurely. So, Acme enrolled each of them in an ad hoc severance plan.
The terms of that plan promised generous severance benefits, including two years of full pay, if, as part of any subsequent reorganization, an Acme employee was terminated without cause within the 24 calendar months following the Nadir deal. The plan also withheld these benefits from any Acme employee who, during that period, was terminated for cause, which, according to the Acme employee handbook, was defined as gross and willful misconduct that violated company policy.
One of these policies concerned use of Acme’s computer network. The policy directed employees to access digital information only on a need-to-know basis and to access only that information needed to perform one’s job. The policy also directed employees to consider any job-related computer files they produce to be company confidential and to disclose the content of such files only on a need-to-know basis.
Then, in September, when it became obvious that the deal with Nadir was going to go forward within the very near future, Acme management got wind of some fairly accurate rumors circulating among the rank and file concerning the personnel changes that would need to occur. The ensuing sense of panic needed to be quelled, so Acme management called on the IT department to investigate immediately. After a delay of more than a week to solve some esoteric technical difficulties, Acme’s crack IT team was finally able to identify the employees who had accessed the only network directory that contained the only copy of the only Word document detailing the top-secret employee shuffle plan.
“Acme wins this one, hands down, but only by sheer dumb luck.”
To atone for its initial embarrassing display of digital ineptitude, the IT crew took it upon itself to expand its investigation in an attempt to reestablish a feeling of competence in the minds of the managers who control Acme’s post-Nadir technical staffing. Besides, taking their lead from governmental practices, such effort would give the Acme IT crew needed practice at thwarting future nefarious covert security incursions. This unsanctioned fishing expedition revealed a probability that some employees had been exploring the remote and obscure nooks and crannies of Acme’s network.
One such suspect was Misty Meener, who had a solid 20-plus year tenure with the company. The evidence the IT team gathered seemed to indicate that on at least one occasion Misty accessed the files on a certain unrestricted shared network computer drive allocated to Sam N. Lamenham, a manager.
The files in question included performance reviews for several of Sam’s former employees, strategic plans for his department and the invitations, guest lists, driving directions and other documents related to Sam’s forthcoming wedding and rehearsal dinner.
Hugh Blewitt Bigg, the director of Acme’s IT department, confronted Misty about her intrusion into Sam’s files. Misty had to admit that she had no real purpose in viewing Sam’s files other than merely being curious about the scope of the wedding plans for someone who earns about six times what she earns.
Thus began the chain of events in which Misty became the sacrificial lamb in Hugh’s campaign to rehabilitate his tarnished image as Acme’s prime computer know-it-all. In the end, Hugh arranged for Misty to be fired for cause and to be denied benefits, specifically the severance pay.
Nevertheless, Misty appealed the decision arguing that the files she accessed weren’t company confidential and that because the Acme-Nadir deal hadn’t yet been finalized, the ad hoc severance plan wasn’t in effect. When the appeal committee rejected her arguments, Misty filed a civil action claiming that Acme had abused its discretion and she should receive severance benefits.
How could this situation have been avoided? Should Sam have been allowed to use the corporate network to store personal files? Is there any rationale for configuring a corporate network so that one person can access another’s files? Did Misty’s activity constitute “gross and willful misconduct?” What obligation does Acme have to ensure that private computer files are kept private? Can one violation without a warning really be considered gross misconduct?
An attorney says:
Acme wins this one, hands down, but only by sheer dumb luck.
The severance plan provides for the payment of severance benefits if an employee is terminated “without cause within the 24 calendar months following the Nadir deal.” But the Nadir deal “was going to go forward in the very near future.” If the deal had not occurred, the condition precedent (as we lawyers like to say) to the payment of benefits had not been fulfilled. Put differently, the severance plan only applies to employees terminated because of the deal with Nadir. Misty’s termination had nothing to do with that deal, and she doesn’t qualify for benefits under the plan.
While an employer certainly may provide in its electronic communications policy that employees may not use the corporate network to store personal files, such a provision may be unrealistic. Certainly, it would be difficult to enforce without a whole new subgroup in the IT department to police documents stored on the system.