In the Trenches: Trouble brews over unauthorized access to confidential files

An Acme employee is fired for cause after snooping around some personal files of a manager and is denied severance benefits. She brings a civil lawsuit (Only the names are changed to protect the innocent).

Last June, Acme entered into negotiations with Nadir Corp. regarding the possibility of that company merging with or purchasing Acme outright. These preliminary discussions were a matter of common knowledge at both firms. The tentative nature of the low-key talks didn’t necessarily predict or guarantee any particular conclusion.

Universal employee uncertainty isn’t conducive to peak productivity. It was difficult at this stage for Acme to identify any particular job function as being critical and essential to the post-transaction organizational structure. The last thing Acme wanted is for any of its employees, now nervous, edgy and tense, to jump ship prematurely. So, Acme enrolled each of them in an ad hoc severance plan.

The terms of that plan promised generous severance benefits, including two years of full pay, if, as part of any subsequent reorganization, an Acme employee was terminated without cause within the 24 calendar months following the Nadir deal. The plan also withheld these benefits from any Acme employee who, during that period, was terminated for cause, which, according to the Acme employee handbook, was defined as gross and willful misconduct that violated company policy.

One of these policies concerned use of Acme’s computer network. The policy directed employees to access digital information only on a need-to-know basis and to access only that information needed to perform one’s job. The policy also directed employees to consider any job-related computer files they produce to be company confidential and to disclose the content of such files only on a need-to-know basis.

Then, in September, when it became obvious that the deal with Nadir was going to go forward within the very near future, Acme management got wind of some fairly accurate rumors circulating among the rank and file concerning the personnel changes that would need to occur. The ensuing sense of panic needed to be quelled, so Acme management called on the IT department to investigate immediately. After a delay of more than a week to solve some esoteric technical difficulties, Acme’s crack IT team was finally able to identify the employees who had accessed the only network directory that contained the only copy of the only Word document detailing the top-secret employee shuffle plan.

Acme wins this one, hands down, but only by sheer dumb luck.

To atone for its initial embarrassing display of digital ineptitude, the IT crew took it upon itself to expand its investigation in an attempt to reestablish a feeling of competence in the minds of the managers who control Acme’s post-Nadir technical staffing. Besides, taking their lead from governmental practices, such effort would give the Acme IT crew needed practice at thwarting future nefarious covert security incursions. This unsanctioned fishing expedition revealed a probability that some employees had been exploring the remote and obscure nooks and crannies of Acme’s network.

One such suspect was Misty Meener, who had a solid 20-plus year tenure with the company. The evidence the IT team gathered seemed to indicate that on at least one occasion Misty accessed the files on a certain unrestricted shared network computer drive allocated to Sam N. Lamenham, a manager.

The files in question included performance reviews for several of Sam’s former employees, strategic plans for his department and the invitations, guest lists, driving directions and other documents related to Sam’s forthcoming wedding and rehearsal dinner.

Hugh Blewitt Bigg, the director of Acme’s IT department, confronted Misty about her intrusion into Sam’s files. Misty had to admit that she had no real purpose in viewing Sam’s files other than merely being curious about the scope of the wedding plans for someone who earns about six times what she earns.

Thus began the chain of events in which Misty became the sacrificial lamb in Hugh’s campaign to rehabilitate his tarnished image as Acme’s prime computer know-it-all. In the end, Hugh arranged for Misty to be fired for cause and to be denied benefits, specifically the severance pay.

Nevertheless, Misty appealed the decision arguing that the files she accessed weren’t company confidential and that because the Acme-Nadir deal hadn’t yet been finalized, the ad hoc severance plan wasn’t in effect. When the appeal committee rejected her arguments, Misty filed a civil action claiming that Acme had abused its discretion and she should receive severance benefits.

How could this situation have been avoided? Should Sam have been allowed to use the corporate network to store personal files? Is there any rationale for configuring a corporate network so that one person can access another’s files? Did Misty’s activity constitute “gross and willful misconduct?” What obligation does Acme have to ensure that private computer files are kept private? Can one violation without a warning really be considered gross misconduct?

An attorney says:

Acme wins this one, hands down, but only by sheer dumb luck.

The severance plan provides for the payment of severance benefits if an employee is terminated “without cause within the 24 calendar months following the Nadir deal.” But the Nadir deal “was going to go forward in the very near future.” If the deal had not occurred, the condition precedent (as we lawyers like to say) to the payment of benefits had not been fulfilled. Put differently, the severance plan only applies to employees terminated because of the deal with Nadir. Misty’s termination had nothing to do with that deal, and she doesn’t qualify for benefits under the plan.

While an employer certainly may provide in its electronic communications policy that employees may not use the corporate network to store personal files, such a provision may be unrealistic. Certainly, it would be difficult to enforce without a whole new subgroup in the IT department to police documents stored on the system.

Misty’s snooping on the computer didn’t amount to “gross misconduct” under the legal definition of the term. “Misconduct” normally means a willful act in disregard of the employer’s interests. “Gross misconduct,” as it’s usually defined for legal purposes, requires something more than that, usually an act that merits immediate termination, such as fraud, theft or assault.

“Cause,” on the other hand, normally means a good business reason, usually after the employee has been given one or more warnings. Acme, in drafting its severance policy, virtually equated this term with “gross misconduct.” Certainly, Acme was entitled to define the terms in its severance policy any way it wished.

Perhaps the real target of Acme’s ire should have been its IT director.

Julie Badel, partner
Epstein Becker & Green, P.C.
(312) 499-1418
jbadel@ebglaw.com

A corporate consultant says:

Realizing that Misty's offense was revealed through an “unsanctioned fishing expedition,” that she wasn't the only offender, and that Sam's use of company time and equipment isn't appropriate, doesn't make what she did any less wrong. Further, it's not clear whether Sam engaged in personal use of the computer during lunch and breaks, or had been putting in lots of additional hours, in which case, his activity seems acceptable.

We're all aware that there are circumstances that justify termination based on “one violation without a warning:” embezzlement, abuse, drunkenness, etc. We wouldn't balk at the immediate dismissal of such offenders, not only because their behavior is litigious, but also because their behavior is likely to be repeated. How is Misty's offense any different? She was snooping. Spying. Invading the privacy of another. And she was doing so with the knowledge that it was against company policy. Is this litigious? Potentially, yes. She could have seen private medical information. Is she likely to do it again? Of course. Her decision to snoop is grounded in values and character, neither of which is likely to change. I don’t think a warning is appropriate in this case. As for IT's expanded search, let's be clear. They were searching for violations of company policy in the form of unauthorized access to Acme's network, not snooping out of mere curiosity.

For years now, technology has enabled virtual access to the files of other computers, and this is a wonderful convenience that increases productivity. Again, though, this isn’t what Misty did. She accessed Sam's computer to snoop — not to work collaboratively or to increase efficiency, but to snoop.

If Acme fired Misty without also firing those who IT identified as having accessed the “employee shuffle plan,” then Misty has indeed been a sacrificial lamb, and should sue on the basis of being unfairly treated — not on the basis that what she did was “OK” simply because the files weren't confidential.

On a separate, but related, topic: In most of my client companies, folks are working longer hours than ever. Whether scope of work has expanded, positions remain unfilled or poor performance is being tolerated, the bottom line is that long hours at work are increasing, and this erodes work life balance. In such cases, it seems appropriate for employers to allow employees to establish password-protected files. Although it might be necessary to have IT monitor URLs visited and e-mails sent over the employer's server, this would at least acknowledge the increasing encroachment of work into personal life, and would ease the strain just a bit.

Francie Dalton
Dalton Alliances Inc.
(410) 715-0484
fmdalton@daltonalliances.com

An academician says:

I think the issue of Acme’s merger with Nadir is irrelevant in this case. The case is really about whether Misty illegally or unethically accessed the confidential files of another employee. In other words, was she a “hacker?”

I assume that Sam’s computer files are password-protected, and that only someone with the password could access the file, and I am assuming that Sam is the only one with the password (ignoring for a moment the skills of sophisticated hackers). The fact that the files are password-protected means that they are confidential.

If Misty did access Sam’s confidential files, for whatever reason, she goes. I see no reason to retain such an employee. She knew that accessing a confidential file was illegal or unethical.

A couple of recommendations: First, Acme’s IT department needs to figure out how to protect confidential files and do it rather quickly. Second, I have an issue with wedding plans and performance reviews being part of the same cluster of files. I don’t think Sam’s wedding plans should be on the Acme computer, and the performance reviews (probably) should be kept somewhere in Human Resources.

Professor Homer H. Johnson, Ph.D.
Loyola University Chicago
(312) 915-6682
hjohnso@luc.edu