Clm wrote: » They don't have a specific policy stated either way, but the CEO gave him full control over all IT aspects. The issue to me is that the email and everything in O365 is company property. The COO is second in charge and IT falls under his control, so how can a service provider who is a third-party contractor tell the business owner no to their own property?
Clm wrote: » employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
TechGromit wrote: » I think you're missing my point: there was no explicit company policy stating management has the right to look at employees' email, then former employees can assume that all their email is private and not subject to the company violating that privacy. You can't just say that I'm making a new company policy and have it apply to all former employees. That'd be like the government passing a "no one is allowed to have tattoos" law, and if you got them before this law was enacted, then you're guilty of this new crime. In short, the COO can dictate a new company policy that there's no expectation of privacy when it comes to employees using company email, and it would apply to all employees' email going forward, but NOT to emails that were sent in the past. That's invasion-of-privacy lawsuit territory. The service provider was well within their right to take away this guy's admin access. The notice has to be clearly stated, usually when users log on to the system. A judge would have to issue a court order for a good reason to allow access to a specific employee's email at this point. If it became publicly known this guy was reading private emails, CEO or not, it's potentially a huge lawsuit liability for the company. This has to be explicitly stated; it's not a blanket policy that applies automatically to all employees at all companies. The short answer to your question is yes, you are crazy if you believe the COO has unrestricted access to former employees' private emails.
paul78 wrote: » Just my two cents - but I personally find the COO's actions to be distasteful. Granted, in the US, the organization could claim a legitimate business reason. But IMO - going through emails to "catch up" and get a sense of the organization demonstrates poor judgement and leadership.
paul78 wrote: » That said, I'm not aware of any case law in the US where snooping on work emails which are on the business's infrastructure has been tested. To my knowledge, the line is broken only if the employer reaches into the employee's personal messages.
ITHokie wrote: » Even if there were legal issues pertaining to employers accessing current or former employee email accounts, I'm unsure how an MSP would have the standing to enforce or adjudicate the particulars.
JoJoCal19 wrote: I've worked at a couple of Fortune 50 financial firms and it is common practice for management to submit a formal request for access to the email of a leaver (at one company my team was the one who granted the access). Most often it was when an employee was terminated, so that management could find what all the person was working on and assign out work or respond accordingly. Of course, in these situations the email was internal Exchange, so no issues requesting and granting access. And of course, being such large companies, they have the obvious disclaimers about no right to privacy and all work and communications belonging to the company. So no gray areas there. Maybe it's because most of my work has been for large corporations where it's commonplace, but I'm a little surprised that people act like they're surprised this practice happens.
paul78 wrote: » Likewise - you may recall that my own background is in financial services. You probably also know that communications monitoring in certain financial services segments is mandated to detect insider trading and inappropriate customer solicitations. But that monitoring is typically automated and doesn't result in management access to employee mailboxes. And if an investigation is warranted, there is typically a process that involves legal support. As head of security at several financial services companies, I have never ever approved access to an employee mailbox for a manager simply because an employee leaves. Frankly, it's just not worth it. A manager that needs access to an employee's mailbox because the manager needs to know what work that employee was doing is a manager that is not managing the team. Email is not a project management tool or a contracts database. That's just a bad excuse from a line manager. If the employee was involuntarily separated, I have even less sympathy, since that manager should have prepared for the separation by understanding the work of the employee. Typically, what I would approve is to have future inbound emails forwarded to the manager. If there is something in the mailbox that really needs to be retrieved, then I would approve having the forensics team perform a keyword search on the mailbox to extract a specific email or set of emails. I would never risk having some manager (and I don't care if that manager is the CEO) learn of some private detail of an employee's personal affair and repeat it. Or risk an accusation from an employee that the company violated some right - especially in a cross-border situation if the employee was a resident/citizen outside the US where privacy rights are stronger.
infosecs wrote: » I think clm is missing a basic point - the MSP is not a part of the company. If the email is handled by the company, sure, they can allow someone to look at the past emails, just as jojocal mentioned in his post. There have to be proper audit trails, permissions from the CEO, etc., so that it meets legal obligations. But the MSP is a separate business entity; it needs to protect itself as well.