Anyone deal with employee email monitoring and/or IT law here?

langenoir Member Posts: 82
Question: Does your boss have a right to your third party email, social networking, etc. passwords?

So my girlfriend is in an odd situation here. She was working for a lawyer who was a cheapo, made her work on 5 year old computers, no email servers or any on premises servers, and made her use her own personal email for work communications.

(Girlfriend’s interjection, she says her boss didn’t say explicitly she had to use her personal email, and that she could have set her own up but she says she wasn’t thinking. I’m of the opinion that if you’re a W2 employee that you should be provided work email if it’s required to email people for work.)

So my gf finds a new job, puts in her two weeks, her boss treats her badly (snide comments, blaming her for doing things she didn’t do, etc), then demands that my girlfriend give the boss her private Hotmail EMAIL PASSWORD so that she can look through her business emails. My girlfriend refused and her boss yells at her to delete her personal email and then everything will be kosher, no problem.

WTF… ?

Now I’m thinking, is this lady retarded (yes, she’s no computer genius, but still)? I’ll just do a pst backup of the email, delete the personal stuff and send it to her via dropbox.

She then threatens to SUE my girlfriend saying that she has every right to that email, which seems shaky to me at best.

At this point I’m more than a little upset. I email her the PST at 11:30 pm EST, still within the Wednesday window she originally demanded.

This lady has no servers, so I have no doubt that she wasn’t monitoring my girlfriend, but she has threatened to send forensic investigators to go over my girlfriend’s computer. I had my girlfriend change her email, Facebook, LinkedIn, etc. passwords.

So thoughts?

Comments

  • ande0255 Banned Posts: 1,178
  • da_vato Member Posts: 445
    You're going to have to get some legal advice on this one.

    I can tell you there have to be legally binding contracts between your GF and her old boss. However, with her being a lawyer you do not want to take this lady on as neither you nor your GF are as experienced in this realm as she is. She can exploit something neither of you thought about.

    Good luck.
  • wallpaper_01 Senior Member Member Posts: 226
    Hmm, can you not just forward her the business emails sent? Why does she need control of the account? As your GF did not create this account at work, boss probably will find she can't really do a lot.

    Apart from the legal aspects, which I'm not sure about, she is off her rocker... What person in their right mind would try and seize control over someone else's personal email address and think she has that right?! Surely the court would just laugh at her?!

    Sometimes I send messages from my hotmail because work email is down, does this mean my boss has control over my hotmail account?! I'm pretty sure it doesn't... In my opinion the boss should have set up the email account for your girlfriend, her mistake she didn't. Employees shouldn't really need to do that.
  • zxbane Member Posts: 740
    I agree, I don't see why your GF just forwarding the boss any relevant work emails isn't an option, as opposed to needing full control of her personal account. I am interested to see what others with more legal experience say.
  • langenoir Member Posts: 82
    Well she has threatened to sue, but what lawyer doesn't go around threatening to sue people? If she doesn't do anything we're not going to do anything. If she does sue, we'll get an employment lawyer. I was just wondering what you guys thought of all this.
  • wallpaper_01 Senior Member Member Posts: 226
    You should just send her all the emails that are work related and be done with it. Because why would she need the account then?
  • da_vato Member Posts: 445
    Make sure when you come to a solution that both of you agree to that she sends an email stating she is satisfied. Lawyers do always threaten to sue but many are manipulative in my experience (that's what the job is, manipulate the law in favor of their client).

    If you guys can come to an agreement I don't see why not, just make sure there is a paper trail (or email) stating she is satisfied, otherwise months down the road this can come back to bite you in the arse.
  • GAngel Member Posts: 708
    Get legal advice now. (My wife's advice - lawyer)

    You're going to lose either way if she sues, unless you meet a judge who practices common sense and not the law.
    She sounds like a real piece of work but technically she is right.

    I'd just give her the account honestly a vindictive lawyer can make you pay big time.
  • scaredoftests Security +, ITIL Foundation, MPT, EPO, ACAS, HTL behind you Mod Posts: 2,779
    She should send all work related email. She does not have a right for control of her email account since it's personal. She sounds (the boss) like a loon.
    Never let your fear decide your fate....
  • LionelTeo Member Posts: 526
    Like others do, it's best to get a lawyer's advice if you want the nitty detail. But unless your gf has signed a form as a formal agreement, it's against the law/invasion of privacy to access another person's emails/social account without any formal agreement.

    Title 18, 2510 et seq: Wire and Electronic Communications Interceptions
    - Prohibits unauthorized interception of electronic communication.
    Title 18 2710 et seq: Stored wire and Electronic Communications and Transactional Records Access
    - Prohibits access to stored information without permission of owner, exceptions for service provider and intended recipient.

    Do take note that the above laws apply to the US only, you have to double check your own state/country law for similar stuff above. And also when it comes to legal advice, the best answer would always be to contact the lawyer. But your gf should most likely be able to leave without worries, but having a lawyer point of contact would be best in case anything happens.
  • bigdogz Member Posts: 873
    Even though the lawyer is cheap she may win. This is what happens when someone uses personal email or resources for a business need. Your girlfriend should have set up another account which would have avoided all of this... She just did it for a lawyer which is one of the worst situations. Just make sure that she does not do this in the future ;)

    Your girlfriend may have to forward to her boss's email account and delete them. Showing a print screen of deleted mail and having a copy of this for her records would also be a good idea. Your girlfriend should also inform her business contacts in an automatic response stating not to use her hotmail address for future business use.
    You may want to make sure that she does not use the company computer for ANY social media or anything not related to work.
    I think the both of you may have learned a lesson. If the supervisor or boss cannot provide an email address, make it the responsibility of management on how to perform these functions.
    Having a hotmail account used for business is another big hot mess that should be avoided.
  • jvrlopez Member Posts: 911
    If she doesn't care about the personal emails, you should be able to just forward them to her, burn them to a disc, or send her a PST.

    (hoping this reply sticks...this thread has come and gone like 3 times this morning...)
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
  • langenoir Member Posts: 82
    da_vato wrote: »
    Make sure when you come to a solution that both of you agree to that she sends an email stating she is satisfied. Lawyers do always threaten to sue but many are manipulative in my experience (that's what the job is, manipulate the law in favor of their client).

    If you guys can come to an agreement I don't see why not, just make sure there is a paper trail (or email) stating she is satisfied, otherwise months down the road this can come back to bite you in the arse.

    Good idea. If I can get her to do that, I think she might be smarter than that.

    I've been doing all communication over email to leave no room to chance.
  • langenoir Member Posts: 82
    LionelTeo wrote: »
    Like others do, it's best to get a lawyer's advice if you want the nitty detail. But unless your gf has signed a form as a formal agreement, it's against the law/invasion of privacy to access another person's emails/social account without any formal agreement.

    Title 18, 2510 et seq: Wire and Electronic Communications Interceptions
    - Prohibits unauthorized interception of electronic communication.
    Title 18 2710 et seq: Stored wire and Electronic Communications and Transactional Records Access
    - Prohibits access to stored information without permission of owner, exceptions for service provider and intended recipient.

    Do take note that the above laws apply to the US only, you have to double check your own state/country law for similar stuff above. And also when it comes to legal advice, the best answer would always be to contact the lawyer. But your gf should most likely be able to leave without worries, but having a lawyer point of contact would be best in case anything happens.

    Oh that's great thanks LionelTeo and my GF said thank you as well. She's being a nervous wreck. We're in the US, btw, NYC.
  • ousebg Member Posts: 5
    1. If your GF used the email address for business transactions, the lawyer boss has a right to that address.
    2. If your GF hypothetically "forgets" her password, and no medical surgery in the world can make her remember it, it's her lawyer boss's negligence and stupidity. She'll have to deal with Microsoft's privacy terms to get access ;)

    You know what to do next.
  • TeKniques OSCE, OSCP, CISSP, CISA, SSCP, MCSE (03), Security+, Network+, A+, Project+ Member Posts: 1,262
    The place to start here would be to review all documentation that was signed before starting the job. I'm assuming that since this is a lawyer your GF was working for, there will be some sort of contract that was executed before she began the job. If so, your GF should have a copy - review that and take it to your own lawyer (if it gets that far) for review.

    Second, those emails actually don't belong to the lawyer or your GF - they belong and are property of Microsoft. Microsoft owns the equipment that stores and processes the emails so your GF's employer (the lawyer) does not have a legal claim on any of it. Collection of this data will and should be outlined in the contract between your GF and her boss.

    Good luck, sounds like it's going to be a roller coaster of a battle.
  • YFZblu Member Posts: 1,462
    As far as protecting your girlfriend's computer, have you encrypted the hard drive yet? My understanding is that memorized encryption keys are considered a product of the mind, and she cannot be forcibly compelled to divulge them.
  • langenoir Member Posts: 82
    TeKniques wrote: »
    The place to start here would be to review all documentation that was signed before starting the job. I'm assuming that since this is a lawyer your GF was working for, there will be some sort of contract that was executed before she began the job. If so, your GF should have a copy - review that and take it to your own lawyer (if it gets that far) for review.

    Second, those emails actually don't belong to the lawyer or your GF - they belong and are property of Microsoft. Microsoft owns the equipment that stores and processes the emails so your GF's employer (the lawyer) does not have a legal claim on any of it. Collection of this data will and should be outlined in the contract between your GF and her boss.

    Good luck, sounds like it's going to be a roller coaster of a battle.

    Well there were no contracts signed whatsoever. That's why I think the lawyer is all huff and bluster.

    I told my gf the second point about MS owning the account and the content. I was going to throw that at the lawyer, but she believes that since the emails were composed on her equipment, in her office, on her time they belong to her. Guess she never heard of dumb terminals, I wasn't going to try and explain web SaaS to her...

    I'm not too worried, but I'm just checking to be sure. Never good to be overconfident when dealing with lawyers. Thanks TeKniques.
  • paul78 Member Posts: 3,016
    Hello and sorry to read about such a distressing ordeal for your gf.

    I work with these types of issues on a fairly regular basis. And unfortunately, your gf isn't quite in a good spot. When these issues occur, I work with an army of attorneys that specialize in privacy and HR law.

    A couple of questions, are you certain that your gf was permitted to use her personal email for business purposes? Was she ever explicitly in either writing that it was permissible to conduct business using her personal email? Did she receive or does the former employer have any type of acceptable use policy or confidentiality statement that she may have signed or acknowledged as condition of employment?

    What @ousebg stated is accurate - there could be a case where the former employer has the right to review or request access to the email.

    However, most employers who value their reputation or understand privacy law would ever try to simply request full access. The employer could risk violating for example HIPAA if the emails contained protected health information. And frankly, it's unnecessary.

    At my current employer, if I have a situation where an employee is suspected of having confidential business files or emails in their own personal email or computer system, we will simply issue a stern letter asking for either the data or media to be returned or destroyed. And we would request a signed acknowledgement. We never threaten legal action because that's just mean-spirited.

    If the material that is taken is highly confidential or potentially belonging to one of our customers, we may send a forensics analyst to the individual's home to look over their shoulder to assure that all our sensitive information is removed. And in all cases, we terminate employment.

    If the issue is egregious, we do sometimes press charges - but that is very very very rare.

    One thing to note - be very cautious about deleting material that belongs to the employer. Under federal law, charges could be levied under the Computer Fraud and Abuse Act.
  • langenoir Member Posts: 82
    Thanks paul78, that gives some things to think over.
  • iBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,309
    The last thing I would do is hand over a personal account password to a spiteful boss.

    I would agree to comply with requests to delete and forward any company related materials upon written request.

    I would also point out she has a right to that account as well since she likely used it professionally outside of her current work, i.e. tied to LinkedIn, on resumes etc., so giving it up would do her damage.

    The best advice of all in this thread is to talk to a lawyer (this not her former boss!).
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • tprice5 Member Posts: 770
    paul78 wrote: »
    And in all cases, we terminate employment.

    Paul sounds like someone you DO NOT want to mess with.
    Certification To-Do: CEH [ ], CHFI [ ], NCSA [ ], E10-001 [ ], 70-413 [ ], 70-414 [ ]
    WGU MSISA
    Start Date: 10/01/2014 | Complete Date: ASAP
    All Courses: LOT2, LYT2 , UVC2, ORA1, VUT2, VLT2 , FNV2 , TFT2 , JIT2 , FMV2, FXT2 , LQT2
  • JoJoCal19 California Kid Mod Posts: 2,829
    Why not just have your g/f delete the email account. Then there is nothing the lawyer can do to access it.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, CEHv8, CHFIv8, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • MrJimbo19 Member Posts: 49
    I'd like to add to this with just a simple make sure your GF has 2 factor authentication enabled on the account and is watching for foreign access. I have known some lawyers in the past who have been extremely questionable in what they consider fair. Hope it works out for you, tough place to be trapped in.
  • MTciscoguy Member Posts: 552
    As the information is stored on a Microsoft server and not her personal computer, they would have to go to Microsoft to retrieve the information, this I know for a fact, as my wife also owns an internet company that does email services, we have been subpoenaed a couple of times in the last year, once that happened we had to provide the emails in a non-encrypted fashion, they were then reviewed by the court with both parties present to agree that the requirements had been fulfilled and that agreement was entered into the court record. Check with the state agency that handles employment matters in your state, some states have really cracked down on this type of stuff and others, not so much. Where I live and we have our business, the employer has to show cause and suspicion that damage "MAY" have occurred before they will get to this point, they can't just automatically demand access to the account. One of the city governments in the state that I live in tried to make people disclose passwords to social media accounts before they were hired so they could monitor what is being said about the company and it didn't stand up in court. When it was all said and done, they stopped that practice.

    But as has already been posted, get a hold of an attorney well versed in this type of law as well as the state employment agency that handles disputes.

    And next time, don't use a personal email for company business, if your job requires electronic communications make sure the company you are working for provides a company email address and never use that address for personal communications! Never mix business and personal communications, Never!
    Current Lab: 4 C2950 WS, 1 C2950G EI, 3 1841, 2 2503, Various Modules, Parts and Pieces. Dell Power Edge 1850, Dell Power Edge 1950.
  • xenodamus Member Posts: 758
    Although "forgetting" the password seems like a fun way to proceed.....I would go with Paul's advice.

    Come to an acceptable agreement with her, if at all possible. I know I would feel a good deal of personal indignation if presented with the same situation. Try to overcome that and do what it takes to appease her - maybe offering to sit down with her and forward/delete all business emails while she oversees.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • cyberguypr Senior Member Mod Posts: 6,916
    Just wondering if this ended up in an amicable fashion.
  • langenoir Member Posts: 82
    We haven’t heard anything. I left the pst up on my dropbox for 30 days like I said I would and deleted it. Some of the lawyers we contacted said she didn’t have a case so we just stopped talking to her.

    The irony of this situation is the lawyer is a family “friend.” Has known my girlfriend since she was little. I guess she was at some sort of Christian adult camp, got drunk, had a talk with someone else who works in the office about how she’s being ridiculous, and I haven’t heard anything. Good riddance.

    But again, thanks for all the input guys.