General discussion

  • #2191081

    Rock and hard place

    Locked

    by dv370 ·

    As the IT Director, I am responsible for security and integrity of the data on the network. Our CEO recently left (replacement has been here for 2+ weeks) but stays an employee through Nov. He doesn’t want e-mail access removed, even after that, since he is utilizing his address for “other deals” but not for our company business. CFO, my manager (different topic for another day), has told me this and now wants his mailbox monitored. Not to see WHAT is being sent but how much. I told the CFO that I thought this was NOT the right thing to do, however, I am being told to do it because of this “rock and hard place” the CFO is in. I will be monitoring usage myself instead of asking one of my associates to do it. I believe that now I am being put in that same “rock and hard place” position and I am not at all pleased about it. I was hoping that someone could give me some advice on a similar situation they have been placed into and how they handled it.

All Comments

    • #3045572

      Tell the CEO and Do It

      by wayne m. ·

      In reply to Rock and hard place

      I presume the CFO is at the appropriate level to request this and I would say he is being very lenient to allow the CEO to continue using the corporate e-mail.

      If the CFO has not done this, send an e-mail to the CEO informing him of the level of monitoring you have been instructed to perform. Tell the CFO ahead of time and copy him on the message. You may want to clarify what the CFO means by monitoring for “how much”, whether that means mail box size or number of e-mails.

      I would find this a strange practice to allow a CEO to continue to use a corporate e-mail and you may want to suggest to the CFO that the company proceed with a phase out procedure. Perhaps 1 month of continued access, then having the company forward e-mail to a private address for 1 month, then having the company reply with the private address and not forward for 1 month, and then kill the account. I just pulled the 1 month out of the air, but this gives the CEO 3 months to get his act together and use his own e-mail account.

      Do what your boss says, but also let the CEO know. This provides the best solution all round and makes everyone aware of what is going on. If you receive complaints from the CEO, don’t comment, just forward them to the CFO. This is between them and you are only the messenger.

      • #3045536

        Unfortunately…

        by dv370 ·

        In reply to Tell the CEO and Do It

        I am not in a position to inform the old CEO of this level of monitoring, nor am I comfortable asking the CFO if that fact had been discussed. It’s more of a political issue, and one that I most certainly do not want to get involved in. I honestly think the CFO is just being nosey, especially given the fact that I’m not supposed to monitor WHAT the e-mail system is being used for, only how many e-mails are being sent and received.

        • #3114426

          Check the security/email/acceptable use policies first

          by it security guy ·

          In reply to Unfortunately…

          I would first ask you if your company has written email security policies in place and does the outgoing CEO and current CFO know about them. If all employees know about them (and they should) you don’t have to tell the CEO about the monitoring since he/she should already know it is a possibility. You could also send an email containing the email use policies as a reminder.
          You should ask the CFO what the reasons are for allowing the continued direct access to the corporate email and depending on the answer, suggest allowing forwarding of email and for a specified amount of time. If the CEO understands there is no expectation of privacy when using the company’s email, he/she can’t claim no knowledge.
          If the CFO is worried about legal concerns, then the full IT security staff should also be involved to ensure proper forensic procedures are followed if any evidence is needed in court. If, as you say, this is politically motivated, check the exact wording of the email policy to ensure the circumstances for monitoring are stated. If what you are being asked to do is not stated in the policy, check with an HR person and read all the security policies to see if that type of monitoring is allowed. If it is not, you should say so to the CFO and explain it is against policy to do so. If there is continued pressure, you can say you can’t violate the policy even if it means collecting evidence for future use.

        • #3114324

          You always could …

          by too old for it ·

          In reply to Check the security/email/acceptable use policies first

          … get all the CxOs together, and have them sign off on an addendum to the policy.

        • #3114286

          Why is this a question?

          by davidj ·

          In reply to Unfortunately…

          If all you are being tasked to monitor is the number of messages being sent/received, I do not understand what your issue is. Paying attention to the volume of mail traffic, with regard to both size and number, is something you should be doing on an enterprise-wide level if you’re not already doing so, and taking the scope down to one user will not kill you, nor will it compromise any sensitive information. There is no need to inform anyone of anything, because you aren’t actually reading your ex-CEO’s mail. Additionally, once he’s truly “gone” from your firm, he should not still be able to access your email system. That is just asking for an issue later on down the road.

        • #3122285

          CYA

          by mary.shaw ·

          In reply to Unfortunately…

          Regardless of what else you do in this situation, you must get the CFO’s request in writing and save it – for your own protection! You don’t know what kinds of shenanigans are going on, you don’t want to know, but you especially don’t want this to come back and bite you in the butt if the CFO is being underhanded.

      • #3115943

        Modification of plan

        by pete1978 ·

        In reply to Tell the CEO and Do It

        Wayne M. suggested that, after a given time, the email be forwarded instead of continuing to allow access.

        Two slight modifications on this idea. There should be a limit to how long the mail is forwarded (say 30 days). I have many email contacts and I could update them on my new email address within 30 days easily.

        Second, the forwarding should be selective. The former CEO may be receiving email that should be forwarded to the current CEO instead. In fact, due to this possibility, the email should be monitored for content as well as size so that all CEO business email goes to the new CEO instead of going to the old CEO.

      • #3114364

        question

        by ou jipi je ·

        In reply to Tell the CEO and Do It

        Did you actually enquire why CEO requires to use his e-mail? A simple question might have saved you the time typing in your problem here. Either he has a legitimate reason that is confirmed by e.g. board of directors (or whoever controls the company above the CEO) or he would not give you a legitimate answer in which case as he is no longer employed at the company it should be within your authority (as IT director) to cut him off. As a side note, how many asses did you need to lick to get the position of IT director? My apologies for my choice of words in this reply, it seems however that you posting your “problem” here from a position of IT director, strikes me as a raging example of incompetence of today’s leaders/ managers.

        • #3114282

          Uncalled for

          by dv370 ·

          In reply to question

          You know, I found this board and had been reading posts for quite some time and had hoped that professionalism in responses would be received. However, based upon your post, I was dead wrong. Thank you for your “input” but I will not defend how I received my professional position.

        • #3115094

          Don’t worry about that reply

          by hal 9000 ·

          In reply to Uncalled for

          Some people just have a chip on their shoulder and find it impossible to be civil to others. That kind of posting in no way reflects the many who contribute to these discussions and should be treated as the exception rather than the normal.

          Cheers

          Col

        • #3115022

          dv370

          by ou jipi je ·

          In reply to Uncalled for

          I don’t think I have anticipated you to defend your position, my comment was to merely remind you of your position.

          “As the IT Director, I am responsible for security and integrity of the data on the network.”

          Fine, sounds good so far.

          Now, let’s get the summary of the rest:
          a.) “The CFO has _told me_ to monitor CEO’s mailbox”
          //CFO cannot _tell you_ to do so, he might officially request (in writing) such activity to take place.

          b.) “I have _told him_ that _I thought this was NOT the right thing to do_, however (???)
          I am being told to do it because of this “rock and hard place” the CFO is in (???).”
          //Again, you have informed your CFO (verbally) that it is not the right thing to do, but agreed to do this thing that is not right ANYWAY because CFO is in “rock and hard place” position.
          The question is also what the “rock and hard place” position your CFO is in has to do with you. Does it imply that you don’t have to behave professionally?

          c.) “I will be monitoring usage myself instead of asking one of my associates to do it. (???)”
          //Then you have chosen to do the thing that is “not right to do” by yourself, although you were not asked to provide for content monitoring of the correspondence in question but merely the amount of correspondence (messages).

          At the bottom you mention that you are not _pleased about the situation_. My professional opinion is that you got yourself into it, and no website forum will bail you out. Howgh.

        • #3116729

          Bailing me out???

          by dv370 ·

          In reply to dv370

          I don’t recall any request to “bail me out”. I purely asked if anyone had been in a similar situation, and how they handled it. Honest question, in my opinion, given the nature of this forum.

        • #3114276

          Excuuuuse you?

          by nkc ·

          In reply to question

          You apologize for your “choice of words”? That’s a pretty mild interpretation of your extreme rudeness. It strikes me as similar to spitting on someone and apologizing for your “choice of phlegm destination.”

        • #3114096

          Excuse my choice of words

          by muddywaters ·

          In reply to question

          I wouldn’t dare to post on this site my choice of words for you sir (or madam).
          Obviously you are not a leader or manager of competence. If you were, you wouldn’t be carrying that big chip on your shoulder. Who stepped on You?

        • #3116912

          Surprised at your conduct

          by aaron a baker ·

          In reply to question

          When one considers that the people who come to this board are the very best in their respective fields and wonderful discussions take place exactly “Because” of that diversity, I’m a little surprised to see your need to inject venom and vulgarity where none should exist. You should consider yourself fortunate to have such a place as Tech Republic where some of the finest minds in the World come to share ideas, points of view and above all their integrity. There was absolutely no call to treat this gentleman this way and you now owe him one heck of a large apology for the crude, rude and calloused remarks made during your rant. After you’ve done that, consider this, what if ever, the almighty “You” needed help? Where could you turn to that you could trust?
          RIGHT HERE is where, so don’t spout acid at someone that you might be depending on for an answer somewhere down the road. The Techs from all over the World that come here are the Finest, my friend, and they can think well above the gutter level that you so maliciously displayed with your discompassionate, calloused and verbal abuse. In short, grow up, learn how to live or adjourn.
          Just remember this, when you are here, you are in the company of the very best, so try to act in accordance with that.
          Notice I didn’t ask how you got your job? Wasn’t that nice? 🙂
          Thank you for your attention
          Aaron

        • #3116869

          Appreciation

          by dv370 ·

          In reply to Surprised at your conduct

          The manner in which the vast majority of professionals respond and assist with issues on this board, is exactly why I came here in the first place, to get advice. I do not expect an apology from the individual that posted the unnecessary comments. I am pretty thick skinned given that I am a female IT executive 🙂 and have had to handle much worse criticism, albeit more “constructive”, in the last 7 years as a manager. Professionals are supposed to be just that, professional.

        • #3136135

          Re: Surprised at your conduct

          by vltiii ·

          In reply to Surprised at your conduct

          I’m sure this will be interpreted as rude or combative, but it is my opinion. I truly question if we’ve been following any of the same discussions here. The majority of the questions posted and many of the responses indicate to me that those that come here are not the very best in our fields as you claim they are, else most questions would not need to be asked. This is not to say that there aren’t some that participate here that certainly qualify as experts in their respective areas. To date, every discussion I’ve followed (and this is pretty much true everywhere, not just here at Tech Republic) within 3 or 4 responses, they start to veer off topic. We all know there is more than one solution to many issues affecting IT, but the responses generally end up ranging from criminal recommendations, to unethical, to a few decent and respectable responses. I’ve seen more than a few posts such as yours that portends to present ITs as great professionals, yet without fail there is a lack of respect and courteousness towards one another in groups such as this. That being the case, how are our customers supposed to perceive us as the professionals we claim to be?

        • #3117860

          Pot calling kettle ….

          by servicetech ·

          In reply to Re: Surprised at your conduct

          “To date, every discussion I’ve followed (and this is pretty much true everywhere, not just here at Tech Republic) within 3 or 4 responses, they start to veer off topic.”

          And just what part of your reply was about the original question? 🙂

          “else most questions would not need to be asked.”

          Last time I checked, I haven’t found anyone, Myself included, that knew it all.

        • #3136201

          Re: question

          by vltiii ·

          In reply to question

          ouch!!! So painfully honest eh. 🙂

      • #3117170

        Dirty Deal

        by randy hagan ·

        In reply to Tell the CEO and Do It

        If the CFO of the company is “driving” this deal with the CEO, then asking you to map the course, it’s very fishy.

        The idea of a CEO leaving the company, but using the company email system for “other deals” is pretty suspect. The fact that the CFO is endorsing this, then trying to monitor it, makes him rather suspect as well. It’s commendable that you are taking this project on yourself, though it may leave you vulnerable to whatever skulduggery is happening up above your pay grade.

        Wayne M.’s answer is probably the best compromise available … do what the CFO wants, but inform the CEO. Email gives you a documentation trail that you may well need if things go horribly wrong at a later date.

    • #3045547

      Don’t worry

      by amcol ·

      In reply to Rock and hard place

      If the outgoing CEO is being kept on the payroll through November then for all intents and purposes he’s an employee. There’s no problem or impropriety with him maintaining his e-mail account on the company system.

      After that, once he officially severs, he should be removed from the system. You need to clarify more than you have why his e-mail account would remain on the system after November, especially if he’s working on deals not for your company. That’s personal business and opens your company up to potential liability if you allow continued e-mail use since he could be construed as acting as a de facto agent for your company.

      You’ve been asked to put in place a minimal, and appropriate, amount of monitoring. By measuring volume the CFO is trying to make sure the CEO doesn’t try to download the company database, and by not monitoring the actual transmission transactions you’re avoiding ethical issues, if not legal ones.

      I wouldn’t worry about this. You’re doing the right thing acceding to your CFO’s request and you’re doing it the right way by doing it yourself (obviously you want to document everything you’re doing at a granular level every step of the way). It may be that your new CEO made this request to your CFO who handed it down to you, which is not something you should be concerned about. You just need to make sure your new CEO and your CFO are on board about cutting off your old CEO’s e-mail privileges the moment his employment status ends.

      • #3045531

        I agree

        by dv370 ·

        In reply to Don’t worry

        Once November is gone, access should be removed. In the meantime, I don’t feel that I should be monitoring activity. I didn’t do that while he was physically located in the office. You are right…the new CEO may have requested it, but I highly doubt it. I will do as I am asked and document it along the way and see what November 30 brings. Thanks for the input!

        • #3045471

          Kill ’em with kindness

          by charliespencer ·

          In reply to I agree

          Send the CFO an update on the former CEO’s email activity every morning, showing number of messages and mailbox size, broken down by folder. Maybe he’ll get tired of receiving it and ask you to quit.

        • #3044309

          Good idea here

          by dmambo ·

          In reply to Kill ’em with kindness

          Also forward that report to the former CEO so he’s aware that his activity is under some level of scrutiny. This will probably hasten his finding a new address.

          I wonder what the big deal is. Why doesn’t this guy just start auto-replying now that by 1-Dec his new address will be weasel@….? Is he trying to save money? Is he trying to imply that he’s still affiliated with the company? Is he trying to get leads on new business that he can foist from the old firm? It seems to me that there is really no good reason for the company to allow this, unless he’s going to be working on a consulting basis.

        • #3044224

          Wondering

          by dv370 ·

          In reply to Good idea here

          You and I are both wondering the same thing. I have been told it’s a matter of “convenience” for him and that it would take too much time and effort to send out notifications of a new address.

        • #3136128

          Re: Wondering

          by vltiii ·

          In reply to Wondering

          …but he will have to do that anyway once he is no longer on the payroll. At this point he’s only delaying the inevitable and in my mind raising more questions.

        • #3115979

          Note to old CEO *not* a good idea

          by tg2 ·

          In reply to Good idea here

          A note to the old / outgoing CEO is *not* a good idea.

          You have to continue working with the company, the old / outgoing CEO does not. The CFO could make life miserable for you or at the very least fire you for violations of the original request.

          Documentation yes… inform CFO often, yes, I would also talk to HR … let them know that you are in a position and have been asked to do something that would be considered contrary to established rules. At that point ask what steps HR would recommend.

          It might come down to having a chat with the new CEO since the CEO is usually the head of the whole company. If the CFO is the acting CEO, then you’ve no alternative but to do what you’re required to do, journal it so that you can back yourself up should it come back to a firing.

          Also, I would change the deleted settings for the CEO’s email to be 30 or 45 days … so that the email is kept even when deleted. This allows recovery of anything at a later time that may be necessary.

        • #3115898

          HR! HR! HR! HR!

          by fooser dan the network man ·

          In reply to Good idea here

          It would be in your best interest to involve your HR Department. If you don’t have one, you should get the directive from your manager via email so that you have something in writing (then forward that email to a private email address for safekeeping).

        • #3115977

          Legality

          by gpartridge ·

          In reply to Kill ’em with kindness

          I don’t think it is actually legal to monitor user’s emails without informing them that you are.
          It is the same as call monitoring and video recording. You have to inform people they are being monitored.
          This should be done by an email and web access policy and should be signed by all employees.

          The CEO has a right to know how company property is being used, including email. If the new CEO asked for the old CEO’s email to be monitored then do it and monitor it. Just make sure what you are doing is legal or things could get nasty.

        • #3115959

          Not so

          by amcol ·

          In reply to Legality

          Anyone who works for a company, irrespective of size, has no expectation of privacy. As your landlord, I can’t open your mail because you own it and I’d be committing a federal offense. As your boss, I CAN monitor your e-mail, because your e-mail doesn’t belong to you…it’s considered a corporate asset.

          It’s certainly good policy and practice to inform people in advance that monitoring is taking place, and it sure sends a poor message to the troops when monitoring is happening covertly. However, there’s nothing illegal about it.

          A lot of folks have gotten in a lot of trouble because they didn’t understand this. Word to the wise.

        • #3115893

          Monitoring activity is different than reading emails

          by eaglet3d ·

          In reply to Legality

          Monitoring activity is no different than knowing how much file space a user is taking on the corporate network. The company owns the resources and has a right to monitor its usage for making resource purchase decisions. In this case, there may be other reasons for monitoring the usage. However, that doesn’t matter. It is still the company’s right to do so.

          Monitoring usage will not stop unethical behavior by the previous CEO, but may provide indicators to the CFO that it is time to stop the exiting benefit that is being provided to the previous CEO.

          I recommend that you follow your CFO’s directions to monitor usage. Do not notify the former CEO unless instructed to do so by the CFO.

        • #3115887

          It is legal

          by keyguy13 ·

          In reply to Legality

          In most states surveillance is legal. Look it up.

        • #3115784

          Email Monitoring is it legal?

          by jabamonte ·

          In reply to Legality

          According to the courts, use of business email does not carry the same protections as does US postal mail. This means that the employer can monitor email for content, how much, and/or how often. Check your employee handbook, it should have a section on email usage and what the company can and/or will monitor. If your employee handbook does not have a section on email usage, you as the IT Director should get one included in the handbook ASAP.

        • #3118587

          monitoring criteria

          by mudrick ·

          In reply to Email Monitoring is it legal?

          In case it is legal, is there any email monitoring criteria?

        • #3045433

          No ethical problem

          by stress junkie ·

          In reply to I agree

          There’s no need to concern yourself about ethics. This request is completely ethical. The computers are owned and operated by the company. Everything that happens can ethically be monitored at the request of management. This isn’t like putting a camera in a person’s house. There is no “right to privacy” on company owned equipment.

          As far as the old CEO using the email after November I would agree with the other post saying that there could be legal ramifications. The use of the company email could be like using stationery with the company’s letterhead. The old CEO may take a ream of company stationery and use the company email. This could make it appear that he is employed and is acting as an authorized agent of the company. It would probably be for the purpose of appearing to be employed while he is looking for work but who knows what evil lurks in the hearts of CEOs?

          Anyway I think that you should recommend that the email access be terminated the last day that the old CEO is paid or otherwise on the books as an employee.

        • #3044216

          Ethics

          by dv370 ·

          In reply to No ethical problem

          I completely agree that a request of this nature is purely ethical. I have been tasked with requests like this many times in my career. My issue with this one is that I believe the request is purely to serve the CFO’s desire to be nosey. Why not want to know WHAT he’s sending/receiving and not just the volume if there’s a question regarding his actions?

        • #3115883

          That’s the point I think

          by keyguy13 ·

          In reply to Ethics

          Obviously your CFO is NOT being nosey or he would be asking for the content as well. It’s obvious he is trying to make sure that large amounts of data are not being sent off premises. Seems completely reasonable and ethical to me.

        • #3115848

          I agree

          by eaglet3d ·

          In reply to That’s the point I think

          I agree. The CFO is just protecting the company’s interests.

        • #3114769

          If I know CFO’s …

          by mborgen ·

          In reply to I agree

          He’s looking for a way to “charge back” for the use of company assets.

        • #3114345

          Usage = Chargeable?

          by deadly ernest ·

          In reply to Ethics

          Could be that the request to monitor usage is related to an agreement that the ex CEO can use the system but has some usage limits that he can be charged for if and when he exceeds them. In such a case knowing the usage level would be required.

        • #3136117

          Re: Usage=Chargeable

          by vltiii ·

          In reply to Usage = Chargeable?

          You would think in a situation such as this that the CFO would explain his/her rationale behind making the request instead of having the IT Director essentially working in the blind.

        • #3135945

          When was the last time that someone in upper Management

          by hal 9000 ·

          In reply to Re: Usage=Chargeable

          Told you why they wanted something done and not just told you to do it?

          Face it, we are the service side of any industry, we are a necessary evil that they would dearly love to do without but can not do without because they need us. I’ve never known any Upper Management person to justify their demands to me, they just make them and expect them carried out. 🙂

          Col ]:)

        • #3114793

          Why volume?…A Thought

          by bluegiant ·

          In reply to Ethics

          Some posters already mentioned that the CFO may be looking at volume to be sure that large amounts of data are not being e-mailed some place else.

          Another thought is that the CFO wants to be sure the outgoing CEO is not sending large volumes of e-mails to current customers attempting to get them to follow him to his future employer/company.

          I guess I’m wondering where the new CEO stands on all of this. If it were me, I would be monitoring for content too…an outgoing CEO with full system and e-mail access and a chip on his shoulder can do A LOT of damage to a company in one month.

          Good luck with this,

          Mark

        • #3114047

          Your motive for monitoring is what matters

          by nelsonm ·

          In reply to No ethical problem

          I worked for a company with another IT person who was reading a user’s email because of personal interest in that particular person. This is completely improper. Upon request by management however it is the correct thing to do. I had a user get upset with me because I copied a system file from her computer that I needed. I had stopped by her desk to look for her and ask if I could get on her computer to get the file but could not find her. I got it thru the network from my computer instead. Later, someone who knew that I was looking for this user informed her that I had been looking for her so she asked me what I had needed from her. I told her I had already copied the file thru the network. I considered this person a friend and didn’t think it would be a big deal. The next thing I know I’m in an argument with her and the other women in her department defending myself against a charge that I had somehow violated her. Their argument was that it was as if I were her landlord and gone into her apartment, opened her refrigerator, and taken a sandwich. I had to point out that it is not her apartment (computer) and not her sandwich (file) and that unlike the limitations of a sandwich (cannot be copied), the file was copied and not moved. The other point I had to stress was that all the files on a computer in a company belong to the company and if you have personal information on the computer you had better get it off if you don’t want anyone to see it. My boss stood by me on this and it was resolved by me apologizing for hurting her feelings and explaining that I never intended to do that – even though I would not apologize for my actions. She and I are back to being good friends now and I think she has a better understanding of the IT/user/computer relationship.

      • #3115975

        First things, first…..

        by lederhoden ·

        In reply to Don’t worry

        Decide exactly how you’re going to perform the surveillance – what procedures, tools, etc.
        Then send an email to the CFO and the CEO, stating that, in accordance with the wishes of the CFO, you’re putting this procedure into place. Ask whether they see any shortcomings or problems with this.
        Then add a proposal for phasing the email address out, as has already been mentioned.
        Make sure the mail goes BEFORE implementing anything and, preferably, AFTER receiving replies from both CEO and CFO.

      • #3115957

        Fuzzy Employee

        by greenpirogue ·

        In reply to Don’t worry

        Monitoring level of emails seems fairly harmless. But I would inform the CFO that if the former CEO maintains an email account after he has left the company, he could appear to be an employee and continue to obligate the company to “deals.” If someone reasonably believes he is an employee (and the email account would do that), there have been cases that hold the company to deals that they were not aware of. This could be a big legal issue.

      • #3114284

        Get it in writing

        by blu97ram ·

        In reply to Don’t worry

        I would recommend that you politely ask the CFO to put the request in writing, and give you a copy. Then do as you are asked. If the situation should blow up at least then you have documentation to show that you are only doing as requested by your supervisor. That way the attention will be directed the CFO’s way not yours. Good luck.

    • #3044344

      where are you based?

      by gadgetgirl ·

      In reply to Rock and hard place

      You don’t have a location specified in your profile – I’m just hoping you’re in the US – if you’re UK based, or working in the US for a UK company, you have legal problems right now and need to rapidly CYA!

      If you’re in the UK, pm me – quick!

      GG

      • #3044226

        US

        by dv370 ·

        In reply to where are you based?

        I am based in the US.

      • #3115915

        more info about UK

        by jhogue1 ·

        In reply to where are you based?

        Could you give us all some more info about how the laws in UK make this a different problem? I am sure a lot of us are not aware of the differences.

        • #3114860

          Uk

          by maurice ·

          In reply to more info about UK

          You normally have a reasonable expectation of privacy – also in the US as they come from the same legal source, Masters & Servants Act.

          It also depends on policy but it does have to be reasonable.

          I know in a large company I used to work at, monitoring was for cases where serious offences were being investigated, and they had some scary security people, IB or SD, which should tell you which company it is.

          I suspect that the original poster doesn’t want to get caught in a catfight between the CEO and CFO.

          CEOs have the money to employ lawyers, whereas with a low-level call center worker you could get away with more.

    • #3045044

      Company email belongs to the company

      by bschaettle ·

      In reply to Rock and hard place

      Why do you think you have an ethical dilemma? The CEO’s email belongs to the company, just like that of any other employee, regardless of the content. When using company hardware and software for email there is no reasonable expectation of privacy. Management has every right to have the CEO’s email account monitored. You may find this work assignment unsettling, but that’s beside the point.

      A simple solution may be to inform the CEO that his company email is being monitored, and then offer to show him how to set up a hotmail account.

      • #3115266

        The company

        by dv370 ·

        In reply to Company email belongs to the company

        I guess that I haven’t explained myself very well. I work for a small company and the CFO and ex-CEO were very tight. E-mail monitoring around here isn’t “normal”. In a larger company, yes, it would be. In a different smaller company, maybe it would be as well. Not this one.

        I cannot inform the ex-CEO that this is happening. That would be political suicide for me.

        It’s an ethical dilemma for me because I think the request is ill-motivated. And I am being brought into it.

        • #3115994

          E-mail still belongs to the company

          by richard_p ·

          In reply to The company

          The service belongs to the company, the corporate (OK, small company) image belongs to the company, the lawsuits that follow any problems derived from the e-mails belong to the company, and the good name of the company that the ex-CEO is using belongs to the company.

          If the company (i.e. shareholders/owner, not anybody else!) wish to grant the ex-CEO use of the company name, that’s their prerogative, but they certainly have a right to know what is being said in their name. If it were me, I’d withdraw the account immediately and set up a redirect, most especially if the ex-CEO doesn’t want people he is “doing deals” with to know that he’s no longer working there.

        • #3114277

          right, company email belongs to the company

          by todd.harvey ·

          In reply to E-mail still belongs to the company

          I’m amazed that so many posters are so free with legal advice when they are completely ignorant.

          Although this guy is apparently not in the US, his title expresses the state of US law in every state I checked, a few years ago.

          If you have questions, best check a lawyer to see what the law is for the state that would be applicable. (for example, company headquarters in X, you are in Y, servers are in Z might be more difficult).

          One of my friends who is a lawyer described a case in which an email system of message storage was likened to corporate file cabinets, rather than to corporate phones, and there was no issue related to wiretapping whatsoever.

          One thing you might do is make sure that the CFO knows you are doing him a special favor and get brownie points out of this.

          And on a sideline, you might note that Oliver North was brought down, in part, because he was such a jerk to his email administrators, requesting and requiring them to delete all his top-secret emails covering his extra-legal shenanigans. The admins got suspicious and made double sure to save copies, which were later given to Congress.

          So, email admins can be VIPs too. Why don’t you see if your CFO won’t buy you a Coke or lunch or something? It might be worth it to him to keep you discreet.

        • #3115992

          Time to change default working practices?

          by coll_coll ·

          In reply to The company

          You say you’re a small company. How about bringing in some ‘large’ company behaviour? I put large in quotes because I think this should apply to a two-person setup just as well.

          Create an Acceptable Use Policy for your systems, blame SOX, whatever. (Caveat I am UK based so we have things like RIP, Data protection, EU privacy etc to work with.) As part of that AUP, include the fact that all employees’ use of systems will be monitored and reported. Also include the fact that email accounts etc will be terminated after termination of employment.
          Present this to your CFO as a solution which meets their needs to ‘covertly’ acquire the information, and meets your needs to be fair and transparent to all employees.

          If that or similar is not possible, you have to choose between keeping your principles and meeting the CFO’s needs.

          Lastly, I am not aware of the US legal implications in carrying out any or all of these actions, you should consider consulting an HR or legal IT professional, especially if you are a company with shareholders.

        • #3114281

          Danger, Will Robinson!

          by mgordon ·

          In reply to The company

          Check the ECPA (Electronic Communications Privacy Act). You *might* be permitted to spy on company email and report it *only* to authorized executives of the company *if* you follow certain procedures.

          However, let’s say the ex-CEO sends a message bad-mouthing the new CEO to someone else, maybe a newspaper, via your corporate email server. Even though the message traverses your server, that fact is not quite enough to permit revealing what you see. The ECPA recognizes that administrators must sniff the traffic and make measurements, but does not permit administrators to reveal third-party communications (neither originated from, nor destined to, a corporate server) except to the state attorney general (or as directed by the state attorney general). It is unclear whether this includes mere counts and destinations.

          In other words, if your server is merely a relay for the ex-CEO, then you can spy (in your role as administrator) but you cannot reveal.

          If the CEO has a “courtesy account”, but he is not an employee, then he is not bound by employee rules, but rather is a customer and the company acting in the role of ISP with regard to the ex-CEO. As such, I believe the full force of the ECPA can be brought to bear on his email account.

          I host a few courtesy accounts for charitable organizations in my local community; I treat them with the same protections and privacy that a paid customer would receive.

        • #3115093

          Well in that case

          by hal 9000 ·

          In reply to The company

          Ask for the direction in writing so that if anything does go wrong you have covered yourself in the process.

          But I honestly do not see a problem in monitoring the amount of E-Mail that is going through the system as you need to know this for the next round of upgrades or replacements that are due not because the hardware is old and decrepit but because the hardware is now devalued to practically nothing so it isn’t the Tax Break to the company that it should be. Most business systems have a life expectancy of about 5 years or so before they start costing the company money in lost Tax Breaks so you need to know just how much e-mail is going through the place to plan for your next Mail Server.

          Besides for Legal Reasons all of this should be getting backed up and archived so that in the event of something going wrong you have the originals to go back to, to prove that any offending E-Mail did or Did Not originate from your company.

          Let’s face it, it’s extremely easy to change the contents of a transmitted E-Mail and then make out that it is as sent from the original source.

          Col

    • #3115996

      Well that’s simple

      by hal 9000 ·

      In reply to Rock and hard place

      All you need do is monitor the amount of E-Mail going through that account. It should be an easy process particularly as you have not been asked to actually monitor the e-mail content just the usage.

      I would hope that the Departing CEO is using this time to contact everyone in his address book to inform them of his new E-Mail address and picking up any stragglers who contact him personally. I would think that the usage would be minor and taper off as time goes by as all of the old CEO’s contacts learn of his new address.

      If the CFO has the Authority you have to follow his instructions and since he has been quite specific follow them to the letter and just monitor the actual usage and don’t take note of anything else. While this is unusual I take it that the CEO is leaving on good terms so I would see this as a period of time where he can get his personal contacts converted to his new E-Mail address.

      Just do as you are told, nothing more and nothing less. If you just monitor the throughput of that particular E-Mail account you are not really invading anyone’s privacy as you are not actually reading any of the e-mail, just seeing how much it is being used, and I wouldn’t even monitor it to the stage of seeing how much is incoming and how much is outgoing, just the total throughput.

      Col

      • #3115871

        Listen to Hal

        by arjee63 ·

        In reply to Well that’s simple

        This is right on. If all he wants is amount of traffic – only report amount of traffic. If the CFO really wants more than that – and yet isn’t comfortable stating it – then he’ll have to give you explicit instructions to do so.

    • #3115995

      There is a Limit

      by muthukumar.g ·

      In reply to Rock and hard place

      I think there is a limit for everything. The basic system, which I follow in my office is, after an employee’s resignation, we will block his email id. But monitoring a mailbox is not an advisable idea from my point of view. We will inform the particular employee not to use the email id for personal usages. We will give time to change his contact information / registration information from office id to personal id after a simple verification. I suggest to inform your CEO regarding this issue and do your assigned work….

    • #3115988

      given what you’ve said here …

      by hmx ·

      In reply to Rock and hard place

      i’m almost inclined to agree with your cfo. folks who leave the company don’t get to use company resources for any purpose, and management is always responsible to ensure that company resources are used judiciously … it sounds (to me) like your outgoing ceo is putting you in a difficult spot by asking for access above and beyond what he’s entitled to (and admitting to use that doesn’t support the firm’s business), and it sounds like the cfo may be aware that the outgoing ceo is using the firm’s resources for other business.

      so: do what your boss asked you to do … and keep track of what you report to the cfo just in case. at least in the u.s., email content and email access belongs to the firm (as much as a laptop does), and it sounds like management is doing their job here.

    • #3115983

      Contact HR

      by pbg_61 ·

      In reply to Rock and hard place

      I work also for a large company and we have in place a strict policy for such things. In a nutshell, contact your HR dept. and ask them if this has been approved; it will save you a ton of headaches down the road. In these cases even our legal dept. is involved.

    • #3115978

      A balancing act

      by ffarjad.farid ·

      In reply to Rock and hard place

      In my view the new CFO should have the courage to tell the old CEO not to use the company’s resources for personal gain as other people’s livelihood is involved.

      • #3115973

        Reply To: Rock and hard place

        by frank askins ·

        In reply to A balancing act

        I think you have a bigger problem than you realize! Has the CFO put this request in writing? If not, you’re headed for potential problems when/if the relationship between the two individuals turns south! It will be your word against the CFO if this happens. You do the math! If there’s a legal department, talk to them not HR.

        It’s one thing to monitor network activity for the entire organization but a different story when you start “targeting” one individual. I gather the company has no written policy covering a situation of this nature. Without knowing how small the company is it’s difficult to suggest a fix.

        I have faced this situation several times and have refused to provide information on an individual until I discussed it with our legal department. Their advice to me was to have someone of “authority” sign the request. Depending on what his full responsibilities are, the CFO may/may not have that authority.

        The CFO may only be asking for numbers today, but once the pattern/practice has been established and is unchallenged, I have no doubt it will grow from there.

        On the ethics issue, I see nothing wrong with providing network statistics UNLESS it’s targeted at one individual. You have a legal and ethical responsibility to protect the information entrusted to you. I believe you stated the individual was using his email for “other than company business”. If the company has approved this practice, they may have forfeited some of their rights to inspect the email, especially since they are allowing this individual to continue the use of the account after he/she has left their employment. If the individual is already “working” with his new company, there’s the possibility of corporate espionage if some of the information fell into the wrong hands. Did I mention talk to your legal department?

        In my opinion, this is a lose/lose situation for both parties. More than likely, the individual will move on to another company. I agree you are caught in the middle and should take steps to PYOA!

        • #3115850

          Resource usage at any level is ok

          by eaglet3d ·

          In reply to Reply To: Rock and hard place

          It is my opinion that resource usage at any level is acceptable business practice and necessary for identifying problem individuals who misuse resources. This is entirely different than reading a file or email which would constitute an ethical/legal issue. Knowing the resource usage is just a metric that tells how much of the resource was used, not why it was used or how it was used. The latter would present an ethical issue where additional input from your legal/hr representative would be advised.

          Resource usage at the individual level is a necessary metric that should be monitored by any IT department for network planning purposes. Without this metric being captured over time, it is impossible to know how much of the mail resources are being used and by whom.

          For example, let’s say that a mail server is being taxed by an individual that is using 90% of the mail resources of a given server. Knowing who is using the server and how much it is being used will help management to develop strategies for how to handle it.

          Let’s say the individual who has a high usage is the top salesman of the company. Management may decide to just get a bigger server.

          If the individual is an administrator for a particular department, management may decide to get that department a separate server or decide to investigate the

          The bottom line is that collecting an individual’s usage information is normal and necessary as part of the entire information needed for the proper managing of company resources.

    • #3115972

      Not a Lawyer but…

      by purecoffee ·

      In reply to Rock and hard place

      I have to do this with all of our employees. Not a very comfortable position. However, as explained to me by our retained Law Firm, we had to post this in our Employee Handbook as well as declare it on our Log In Screen. Furthermore, targeting one individual vs ALL employees seems a bit unethical, aside from the fact that E-Mails, correspondence etc belongs to a company when done on Company equipment. Politics aside, you need to stand up to your CFO and tell him how you feel about it. If for nothing more than to clear the air and get the burden off your back. I can see and Understand the stress you are going through. For what?! Is your CFO going to be there wiping the drool off your chin when you are 95 yrs old? Life is too short man! Reach down, grab a hold, and tell him what you think. If he doesn’t respect you for it, then it is probably someone you don’t want to work for. Next thing you know, he will be asking you to do other things that are a little grey. Then what..
      My opinion. I am sure not everyone agrees, but I have been there, am there and done that.
      Cover yourself first and make sure you are within the legal limits of the law in all aspects. Good luck hombre.. I feel for ya.

    • #3115966

      I have been in same situation.

      by tech ·

      In reply to Rock and hard place

      I am Lead Network Admin for a major corp. I deal directly with the President of corporation, and he has made requests in the past after an employee has quit or been terminated. I currently have six ex-employee company emails being redirected to him, they arrive neatly in labeled folders in Outlook. I have asked him to email me the request to do so for each instance. So not only am I not looking at the emails personally, but I have written documents of the request to redirect them. I agree it does not seem ethical, however the emails are property of the corporation as far as I know and anyone not smart enough to use a personal email for personal reasons deserves to get spied on.

    • #3115964

      Chain of Command

      by rnackerman ·

      In reply to Rock and hard place

      Not all companies have a clear chain of command. If your company does, and your CFO is not directly above you, be sure your supervisor is aware of this new requirement. Also, be sure to document the request, all reports, and other comments or discussions on this topic. Personal logs, notes and documentation may be helpful if this task turns into a problem for you.

      Finally, in the banking business we have an internal auditor that employees can go to and discuss job tasks that the employee feels may violate laws. If your company has this type of audit control, it may be good to consult their advice.

    • #3115962

      Protocol

      by r.de.koster ·

      In reply to Rock and hard place

      I’ve been through (almost exactly) the same. It was a stressful experience because spying on another employee is not the primary task of a sysadmin. It was against my (personal) principles to do it but I wasn’t left any other alternative. And I was afraid my colleagues would avoid me like the plague when it became known I spied on a colleague.
      Over here (The Netherlands) there are tougher laws on privacy which prohibit actions like these. Furthermore, after my experience I made a protocol in which the role of the sysadmin is cleared in these circumstances. Also, the exact procedures which must be followed for such an action were written down (subsidiarity rules). It was eventually accepted by the works council. Since sept 2003 such a protocol is mandatory by Dutch law. And I was backed by Dutch law in case this protocol wasn’t conclusive.
      The only advice I can give you: suggest a protocol and talk about it with your CFO and get it accepted and published company wide. Also announce every x weeks/months there will be a random sample taken from the network traffic. This way you make sure colleagues won’t use the excuse they didn’t know of any sampling.

      • #3115955

        Don’t ALL e-mail get spied on?

        by michael_orton9 ·

        In reply to Protocol

        I see no problem. All e-mails are open to be spied on if not by colleagues then MI5 or FBI.
        If you want privacy get a free copy of PGP5, stick it on a USB keyring (disguised as a lighter if you must), generate 2018 digit keys and give the eavesdropper a headache.
        I always assume that my unencrypted mails are read and probably the encrypted ones too as they do rather draw attention to one’s activities.

    • #3115956

      Is it different in the US

      by yellowcave ·

      In reply to Rock and hard place

      In the UK, the email system etc is owned by the company. Permission may be given for private usage, but as company property it remains within the power of the authorised personnel to check all mail not marked obviously as personal.
      I have always told my users that all their mail including personal is monitored by default as part of company policy. It isn’t but the very belief affects the quantity and quality of messages, it also saves arguments later.

      We had various management changes in a short period of time and some were allowed to keep the address active and some weren’t, but we had to keep tabs on them to make sure they were not “landing the company in it” as emails from a company are legal contracts to a degree.
      If the company has seen fit to give overall control of IT to the CFO then he has the ability to issue relevant instructions as part of his remit.

      • #3115947

        Different laws

        by gadgetgirl ·

        In reply to Is it different in the US

        – that’s the reason I asked (further up the discussion) where the poster was based.

        Without having a justifiable (legal) reason for entering the user’s mailbox, he would be going against RIPA, and if he actually read the content, including those marked/denoted personal, he’d be contravening the EU Privacy and Monitoring Directives.

        These Yanks may not be able to spell properly, but at least their laws are a little more applicable and readable than ours!!

        GG

    • #3115949

      Not an Ethical Problem

      by business guy ·

      In reply to Rock and hard place

      As a civil libertarian by conviction, I usually support privacy issues very strongly, but not in this case. As internet usage has grown in the workplace, it has become evident that there really is no privacy available to anyone who uses the internet as a practical matter. Therefore, everyone is already forewarned. If one has secrets to transfer, then I would suggest Certified Mail Return Receipt Required by Recipient. As far as ethics go, now that all businesses of import use the internet to conduct B2B transactions and communications, it is even more important that security concerns be paramount. To this end all employee inter/intranet activity, including the content of email should be subject to random oversight. There are trade secrets, fiduciary responsibilities, monetary transactions, and other sensitive matters that are subject to actionable consequences if security is breached. Since all responsible computer usage policies usually state that personal use of the companies’ resources is either prohibited or subject to inspection, the idea of personal privacy is ludicrous. Now your former CEO, who is no longer employed, but maintains his email address as a courtesy and not for your company’s business cannot expect privacy. A good sense of ethics, which you obviously have, precludes spying just for the sake of it, but former employees do not enjoy that as a right. Your CFO’s request is actually benign. Monitoring the volume of use should be standard anyway. If he had a suspicion that it might be used as a portal or some such nefarious reason, then detailed monitoring would be in order. In cases where there are real ethical concerns, you would be correct to ask for a written order detailing the extent to which monitoring takes place. In fact, if there is no policy for just such a circumstance, you as IT Director should create such a policy and have it signed off on by the executives. In this case, I wouldn’t even bother to ask for the order in writing. 
      Believe me, the former CEO already knows that he could be monitored for content. And all you are doing is seeing if he is using excessive amounts of resource. You are already an ethical person who can obviously be trusted not to snoop for pleasure. Don’t give it another thought.

    • #3115938

      A Matter of Policy and CYA

      by pete1978 ·

      In reply to Rock and hard place

      I think that you are looking at a situation that is a matter of corporate policy. In short, exactly what is the corporate policy on the monitoring of email? Is there one and, if so, does this situation fall within the parameters of that policy? Also, if there is a policy, the policy should outline the procedures to follow (who to contact, who may initiate the request, etc.) If there is no policy in writing, get details on exactly how the boss wants this handled in writing then get a policy put into place ASAP.

      What I have not found in your message is the manner in which you were given this request. I would insist on having the request in writing. The simple reason is CYA. If a question is raised later regarding why you were monitoring the ex-CEO’s email, what proof do you have that you were following the request of your boss? Have the request in writing and you have proof.

      Finally, on the issue of allowing a former employee to maintain an email account with the corporation, many have raised liability issues. This is very true. But again, exactly what is the corporate policy on ex-employee email accounts? If there is no policy stipulating what to do, then someone needs to establish one. HR may have some generic information that covers this (for example a broad statement that an ex-employee will stop enjoying corporate benefits — except retirement — 30 days after separation … such a policy would cover email accounts as well).

      CYA. Find out what the corporate policies are regarding the situation and follow them. If there are no policies that cover this, then get someone higher to put something in writing, follow that written directive and then encourage them that a corporate policy needs to be established.

      Good luck!

    • #3115932

      CYA

      by old guy ·

      In reply to Rock and hard place

      I would ask the CFO to send you a written request with his name on it for this, either an email or an inter-office memo. Especially since you have expressed your concern to him and were told to do so anyway.

      • #3116658

        Reply To: Rock and hard place

        by cks ·

        In reply to CYA

        Yes, but not an email; we all know how easily they can be put together.

        Make it a signed paper memo

        Keep the original safe at home and a copy on you.

    • #3115930

      What are your values/beliefs and do you have an AUP

      by phuah ·

      In reply to Rock and hard place

      You have an ethical dilemma in your hands and it depends strongly on your personal values and beliefs. If these say it is wrong to do what you are tasked to do, then you need to voice it up. It could cost you your job, but you will feel good about it, since your values and beliefs have not been violated.

      On the other hand, if you have an ‘Acceptable Use Policy’ (AUP) in place, then you should read it and determine if what you are tasked to do is in the prints. I have one in place and I monitor Internet/e-mail usage of all my users. I report irregularities and excessive usage to higher management, leaving them to decide the actions. I have no guilt because it is my job and the AUP, which forms part of the HR manual, warns all employees of where the company stands on this policy. If you are in this situation, and you have an AUP in place then you should not feel guilty about performing your task even if it means someone will lose his/her job.

    • #3115923

      Common Sense and Prudence

      by guy_warwick ·

      In reply to Rock and hard place

      dv370,

      You’re being asked to do something distasteful but within the rule of law (I believe). Unless expressly stated, it’s my understanding that employees have no expectation of privacy with respect to telephone or email communication using company facilities.

      That said, given the nature of what the CFO is asking for he/she should be prepared to make such a request in writing and sign it. It’s not unreasonable for you to ask for specific names of people on the board of directors who authorized such actions and have the letter cc’d to one of those board members.

      FWIW

    • #3115920

      Rock and hard place

      by wkarumba ·

      In reply to Rock and hard place

      Inform the CEO and go ahead and do what the CFO wants you to do; that way you have applied your code of ethics.

    • #3115917

      Tough Spot

      by jrapoport ·

      In reply to Rock and hard place

      You are in a tough spot my friend. I would recommend that you document everything, because this is likely to go bad for you. If you refuse the CFO, you could get fired; on the other hand, if you don’t refuse you could get fired too. Document everything! Good Luck!

    • #3115905

      CYA Suggestion

      by mccmike45 ·

      In reply to Rock and hard place

      Based on your hierarchy, you supposedly report to the CFO. Since he is your superior, I would do as he requested. However, I would send the CFO an email with what he requested in the email to verify that what he requested is what you understood his request to be. I would also do a blind cc to your email address for your records. This will get it in the email system so that you can have something to fall back on in the event of a finger pointing match.

    • #3115891

      You are within the law

      by mhasf ·

      In reply to Rock and hard place

      I would not worry about it… The company e-mail system is for company use only and it is open to examination. I am certain you are ok since a CFO is usually an officer (not just by title) of the company.

    • #3115882

      No problem…

      by reconlabtech ·

      In reply to Rock and hard place

      You have not been asked to monitor the “contents”, just the volume. Go to the management tool for your email server and make a note of the mailbox volume size and number of messages. Then note daily/weekly or whatever the change in the volume and number of messages. You don’t need added access or to violate any privacy.

    • #3115875

      Inform HR and CFO

      by warpindy ·

      In reply to Rock and hard place

      I do think that you are in a “rock and a hard place” but not one that you can get out of with careful wording. If you have a company policy that all employees sign about the usage and monitoring of company equipment, email and software then you might want to remind the CFO of that, in a nice way of course. You might want to inform the CFO of what you can do to either move all incoming mail to the new CEO and some kind of filtering method that your email systems can handle. I do not think you should tell the old CEO of this but advise the CEO that he should start using another account for his transactions soon. Why inform HR? This is just to cover your butt in all of this, but I would tell the CFO that you have or are going to inform HR of what is going on.

    • #3115857

      Take a step back

      by mikebytes ·

      In reply to Rock and hard place

      There are really 2 issues here. One is the use of the email and the other your need to CYA.
      Let’s deal with the CYA first. Try and get the direction in writing if you can. If not document the meeting with time and date as well as contect information. Do not leave this at work or on the company computer system. That is all you can do for this one.

      Now on to the request of the CFO. First, what is your company policy concerning using company resources for non-company work? I know rank has its privilege but the other side of the coin is an outgoing CEO puts his slacks on one leg at a time just like the rest of us. Use your policy as further CYA. The company email system belongs to the company and is not subject to privacy concerns. As a result I would do what the CFO directed and go on about my job.

      • #3115839

        You’re doing the right thing, but just…

        by nsim3008 ·

        In reply to Take a step back

        take a few extra steps to cover yourself.

        The way I see it, you will be monitoring this account for no more than 30 days at the request of your supervisor. If the CFO doesn’t feel comfortable with the stuff the former CEO is doing and they are friends then I would suspect something may be wrong and the CFO doesn’t want the company to get in trouble.

        Send the CFO an e-mail with the first monitoring log and in the message state something like “at your request here are the monitoring logs for former CEO; please reply back with the date of when the monitoring should cease and the mailbox deleted.” His reply will be his acknowledgment that he knew and requested what was taking place.

    • #3115836

      Just Do It!

      by dgrissom01 ·

      In reply to Rock and hard place

      1) The following is predicated on the assumption that, regardless of your company size, you DO have a company computer use policy stating somewhere in the document that all computer files belong to the company and that monitoring is a distinct possibility. If you don’t have a computer use policy, get one. NOW! Then have it reviewed by an attorney or minimally by an IT HR professional before having each and every computer user sign a copy to be kept in their personnel file. This is a common Best Practice!

      2) It sounds to me like your CFO didn’t agree with the new CEO’s decision to let the outgoing CEO use corporate email. Having lost the argument the CFO is now trying to establish his case (i.e.: You monitor quantity of usage. CFO takes usage quantity to CEO and says, “See? He’s using too much of our company resources!” Or some such thing.) Whatever the case you DON’T want to get tangled up between these two! You report to the CFO. He gets to tell you what to do.

      3) Whatever the CFO’s motivation you have been instructed to monitor. Just Do It! Only be sure you CYA with your own documentation of who, what, when, where, and why. Leave the rest of the ethical and legal issues to the CFO and to the new CEO. No matter how you “feel” about the CFO’s motivation you’re not the company policy maker. In the event trouble brews, and you have CYA well enough, you can prove that you’re just doing what you were told to do.

      4) Number three is one excellent reason to have a computer use policy.

      Good Luck!

    • #3115835

      Tough Spot

      by fairplay ·

      In reply to Rock and hard place

      A tough spot that you find yourself in. The CEO will no doubt be offended that he is being monitored, however, would understand the critical nature of the company information that could flow outside. Personally, being a CEO myself, I would suggest that the CFO approach the subject with the CEO and have the conversation that it is a requirement for legal purposes and for usage purposes, prior to placing you in this position.

      If the CEO wishes to use the address for other opportunities, why not have him set up a new account on a separate server in some other company and notify all the people that the account will be changing in 30 days. Direct all incoming mail to that account for a specified time frame that is agreed upon by both the CFO and CEO as a parting gift and that way the forwarded messages only go on for so long as well as the monitoring.

      Best of Luck

    • #3115816

      Cover your ass!

      by opiate ·

      In reply to Rock and hard place

      In any way you can think of CYA!

    • #3115814

      DO IT!

      by lew ·

      In reply to Rock and hard place

      Tough situation but if he is still an employee through November you will need to keep his email around and treat it according to company policy. Our policy gives us unlimited access to emails because the company owns the email box, system, etc. So if the new CFO wants to monitor for traffic or content you should be fine if it is covered under your acceptable use policy for email.

    • #3115809

      Rock and hard place

      by mollybigd ·

      In reply to Rock and hard place

      Basically you do what you’re told whether it goes against your ethics, etc. The CFO has the right to give you that directive. If you feel it goes against your ethical thinking then you would simply tell your boss that although you don’t like it, you will follow his directive, and monitor. Since you’re between a rock and a hard place, yourself, I would also get, in writing, from him that this was a directive from him. By doing this, it will cover your rear end should anything come of this. I hope this helps, and I simply would do the same thing.

      • #3117702

        Have you considered…

        by gardoglee ·

        In reply to Rock and hard place

        There seem to be two fundamental misconceptions implicit in most of the responses here.

        First, everyone seems to think that if you have an email system, then every employee will have email, so the CEO should have email so long as he is an employee, or a contractor. That is not implicit in your situation as you have described it so far. In many situations not all employees have email, voice mail, or even access to a phone.

        Second, it is clear from your description that you really have two separate problems. One is what to do while the ex-CEO is still an employee, and the second is what to do after he is no longer an employee. It is very likely that the legal implications will be different once his status has changed.

        Third, most of the earlier posts seem to assume that your company has policies for things like this, and therefore either has an acceptable use policy, or will be happy to adopt one once you suggest it. You sound like you are in a small company. I’ve been there, and know that small companies tend to be focused on other things (like, for example, selling products), and therefore are often very lax about having explicit policies for a whole host of issues. If you do have an AUP, then it probably came out of some dimestore software package which one of the company founders got at Wal-Mart with “1001 Legal Documents You Don’t Need A Lawyer For.”

        I have been asked to secure the email, the hard drive, and the network files of several terminated employees, both those who resigned and those who were fired. In some cases I have been explicitly directed to do this without the knowledge of the current LAN administrator, and without the knowledge of the email server administrator (in our case they are two different people, one on site, one off site). I know that in most of the cases where this was requested that the managers who requested this were then examining the contents, particularly when a terminated employee took legal action against the company. That said, I think I know how you feel about this. It is a lousy position to be in, and the CFO doesn’t really seem to be on your side, even though he might be trying to convince you that he is.

        My advice is to do the following.

        Get the request in writing, and keep multiple copies at multiple off site locations. Mail one to your best friend, or sister, or mother if you have to, and ask them to hold onto it without reading it. Tell the CFO that you are going to keep the written copies of the request, so that he knows you are covered that way. He will be less likely to deny asking in the first place. If you can, get someone to date and sign an envelope with a copy sealed inside, so you can prove that you had the written instructions before any questions were raised. You not only need the copy, but you need to be able to prove that it is authentic. Impress each person to whom you entrust a copy that it is confidential, and don’t enlist anyone you would not trust with your future.

        Tell the CFO that you expect him to notify the outgoing CEO of the monitoring. Get him to include his response to that request in the written instructions. He may or may not agree, and he may or may not do what he agrees to, but you want to have documentation both that you raised the issue, and on what basis you proceeded.

        Do not inform the person who is being monitored yourself. You may want to do so, but don’t do it. Not only will you lose your job (will, not might), but you may be in for even bigger problems, like being sued by your employer after they fire you.

        Talk to a lawyer. If the company has an attorney, and the politics allow, then talk to him/her/them about this. If the company does not, or if that is not acceptable within the political situation, then find an attorney of your own and talk to them. There are both Federal and State laws to consider, and the State laws vary wildly, both in letter and in interpretation. And don’t use the attorney who did your real estate purchase, your divorce, or who wrote your will. Get someone who knows privacy laws. Lawyers are like programmers. You don’t hire a Java guru to maintain legacy COBOL code.

        Your instinct to do this yourself rather than delegating it is a good instinct. As an earlier poster noted, there is both the question of what you can monitor/review/read, and what contents you can disclose. If you are the only one doing this, then you are the only one who needs to keep it to herself. Don’t disclose anything to anyone other than the CFO. Since your instructions are to report to him, that is as far as any safety goes for you. If anything else leaks then you are completely on your own, since you are outside the scope of your instructions.

        With the exception of what you have been instructed to disclose to the CFO, protect the privacy of the outgoing CEO at least as much as you would anything else while he is an employee, and even more so when he leaves. If a question comes up, you don’t want anyone to have a basis for saying you were sloppy and caused a leak. No matter how innocent it seems, treat it like a top secret.

        At the same time, assume that whatever you disclose to the CFO is just as good as published in the local paper, so keep it to a minimum. It might not work out that way, but better to prepare for the worst.

        Be prepared for some other executive level person to come to you with further requests and/or contrary instructions. Be prepared to tell them to go to the CFO for whatever they need. Don’t be the one who is later blamed for expanding the scope, stopping the surveillance, or whatever. Make sure it is his decision, not yours.

        Assume that everyone will eventually know that you have done this, both the outgoing CEO and every other employee past, present and future. As above, prepare for the worst. Some people will see it as company loyalty, others will see you as a fink and a spy. Life’s tough that way, and there is no way around it, so deal with it when it happens.

        Keep a contemporary log of everything which you do report to the CFO. Don’t assume that you will be able to recall when and what you disclosed later on. Write it down each day, attach copies, and keep offsite copies as above. If the worst happens, and you must defend yourself down the road, a journal you diligently wrote each day will carry much more weight than your recollections after the fact.

        Last, don’t speculate, ask around, or try to figure out why the CFO is doing this. You will not substantially improve your position in any respect by knowing, and may well jeopardize it. Part of your defense, should it ever come up, is that you were following explicit instructions from someone in a sufficient position of company authority to issue those instructions, and that you were not aware of any illegal purpose or action. If you do come to suspect that something illegal is going on, or if you are in a position where you reasonably should have known so, then you don’t have much of a defense.

        Good luck. Most likely this will all blow over and become an unpleasant memory and a good learning experience. Just be prepared for worse.

    • #3115808

      It’s all company property

      by tomw ·

      In reply to Rock and hard place

      If management wants something monitored, monitor it. What’s the ethical dilemma? You work for a company and they want you to manage a company asset.

    • #3115789

      Not to worry

      by blueknight ·

      In reply to Rock and hard place

      The CFO’s request is not out of the unusual. Since company e-mail systems belong to the company to aid in the carrying out of its business and therefore can be monitored, and in many places are on a routine basis. You may feel a bit uneasy about being put in the position of e-mail monitor, but it is a perfectly legitimate and defensible request. It could be that the higher-ups want to make sure the former CEO doesn’t use that e-mail account to do harm to the company.

      If I were in your position, I would do as requested, and while doing so, I would watch for abuse of the e-mail system by the former CEO, such as divulging “company secrets.” Any such activity must be reported immediately to your boss and the new CEO, and the e-mail account should be terminated.

      At the end of November, or on the first day following the former CEO’s complete severance, his e-mail account should be terminated. There is then no legitimate business need for his continued use of the system and he has no right to expect e-mail access to continue beyond that date.

      Not to worry, you’re in the clear on this because you’re not violating any laws — you’re protecting the company.

    • #3114434

      corporate resources

      by danny1310 ·

      In reply to Rock and hard place

      Our company regularly monitors not only email but actually computer usage via real time monitoring. Our company also uses a termination check list. This allows for the return of asset keys, laptops, cell phones, ID cards, and termination of computer usage for the company. Continuing usage could lead to unauthorized access that the company has no legal remedy for. When an employee is terminated or terminates his employment all ties are done when he goes. Usually the employee is paid for the day even though he may only be there long enough to complete termination package.

      If he was in a position, i.e. CEO, CFO, etc., his mail is forwarded to the new CEO or person in charge of that department. Much of his mail may be related to the company and should reach the new person in that position.

      I think your CFO is being too soft. I would openly monitor all communications to ensure corporate information is not being lost. Looking at the size of an email is irrelevant since a database could be sent out in smaller packets.

      Part of your job is to watch out for the company’s interests. Try not to get into a political game. Documentation is everything. Keep good records. If the CFO requested it, give the information requested. If the CEO finds out and asks, pass on what you were told.

      Dan
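Added example, not part of any post in this thread: a sketch of the metadata-only volume check reconlabtech describes, extended to show danny1310's point that per-message size misses data sent "in smaller packets" while a per-day total does not. The log rows, dates and both thresholds are constructed assumptions; no subjects, recipients or bodies are read.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample data: one (day, size_in_bytes) row per sent message
# for a single mailbox. Only metadata is recorded, never content.
SENT_LOG = (
    [(date(2024, 11, 1), s) for s in (12_000, 48_000, 9_500)]
    + [(date(2024, 11, 2), s) for s in (15_000, 22_000)]
    + [(date(2024, 11, 3), s) for s in (8_000, 30_000, 11_000, 14_000)]
    # Day 4: forty messages of 900 KB each; none is individually large.
    + [(date(2024, 11, 4), 900_000) for _ in range(40)]
    # Day 5: one ordinary message and one large attachment.
    + [(date(2024, 11, 5), s) for s in (10_000, 5_000_000)]
)

PER_MESSAGE_LIMIT = 2_000_000  # assumed threshold for a single message
DAILY_FACTOR = 10              # assumed: flag days above 10x the median day


def daily_totals(log):
    """Aggregate message count and byte volume per day."""
    totals = defaultdict(lambda: {"messages": 0, "bytes": 0})
    for day, size in log:
        totals[day]["messages"] += 1
        totals[day]["bytes"] += size
    return dict(totals)


def days_with_large_message(log, limit=PER_MESSAGE_LIMIT):
    """Days on which at least one single message exceeded the size limit."""
    return sorted({day for day, size in log if size > limit})


def days_with_unusual_volume(log, factor=DAILY_FACTOR):
    """Days whose total bytes exceed `factor` times the median daily total."""
    totals = daily_totals(log)
    baseline = median(t["bytes"] for t in totals.values())
    return sorted(d for d, t in totals.items() if t["bytes"] > factor * baseline)


if __name__ == "__main__":
    for day, t in sorted(daily_totals(SENT_LOG).items()):
        print(day, t["messages"], "messages,", t["bytes"], "bytes")
    print("single large message:", days_with_large_message(SENT_LOG))
    print("unusual daily volume:", days_with_unusual_volume(SENT_LOG))
```

The per-message check reports only the day with the large attachment; the daily aggregate also reports the day of forty mid-sized messages.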

    • #3114378

      No question what you should do…..

      by is girl ·

      In reply to Rock and hard place

      Since you report to the CFO and the old CEO is on his way out, you should do what the CFO asks without notifying the old CEO.

      It’s possible that the monitoring is only to let the CFO know when the activity tapers off to nothing so he can tell you to terminate the account.

      An outgoing CEO may still have ties to the company. He might have a couple of deals going that he’s committed to wrapping up or he may be going to work as a consultant for your company…..these issues could also still be up in air.

      I think since there is no actual reading of email going on, there is no problem. Monitoring volume is harmless and one might expect that you can and do monitor everyone’s email volume on a regular basis.

    • #3114363

      Legalities and Duty of Care

      by deadly ernest ·

      In reply to Rock and hard place

      The legal aspects will vary from state to state, however, the general rule is that the company and its officers are legally responsible for all material on, in, and leaving the corporate systems and network. Past court cases have seen multi-million dollar pay outs.

      The CFO has a responsibility to protect the company and a right to know what is happening, especially with a person who is no longer with the company and still using corporate assets. However, if the CFO is being honest in saying that all he is interested in is the usage stats, this could then be due to oncharging agreements, then there are various technical solutions that will handle that. Another technical option may be to set up mail forwarding at the server if it only relates to contactability; then the old CEO could set up an account elsewhere for transmitting in preparation for the final cut.

      A few years ago I did an assignment on this and related issues and will happily send you a copy if you wish, just email me with a request.

    • #3114280

      Cover the.. umm… Bases! :)

      by cloakedrun2001 ·

      In reply to Rock and hard place

      I see nothing wrong with the request. However I would strongly advise that you ask the CFO to document the request in writing! An e-mail is probably easiest, but a letter would be acceptable. You will, of course, maintain a copy of this authorization OFF-SITE (eg at home!) for your records.

      This is what was referred to in “Clear and Present Danger” as a “get out of jail free card”. Monitoring of the e-mail at a basic volume level is well within your abilities, and within the scope of your job. If you are concerned, document the request, and then follow up by keeping very detailed records of what you do, and how you do it.

      If the crap hits the fan, then you should be OK.

      Just my two cents worth.

    • #3114279

      CYA

      by dv370 ·

      In reply to Rock and hard place

      The politics surrounding the request is all that has been an issue for me, not the request itself. I have requested, in writing from the CFO, the request and am documenting everything as I go. At this point, that’s all I can do as it is a directive from my immediate manager. Thank you for the relevant responses, ideas and information. They are greatly appreciated.

      • #3114785

        Still not Clear on the Political Ramifications

        by bluegiant ·

        In reply to CYA

        never mind…I’m a little slow sometimes 🙂

    • #3114193

      Possible Explanation

      by christineeve ·

      In reply to Rock and hard place

      While we can only guess why you’re being asked to monitor, may I throw in an example from my past work experience?

      I worked at a firm that had a large lay off of software engineers and managers. In a local office of 400 over 150 lost their jobs.

      The individuals who had been at the firm for many years, over 10 years at least, were permitted to come to the workplace and access their email and use their office during their job hunt. Some were getting paid severance, some weren’t. It was part of an exit program. They were permitted to use these services for varying amounts of time. This included their remote access of email from home.

      I am not sure why they did this, but it seemed to soften the blow of losing their jobs. It seems like an IT nightmare to me. I’m not in your field, so I can only wonder about all the pitfalls of allowing this practice.

      As you’ve already been informed in professional and not so professional ways, it’s legal to do this monitoring. The computers and the Internet access belong to the company and they are permitted to monitor in any way. The only notification employees are due is usually in the employee handbook or any security splash screen that comes up when they log onto the network.

      You are most likely asked to do this because of your level in the company in consideration of the level of the former CEO in the company.

      I’m glad you posted this question. There are no dumb questions. I learned a lot reading the various posts. Good luck to you!

    • #3114188

      Companies own their resources…

      by mikebertie ·

      In reply to Rock and hard place

      I don’t know how it is everywhere, but in my organization the computers, every file on them, and every transmission sent from or received by a computer owned by the company is the property of the company. That means that employees do NOT have the right to privacy when utilizing company resources.

      I therefore don’t see this as an invasion of anyone’s privacy, and see nothing wrong with the request. I would comply without question. Anything that ANY individual is doing with company resources could potentially harm that company, so they have a right to defend themselves by monitoring that resource usage.

      That’s my two cents anyway…do with it what you will…

    • #3114182

      I will do it if…

      by buzzlife ·

      In reply to Rock and hard place

      In my previous company, everyone had to sign a form; one of them said that you are allowing the company to monitor your emails or your documents stored in your local drive or network. Do you have this kind of policy in place?

    • #3114935

      Now, it falls under your job description

      by kallir00 ·

      In reply to Rock and hard place

      If you believe one of the objectives of your job is to secure the data on the network, then this “Rock and Hard Place” feeling truly is part of your job. Every piece of software, tool or other device which accesses data in your network is in your jurisdiction to be monitored for anything out of the ordinary, including that of the ex-CEO. Now the only reason that you may not be monitoring OTHERS is that there are no possible threats from them (I would even question that in this day and age). As a pre-emptive action from your employer this new task of yours will be justified.

      If you’re ever called into a grand jury to testify about the contents, then seek a counsel before you answer. (That is a joke, with all that is going down in DC!!)

      Relax. Stand for what is right. May God Bless.
      Regards,
      RK

    • #3116767

      Don’t mistake email for “snail mail”

      by leewc ·

      In reply to Rock and hard place

      I can relate to your dilemma. However, there are a couple of things all parties should be reminded of.
      First, no email can be considered safe from prying eyes. It is the property of the organization which provides the connectivity, directory and storage service by default and I have no expectation of privacy from any corporate email service. For commercial ISPs I have some expectation because I pay money to get some privacy.
      Second, no one from the FORMER CEO down should expect any organization to provide unremunerated email service for them if they no longer work there. The account should be terminated at departure.
      Third, most email clients provide a delegation feature that allows other users to take optional roles for email maintenance. This is the cleanest method for your CFO to get what is needed. The IT guy does not need to act as a secret agent.
      Fourth, because email does not enjoy the same benefit of law (or suffer postal charges) as USPS and delivery services, one should not assume it is physically secure. Don’t email anything you wouldn’t want to become public knowledge.
      Conclusion: If your company grants email service to anyone free of charge and the company needs to see the content or metadata, then the official who needs the data should be delegated to look at the email himself. If the company charges for such service, then the contractual agreement of service should determine the legal limits of such monitoring.

    • #3116706

      Make sure corporate legal counsel has been engaged

      by geekdoctor ·

      In reply to Rock and hard place

      (a) The CFO can generally request this and it’s appropriate
      (b) How squeamish you feel is a separate issue if your boss is making a legal request
      (c) Make sure corporate legal counsel is onboard. You can ask for advice without letting the CFO know about it.

      Get over your discomfort with “spying”. “Monitoring” is a generally accepted IT practice.

    • #3116648

      It is strait forward

      by seyffu ·

      In reply to Rock and hard place

      You contact the outgoing CEO requesting an alternative e-mail address.

      For the month of November the status quo on the e-mail remains as a normal employee. During this time you request him to notify all his contacts. You may even offer to do it for him. I mean, how difficult is it to send mail to everybody in his address book?

      Then during December you inform him that all mail to his account will be opened by the new CEO’s PA, who will determine if it is company related mail. This will be sent to the new CEO. ALL other mail will be forwarded to the new e-mail address given to you. The account will be suspended [deleted] at the end of December. Then you do not have a problem anymore.

      Lastly, once you have had the talk with the outgoing CEO you draft a note to the CFO stating what was discussed and what will be done. CC this to the outgoing CEO and maybe even the new CEO as well. During all of this it is important to keep the company policies and local laws in mind.

      If you do not have a policy covering this NOW is the time to write it.

      • #3116465

        Possibly even *straight* forward…

        by zaferus ·

        In reply to It is strait forward

        If you have a signed usage policy in place your company is fine, and so long as you have this request IN WRITING from the CFO I don’t see the problem.

        Our policy states clearly that any electronic documents and E-mail are the property of the company and there is no expectation of privacy. If you don’t have this I would advise the CFO in writing about the possible legal ramifications. If he wants to override this (again – in writing) then I would think you’ve done your due diligence in advising of the risk and respect the chain of command.

    • #3116419

      This isn’t even a problem

      by denodave ·

      In reply to Rock and hard place

      If you are not being asked to read the emails and just monitor usage, it’s not even a problem. Network performance and usage are standard-issue administrator tasks, and if your boss wants usage stats just shut up and give it up.

    • #3120324

      Stick to Your Guns

      by willap ·

      In reply to Rock and hard place

      You have morals and beliefs, stick to them. I would tell him “NO” and start looking for a new position with a place that has my same beliefs. If your CFO wants you to watch somebody else, the day may come when the same is done to you.

    • #3118495

      To Whom do you answer?

      by kjenkinsaf ·

      In reply to Rock and hard place

      Does the guy asking you to do this have any power over you? I.e., does he sign your paycheck, write your evaluations, have the boss’s ear? If the answer is yes to any of these questions, do as you are told if you value your job. Then quietly, from home, do a job search for yourself, as I wouldn’t work for this bunch.

    • #3123815

      The system belongs to the company

      by stan_gamla ·

      In reply to Rock and hard place

      Tricky one, but there’s really only one right answer here.

      • #3123660

        Ownership does not always trump privacy

        by gardoglee ·

        In reply to The system belongs to the company

        In many cases the building also belongs to the company. However, there are still some places, even in a place of employment, where there is a reasonable expectation of privacy.

        Email is not specifically legally protected, but it is still a gray area, so it is foolish to immediately assume that anything the company wishes to do is okey-dokey. The original questioner was wise to think carefully before jumping into this.

    • #3044034

      Privacy Transcends Policy

      by ryk1 ·

      In reply to Rock and hard place

      Unfortunately, the issue of monitoring mail content is far too common. Yet, if the actual objective is truly to monitor mail traffic volume to a specific account, this in most cases can be accomplished through user statistics available through most mail management consoles, without having to access the actual content.

      When monitoring content, many arguments can be made about the ownership of the mail system and the rights to access content. However, unless specific policy has been established and the user has been made aware of such policies, preferably with a signed rights of use contract, the user may have a strong case against the enterprise. Even if you have established rights to monitor mail the problem may still exist along the lines of the chicken and the egg where the question is whether privacy transcends policy or if policy transcends privacy. Regardless, these are not waters you want to tread as they may become career limiting.

      As a specialist in SoX, PIPEDA, HIPAA, and other global privacy initiatives, I have assessed this very issue on more than one occasion, and suggest that if the actual objective is to monitor content violation, transfer of corporate secrets, or other private information THAT IS IN VIOLATION OF CORPORATE POLICY, then policy will in many cases transcend privacy. Yet, to monitor all mail using human resources will violate the user’s rights.

      One of the best methods I have seen to collect content based policy violations from mail, FT, HTML, or IM streams is through the use of devices using complex linguistic and mathematical filters, such as is manufactured by Vericept. With such devices, information is monitored over all modes of TCP/IP based communication (relevant to the position it resides on your network), and will identify only information in violation of established policy. No other information will be exposed to the manager, and EMPLOYEE PRIVACY IS RESPECTED UP TO THE POINT THAT THEIR CONTENT VIOLATES POLICY. In this case policy transcends privacy while establishing a method to respect privacy up to the point of violation.
