  • #2151215

    HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

    by drakebrown ·

    I am the Director of I.T. The Director of HR is demanding that I provide all the passwords of the administration department employees. I am being told they have a right to this information as they want to check email whenever they want. I consider that snooping. I recognize that email is the property of the company. However, I feel unsure of whether legally they have a right to just go in carte blanche and look at email without just cause. My position is I will log into the individual account and let them peruse email without divulging the user's password. How do other companies handle this?

All Comments

    • #2908916

      Be VERY careful.

      by locrian_lyric ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      Tell HR that you want something in writing from compliance before you even THINK of doing anything of the sort.

      While the company can of course view what is on their equipment at any time, granting access to individuals’ passwords is lunacy and asking for a lawsuit.

      You may wish to grant some sort of super-user access to ONE person in HR, but nothing more than that.

      Our company checks email on the servers and never goes into the accounts themselves. ALL email is monitored on the server; they have sniffers and pick out emails as they wish.

      Now, here’s a question I have for you:

      If an employee is disciplined due to information gleaned from this method of spying, how can you prove it?

      “Hey, I didn’t write that email. One of you HR people must have logged in as me! I know you poke around because I noticed that my account had been logged on when I wasn’t even here!”

      Can you say “lawsuit” boys and girls?

    • #2908910

      That needs to be elevated

      by dawgit ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      With a written Policy Letter (that would hold up in a Court of Law) as to specifically Who, and for What Purposes, would have access to What. You of course need to start that with a memo (at least) to the upper levels, with a copy to HR, expressing the negative effects of not having that policy. Without an effective policy your company may be in violation of several laws (depending on your location and type of business). IMHO of course. -d

    • #2908846

      Company policy

      by mjd420nova ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      We have a company policy that says that the employee's direct reporting manager has the right to review any employee's E-mail upon request from that employee's manager. The employee will open his/her E-mail account and allow the manager to look through it at any time. The catch is that the manager must request this and the employee must be present, but no passwords are to be revealed. This way there can be no denial of the origin of any content. Makes sense to me and actually has a very trusting effect and a restricting policy at the same time without being too constraining.

    • #2908819

      The other answers are great

      by zlitocook ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      But a user who is doing something they should not would delete or create many subfolders so that something they are trying to hide will be hard to find. And a search of their email would not show this. Only the backups, if kept on the server, would show what the user has done. And only the IT department can get to the backups.
      You need to point the HR department to government compliance websites, even if your company is not a public company.
      And point this out: if someone else opens and reads the emails, they will no longer be new, so the next time the user checks their email they will not see new mail.
      This kind of thing (spying) needs to start at management and needs to be promoted up to HR and lawyers to see what it could mean to the company.
      If it did not go as planned, could the company be sued, or could it lead to a news story with the user telling everyone that they are being singled out for some reason?
      This is a very tricky thing to start and company lawyers need to look at it first.
      No, do not give HR access to email without doing a lot of research first.
      It could be your problem if you have to go to court.
      It could be that an HR person has a problem with a person and wants to find a reason to dismiss that person.

    • #2908796

      Bad News

      by cognos ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      I think it depends on your locale. However, I would say that it is highly unethical to provide any person the ability to impersonate another in any format — including email. Giving someone credentials to an email account does just that, and guess who is party to any illegal behavior undertaken in that case? *YOU*. Fun, eh?

      While most companies do have a right to look into employee email, doing so can be justification enough for the establishment of a hostile working environment in the event that something about the employee is revealed to the employer and the employee sues for some reason. (Harassment…?) Further, the employee can sue the employer if anything personal is revealed.

      Unless I suspect something illegal, I don’t turn passwords and user names over to anyone — period. In the event something illegal goes on — and it has on a few occasions — giving the information to law enforcement won’t get me in hot water or my employer in a lawsuit. I think that’s the only “safe” case for that type of disclosure.

      My opinion, of course. 🙂 I wouldn’t do it without a documented (written, dated, signed) request from your CEO. I wouldn’t do it unless there’s provision for it in the employee manual. And I would certainly make all users aware that their email is open to snooping from the get-go.

      • #2904814

        very well stated

        by drakebrown ·

        In reply to Bad News

        Thank you. You have provided a concise, accurate analysis. Believe me, when I got the request from HR the first thing I thought about was what you pointed out in your opening paragraph. I would be the one singled out, not HR.

        Thanks
        Drake

    • #2905952

      If they want to look, they want to look

      by tony hopkinson ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      However, they don’t need an individual’s user to do it. Hand that out and they can impersonate an employee. This would make any evidence garnered dubious.

      What you have here is some non tech person asking you to implement their solution instead of asking you to solve their problem.

      Never a good idea to go along with that sort of thing.

    • #2905930

      I’m in the UK, but….

      by gadgetgirl ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      I’d tell you to rapidly do some research on digital evidence collection and justification.

      There is no reason to ballpark all the admin dept people – they MUST have an idea of who it *could* be; that means, of course, that they have to do this through incident investigation. That means proper authorisation.

      At the very least, following digital evidence collection best practice, there needs to be a lead collector and witness at every stage; otherwise (over here, at least) the evidence wouldn’t even get IN to court, never mind be thrown OUT of it.

      This is an absolute minefield – CYA as much as you can: if necessary, refuse to do it, and give them a detailed explanation in writing, as to your reasons for refusal.

      Over here, through the EU P & M Directive, we can’t look at EVERYTHING in a person’s mailbox in any case….

      Yes, I’ve done this before, yes, I investigate incidents, yes, I write policies and procedures too, and yes, I will accept a pm from you as you no doubt realise this is an absolute minefield.

      GG

    • #2905902

      NO!

      by charliespencer ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      As many others have pointed out, there’s no way to prove someone in HR didn’t log in as that user and commit an offense. Worse, having the password provides access to all data the user has rights to, not just his e-mail. Not only should HR not have an employee’s password, neither should IT or anyone else.

      Work with HR to develop an e-mail auditing policy. This should specify that requests to audit an account must be in writing, and should be signed by the person requesting the audit and his supervisor. (Where I work that requires a VP signature.) Then change the employee’s password to a temporary one, log in, audit the e-mail with at least two people present at all times, log out, and require the employee to change the p/w when he next logs on. This way you have an electronic trail of the p/w being changed.

      • #2905770

        Giving out passwords is a no-no

        by notsochiguy ·

        In reply to NO!

        I ran into an instance of just why passwords should NEVER be given out or shared a few years back.

        A high level person within a company I was working for ‘resigned’ via e-mail to the CEO. The problem was that he was out of the country on a mission for his church (this was widely known, too).

        At the time, we didn’t offer OWA, so the only way someone could send e-mails was to either be connected internally or via the VPN. The CEO asked us to check if this was legit, and sure enough, there were no logins from the person on the VPN. HOWEVER, someone had logged onto his computer to presumably send the resignation (as well as some other choice messages, I may add…if not for these other messages, we would have written it off as a friendly prank….but these other messages were rather mean spirited).

        Unfortunately, we never found out who did it. The user said he didn’t give out his password, and he didn’t have it under his keyboard (I checked)…but somehow, someone got a hold of it.

        Like others have mentioned…catching messages on the server or having a policy in place to outline spot checks is a much better route to go.

        • #2907249

          Faking “from” address of email is easy…

          by sdrucker ·

          In reply to Giving out passwords is a no-no

          and generally doesn’t require knowing any passwords. That’s what it sounds like happened to your missionary guy.
          If you look at the headers of the original email, you can see what IP address it came from. I could send an email from president@whitehouse.gov to hillary@hillaryclinton.com telling her that her green pantsuit makes her feet look big.
          The FBI and Secret Service would be knocking on my door within a few hours for that little prank (the originating IP would track back to my ISP), but my name and email would remain anonymous to the recipient (until AT&T told them).

          Giving HR access to passwords seems irresponsible. You might compromise by giving a specific HR officer a special user/pw that has access to a SPECIFIC user’s home directory and email with a LIMITED time factor. They do have legitimate reasons to snoop (audit) occasionally, but if my HR rep had a user/pw list on her laptop (that her boyfriend/corporate spy/hacker might get access to), well, bad things could come from that.
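          sdrucker's point above, that a From: address proves nothing while the Received: headers record where a message actually entered the mail system, is the kind of check IT would run on the "resignation" e-mail in notsochiguy's story. The following is an added example, not code from the thread or from any poster: it parses a constructed sample message with Python's standard `email` module, walks the Received: chain from the earliest hop, and compares the originating address against the company's own address ranges. The message, hostnames and network ranges are invented for the example; only Received: lines written by your own relays can be trusted, since anything below them may have been supplied by the sender.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not taken from the thread). The From: header claims
# an internal sender, but the Received: chain shows where the message really
# entered the mail system. Each relay prepends its own Received: line, so the
# last one in the header block is the earliest hop, i.e. the real origin.
SAMPLE_MESSAGE = """\
Received: from mail.example.com (mail.example.com [198.51.100.10])
\tby mx.example.net with ESMTP id abc123; Mon, 1 Jan 2007 10:00:00 -0500
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mail.example.com with ESMTP id xyz789; Mon, 1 Jan 2007 09:59:50 -0500
From: "CEO Office" <ceo@example.com>
To: hr@example.net
Subject: I resign
Content-Type: text/plain

Effective immediately.
"""

# Bracketed IPv4 literal after "from": the address of the host that handed the
# message to this relay, as observed by the relay rather than claimed by the sender.
_FROM_IP = re.compile(r"\bfrom\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.DOTALL)


def received_chain(raw):
    """Relay-observed source IP of each hop, earliest hop first."""
    msg = message_from_string(raw)
    hops = []
    # get_all returns headers top to bottom; the bottom one is the earliest hop.
    for header in reversed(msg.get_all("Received", [])):
        match = _FROM_IP.search(header)
        if match:
            hops.append(match.group(1))
    return hops


def originating_ip(raw):
    """First hop in the chain, or None if no Received: header carried an IP."""
    chain = received_chain(raw)
    return chain[0] if chain else None


def from_address(raw):
    """The sender address as claimed in From:, which any client can set freely."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1]


def origin_is_internal(raw, internal_networks):
    """True if the originating address falls inside one of our own networks
    (CIDR strings). A message that claims an internal sender but entered from
    outside deserves a closer look before anyone acts on it."""
    ip = originating_ip(raw)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in internal_networks)


if __name__ == "__main__":
    print("claimed sender:", from_address(SAMPLE_MESSAGE))
    print("hops, earliest first:", received_chain(SAMPLE_MESSAGE))
    print("origin inside 198.51.100.0/24:",
          origin_is_internal(SAMPLE_MESSAGE, ["198.51.100.0/24"]))
```

          In the sample the claimed sender is ceo@example.com, but the company relay recorded the message arriving from 203.0.113.77, an address outside the assumed internal range, which is exactly the kind of discrepancy VPN and login records can then be checked against.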

      • #2904817

        email auditing policy

        by drakebrown ·

        In reply to NO!

        I like that idea of an email auditing policy which would be in the form of an official request signed by the President of the company. I hadn’t thought of that.

        Thanks
        Drake

    • #2905893

      as a rule of thumb

      by jck ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      I cannot vouch for law in your state or jurisdiction.

      Emails that are sent or received on company computers are viewable by the company management at any time for any reason.

      However, as Director of I.T., you are not obliged to divulge ANYONE’s password. That is not only a violation of system security, for which YOU are directly responsible, but it is also not the right of anyone other than the user to know his or her password.

      If the Director of H.R. keeps insisting, take this to your immediate supervisor for consultation with your corporate legal counsel.

      I believe you are in the right. Providing them access to emails is one thing, but giving them sensitive account information is wrong and could put you and your employer in jeopardy.

      • #2904822

        nice summation

        by drakebrown ·

        In reply to as a rule of thumb

        I believe this to be the clearest most accurate view of any suggested.

        Drake

    • #2905823

      Sounds like trouble

      by himdownstairs ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      To me it seems like your HR department is overstepping its boundaries. While it’s important to monitor if a user is abusing policy, it’s also important to not go on a witch hunt. HR needs to let the people who deal with computers deal with computers. Shouldn’t they be dealing with more pressing issues (i.e. creating policies protecting an employee’s personal information)?

      • #2904826

        It is trouble

        by drakebrown ·

        In reply to Sounds like trouble

        Thank you, that was my initial reaction. Ironically, the HR director subtly implied she may sue me if the person she wanted to investigate ever threatened her. The argument HR made was one of “I went to I.T. and they wouldn’t get me the passwords, thereby putting me (the HR director) at risk.” My point was to allow her to see it but under controlled supervision with the President of the company’s approval. I would then log into that person’s account and supervise HR’s inquiry into the various emails requested. The fact that she might sue me because I didn’t roll over for her is very disconcerting.

        Drake

        • #2906707

          That is a threat!

          by 1bn0 ·

          In reply to It is trouble

          And the last time I looked at the labour laws here, it was ILLEGAL

    • #2905822

      HR is not IT

      by cactus pete ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      HR personnel do not generally have the background required to properly do this sort of IT work. That’s why there is an IT department, after all…

      Also, why in the world would you know everyone’s password? Shouldn’t passwords be changed regularly, as well? Are you to provide updates to the HR department every time someone changes their password?

      I suspect HR doesn’t understand much at all about IT, since they asked for this in the first place. Passwords are to be secret. That’s why we have elevated admin accounts that don’t need a user password to view the data…

      If there is a legitimate need for HR to see something, they should provide IT with detailed search criteria so you can help them out.

      Now, if they are investigating an IT employee, obviously you, as the director, need to be the one handling the search.

      Frankly, I am astonished that HR would have such little knowledge about what they can or can’t do, or should or shouldn’t do. I’d watch my 6 if I were you.

      • #2904831

        why I.T. has passwords

        by drakebrown ·

        In reply to HR is not IT

        You raise a good point, one that I have wrestled with. When I set up a new user I have my unix server generate a random password, which generally meets the requirements of a good password, and then instruct the user that they can change it if they want. Most never do. Also, I have found through experience that it is a big headache to not be able to log in to that person’s account to troubleshoot an issue as the individual sees it. Sometimes the problem has to do with a user’s profile, for instance. Anyway, even though I have elevated status I still couldn’t troubleshoot someone’s email problems without logging in as them. But it does put me in an ethical dilemma at times. That is why I instruct them to change their password if they prefer. Perhaps you have a better strategy.

        Drake

        • #2904810

          What if

          by wesley.chin ·

          In reply to why I.T. has passwords

          What happens in a scenario when a user changes the password, only the employee knows what it is, and then later down the road the employee can’t log in to his computer….

        • #2904778

          Then you reset it to a temporary p/w and require them to change it.

          by charliespencer ·

          In reply to What if

          The user logs in with the temporary p/w and is then prompted to create a new password. This is SOP in almost all shops.

        • #2906929

          Hmm

          by wesley.chin ·

          In reply to Then you reset it to a temporary p/w and require them to change it.

          It may be doable in a network with a server, but if there isn’t one, then that might not be an option.

        • #2904345

          Sure it is

          by ic-it ·

          In reply to Hmm

          Manage – Local users and Groups – Right-click a user – Properties – User must change password on next logon. 😉

        • #2930521

          Don’t keep the passwords

          by cactus pete ·

          In reply to why I.T. has passwords

          If you generate it and give it to them without forcing them to change, just give them the original copy and never record it.

          Should you need to log in as them later, ask them what the password is, and don’t record it.

        • #2930473

          I wouldn’t even do that.

          by charliespencer ·

          In reply to Don’t keep the passwords

          If I need to log on as them, I’d force the password to a new one, use it, and force a p/w change after I log them back in.

          I don’t ever want to know a password, and I’ll force you to change it if you tell me.

        • #2930444

          actually

          by cactus pete ·

          In reply to I wouldn’t even do that.

          I was going to suggest you WALK over to the user and look at their system. Or at least make them type in their password.

          But I wasn’t sure about the whole setup. I realize sometimes you have to balance security and functionality. (for example, the user can’t ever have the password accepted – it’s a keyboard issue…)

    • #2904811

      I would advise of options

      by tonythetiger ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      Most email systems have methods of looking at email without logging in as the user.

      In my opinion passwords must be kept private. Otherwise why even have them?

      • #2904421

        Similar in concept to Payroll

        by drakebrown ·

        In reply to I would advise of options

        That was my point originally. Passwords by definition must remain private and kept from all parties. Obviously I.T., since they set it up, will know the passwords. I see it similar to Payroll. Of course no employee has access to other people’s wage information except their own. The Payroll Dept of course does have that information. They simply have to be trusted to be confidential. The same with I.T. I’m going to have information (like passwords) that no one else has. I simply have to be ethical and confidential. And no one else should get that information unless approved by very senior and/or upper management. I don’t consider HR senior or upper management.

        • #2906718

          You have the passwords??!!!!!

          by ic-it ·

          In reply to Similar in concept to Payroll

          You should set it up initially, then force a user must change on next logon. This protects you as well as the user.

        • #2906700

          IT does not have the passwords

          by rfink ·

          In reply to You have the passwords??!!!!!

          In most OSes the passwords are unknown to the administrators. They have the power to reset them, but they don’t have the power to see what they currently are.

          IT couldn’t give the passwords away if it wanted to.

        • #2906689

          Read his third sentence

          by ic-it ·

          In reply to IT does not have the passwords

          Then my response will make sense. It should not have the password after initial account setup.

        • #2906675

          Obviously I.T., since they set it up will know the passwords

          by tony hopkinson ·

          In reply to Similar in concept to Payroll

          I’m getting confused here.
          That you have, say, the sa password for a database server, or the domain admin, fine.

          You shouldn’t have any passwords for anybody else though. Setting-up wise you might know it until the user first logs on and is forced to enter their own, but that’s it.

          You are on seriously shaky ground here, the standard get out for this is “I don’t have their password”, and you shouldn’t.

          How could you prove it was me who sent the email, could have been you. I’m not suggesting you’d do such a thing, but a lawyer will…..

        • #2906615

          The bottom line is

          by tonythetiger ·

          In reply to Similar in concept to Payroll

          if anyone knows anyone else’s password, they could pose as that person. Not only would it be possible to use someone else’s account to perform some bad act, it gives the account holder deniability should they perform a bad act.

    • #2906664

      take it to the boss

      by oz_media ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      Your boss or the owner should authorize this; it is not your responsibility to do so unless your employer asks you to. HR is just a group of employees; would you give the receptionist all the passwords for office admins?

      It is not YOUR call and it is not HR’s call, only the owner/boss has authorization to allow computer access.

    • #2907286

      Security Breach

      by samuellthomasjr ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      Apparently, you have a turf battle at hand. HR is HR; and IT is IT. Information Technology, and anything related to it, remains the pre-eminent responsibility of the CIO or Director of Information Technology. Providing your or another person’s password to anyone else is a complete violation of every security policy ever written and enforced.

      Monitoring is the answer. Monitor network utilization by HR and everyone else, including web content and email filtering. Extract detailed reports of non-business related activities and you will find that HR is the biggest culprit. The password thing is a smoke screen. Focus on what is really happening.

      You are totally correct in NOT providing the passwords, but permitting company HR & Security to work WITH you to resolve security breaches. Be Proactive! And see how quickly HR backs off.

      I had an HR Director who was breathing down my neck. She was using an outside HR firm to do her job. Little did the CEO and CFO know this, until I provided the network logs of activity between that company and ours … and the origination. She was stood down very quickly; required to do her job; and stayed clear of me the remainder of the time I was there.

      There are several issues here, rolled into one. But, the underlying issue is security. Users are provided with an initial password and required to change it frequently.

      HR’s ploy compromises security of your Information Technology infrastructure.

      Review and audit your company’s security standards. Make certain this policy completely defines “appropriate business use”. Make certain that this policy is included in the employee handbook and each employee signs an agreement to adhere to this policy. That is where HR’s responsibility stops! Then it becomes your responsibility to assure compliance.

      To avoid these issues, most companies that I consult with implement security standards that avoid the root cause and negate the HR invasion.

      Email content filters do have the capability of detecting, storing and preventing delivery of illegitimate or compromising email. And, you, as the Director of IT, determine the flow direction. Most of this filter software also has notify capability, acting as a “red flag” to potential security risk.

      Much like web content filtering, email filtering software for security content comes in many flavors. The more granular the software, the more expensive it becomes.

      I hope this helps avoid the scourge. Good luck in dealing with HR.

    • #2930313

      How can you even give a password?

      by gsg ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      I’m perplexed at how you would even know their passwords. Unless you have a system that stores the passwords as clear text somewhere, you shouldn’t be able to even see them.

      We assign a password that is set to expire at first logon. The user signs in and can go no farther until they change it. If they forget it, then we reset with a generic and the whole dance starts again.

      No one, not even an IT person should be able to know anyone else’s password, so any request to have someone’s password would be impossible to grant.

      (Of course, I’m ignoring key loggers and other hacking tools)
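      Several posters make the same two points from different angles: rfink and gsg note that an administrator can reset a password but cannot read it, because only a salted hash is stored, and charliespencer’s auditing procedure (#2905902) turns that into a process: a signed request, a reset to a temporary password, the audit done with at least two people present, and a forced password change at the employee’s next logon so the reset leaves a trail. The code below is an added illustration of both, not code from the thread or from any poster; the store, the PBKDF2 parameters and the approver/witness rules it enforces are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# PBKDF2 work factor: an assumed value for illustration; tune it for real hardware.
ITERATIONS = 200_000


@dataclass
class Account:
    salt: bytes
    digest: bytes        # PBKDF2 output; the plaintext password is never stored
    must_change: bool    # the "user must change password at next logon" flag


@dataclass
class AuditEntry:
    user: str
    action: str
    requested_by: str
    approved_by: str
    witnesses: tuple


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """Toy credential store: an admin can set or reset a password but cannot read one."""

    def __init__(self):
        self.accounts = {}   # username -> Account
        self.audit = []      # append-only list of AuditEntry

    def _set(self, user, password, must_change):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _derive(password, salt), must_change)

    def create_user(self, user):
        """Create an account with a random one-time password and return it so it
        can be handed to the user once; the store itself keeps only the hash."""
        temp = secrets.token_urlsafe(12)
        self._set(user, temp, must_change=True)
        return temp

    def verify(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.digest, _derive(password, acct.salt))

    def must_change(self, user):
        return self.accounts[user].must_change

    def change_password(self, user, old, new):
        """The user changes their own password; only the user can do this,
        because only the user can present the current one."""
        if not self.verify(user, old):
            return False
        self._set(user, new, must_change=False)
        return True

    def admin_reset(self, user, requested_by, approved_by, witnesses):
        """Supervised reset for an audit: needs a named approver and at least
        two people present, issues a fresh one-time password, forces a change at
        next logon and records who asked. The old password is not recoverable."""
        if not approved_by:
            raise ValueError("reset requires a named approver")
        if len(witnesses) < 2:
            raise ValueError("at least two people must be present for the reset")
        temp = secrets.token_urlsafe(12)
        self._set(user, temp, must_change=True)
        self.audit.append(AuditEntry(user, "reset", requested_by, approved_by, tuple(witnesses)))
        return temp

    def record(self, user):
        """Everything the store holds for a user: salt and digest, nothing else."""
        acct = self.accounts[user]
        return acct.salt + acct.digest
```

      Because `record()` is the entire stored state, there is nothing for HR to demand: the only way to open the mailbox is a logged `admin_reset`, and the employee discovers it at their next logon, which is what makes the trail charliespencer describes believable.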

      • #2930910

        I came to that conclusion myself

        by drakebrown ·

        In reply to How can you even give a password?

        You’re right. At first I thought it a hassle to have to always ask for a password from users. So I just stored them in a DB and used them when needed to log in on their PC. I trusted my ethics. But now I realize knowing this info is a liability that I would prefer not to have.

        • #2930796

          You asked for their passwords?!?!!

          by gsg ·

          In reply to I came to that conclusion myself

          And they actually gave them to you? That is a huge no-no here. We train our people to not do that and actually fired one of our IT people for asking. There’s no reason for an IT person to know any one’s password here.

          If they need help and we need them logged on, then they have to stay with us. Otherwise, we’ve opened ourselves to a big risk.

        • #2931400

          Hold on there

          by drakebrown ·

          In reply to You asked for their passwords?!?!!

          Look, I am the I.T. manager. The only I.T. person here at this company. I set up all new users and give them a randomly generated password. I don’t have a huge staff. I am the staff and I set the policy. That’s why I’m asking the question. How are others doing this and handling this?

        • #2931395

          I AM the IT staff here

          by dumphrey ·

          In reply to Hold on there

          and I have no idea, or any desire to know, the users’ passwords. As the IT manager I can reset a password, but the user would know right off when they come back. As a rule, I do not reset a user’s password without their consent. And on our network, there has not been an issue I could not work around until the user became available.

        • #2929631

          IT numbers

          by gsg ·

          In reply to Hold on there

          I was just saying how we do it at our organization. In fact, we are audited yearly by the state and at a minimum every 3 years by the JCAHO, and that’s one of the things that can affect our licensure. It would take about the same amount of time to reset a password in AD as it does to look up the user’s password in a database (I’m assuming that you run Windows, as I’m not that familiar with other OSes).

          The point here is that it’s just not recommended as good practice for you to know their passwords. If one of them downloads child porn, they could say that you did it as you know their passwords.

          HR may force you to turn over passwords now, but in the future, if keeping the passwords in a database is not your organization’s policy, I’d seriously consider not keeping them. When they expire then this becomes a moot point, as they will then change their passwords and you can tell HR honestly that you have no idea what they are. That removes you as the middle-man and the perceived bad guy when your end users find out. And they will find out.

    • #2931396

      A lot depends on your company email policy

      by dumphrey ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      But access to email is one issue, access to their password is another. If they want to monitor email, they need to pay for a solid solution, or use the MTA to copy all incoming mail to their account 😉

    • #2931388

      DUPE POST

      by oz_media ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      DUPE POST

    • #2931381

      not an issue

      by Anonymous ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      Where I am, there is a person who has a list of the passwords of all employees. So that issue is a non issue here.

    • #3015976

      we need to go as per the company policy

      by urpraveens ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      We need to go as per the company policy. This needs to be escalated to higher management. Finally, passwords are highly confidential. Don’t disclose them to anyone and don’t provide them to HR either.

    • #3015845

      Proper way to handle this

      by theprofessordan ·

      In reply to HR DEPARTMENT DEMANDING EMPLOYEE PASSWORDS

      My opinion is that you approach the HR Manager and tell him that he can have the passwords as long as there is a written policy in place agreed upon by whatever form of executive committee or board your organization has. I am not opposed to HR doing this, but there have to be concrete policies in place to protect the company in case of potential lawsuits. This will either open the door for discussion or close it, because the HR manager will know that they are out of line.
