Just testing the water with the IT geeks out there who might know.....
How effectively does MS Outlook recall work? Specifically when the emails are being sent outside of the organisation to a range of different email accounts (gmails, iclouds, yahoos, company emails etc)
We were on holiday last week and in my wife's absence her line manager (company director/part owner) sent an email out to a very (1500) large number of people but did it in such a way that all contact information was viewable to all recipients (something to do with a limit of 100 from a Bcc). She went into my wife's account (directors have full access to all employees' email accounts and go in frequently) and did it from my wife's email address so it looks like she made the error. The people on this email really really should not be able to see who else was sent information. They sent a recall about an hour later when they realised what they had done.
Walking into work this morning to a bombardment of complaint emails, Mrs C was mortified. It's an industry where your reputation is built on your ability to work confidentially and the email list included personal friends as well as just about everybody who is everybody. She thinks her personal reputation is in tatters. I fear she might be right.
She wants, nay demanded, that the company director that used her email address send out a communication making it clear that it was not Mrs C's error but so far they are refusing as they are trying to get to the bottom of how many emails got recalled before being read (can you do this?) and don't want to highlight the problem to people who didn't notice? I think the other reason is the director is pretty teflon and clearing Mrs C would mean implicating herself. My wife was all up for resigning and walking away from them (this was a final straw) but appreciates they will just ensure it looks like it was her fault if she does. Currently considering her next steps, getting a lawyer involved etc. Future at the firm is not the issue - getting away with a reputation to get another job is more the motivation.
So how effective is an Outlook recall? My wife's personal email address was on the list and she got it. 50% of her friends she's checked with did too.
The recall only works (and only if not opened) for mailboxes on the sender's Exchange Farm so completely ineffective.
My experience of people recalling Outlook emails from other organisations is that all it does is send you a lovely email that says that the sender would like to recall a previous email. Which of course one then reads fully to try and find out what was wrong in it.
Once it has left the Exchange server that your mailbox is on it is effectively gone. And once it is outside your organisation it is gone for good.
My experience of people recalling Outlook emails from other organisations is that all it does is send you a lovely email that says that the sender would like to recall a previous email. Which of course one then reads fully to try and find out what was wrong in it.
Got to confess this is mine too.
Which of course one then reads fully to try and find out what was wrong in it.
+another
In my experience; not very effective at all.
some reasons why from Microsoft
Message recall is not successful if one or more of the following conditions are true:
The recipient is not using Outlook.
The recipient is not logged on to the mail service provider.
The recipient is using Cached Exchange Mode and is working offline.
The original message is moved from the Inbox. This can occur when rules are used.
The original message is opened first and marked as read. This can occur when the message is displayed in the Preview Pane or Reading Pane.
But when you say all contact info, do you mean all or just an email address?
If your wife was away then surely she has an alibi in the event of a tribunal. If a friend has the original email the header may contain origination information showing where it was sent from. If your wife wasn't physically at work then she has a leg to stand on. If it was sent from Outlook Web App by the director then this should be traceable too on the exchange server.
Personally I think the director should come up with a bloody good excuse for the cock up and apologise to those who received the email. If not then the evidence will be available from one of the 1500 people contacted and whoever looks after the exchange server.
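The header check suggested in the post above, as an added example that is not part of the original thread: it walks the `Received` chain of a saved message oldest-first and reports the submitting client, its IP, and the first relay IP that the recipient's own server recorded (hops before that point are written by the sending side and are only as reliable as that side). The sample message, every host name and IP in it, and the function names are constructed for illustration.

```python
"""Trace where a message entered the mail system from its Received headers."""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample: every host name, address and IP below is invented.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.25])
\tby inbox.recipient.example with ESMTP id abc123;
\tTue, 14 Jul 2015 10:02:11 +0100
Received: from mail.firm.example (mail.firm.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456;
\tTue, 14 Jul 2015 10:02:09 +0100
Received: from DESK-07.firm.example ([10.1.4.23])
\tby mail.firm.example with MAPI id 14.03.0123.003;
\tTue, 14 Jul 2015 10:02:05 +0100
From: Employee <employee@firm.example>
To: someone@recipient.example
Subject: Newsletter
Date: Tue, 14 Jul 2015 10:02:04 +0100
X-Originating-IP: [10.1.4.23]
Message-ID: <1@firm.example>

body
"""

# "from <host> ... [<ip>] ... by <host>" after the header has been unfolded.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9A-Fa-f:.]+)\].*?\bby\s+(?P<by>\S+)"
)


def received_hops(msg):
    """Return the Received hops oldest-first (headers are stored newest-first)."""
    hops = []
    for raw in msg.get_all("Received", []):
        flat = " ".join(raw.split())          # unfold continuation lines
        match = HOP_RE.search(flat)
        if not match:
            continue                          # hop without a bracketed IP
        try:
            ip = ipaddress.ip_address(match["ip"])
        except ValueError:
            continue                          # malformed address literal
        try:
            when = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            when = None                       # timestamp missing or unparseable
        hops.append({"from": match["helo"], "ip": ip,
                     "by": match["by"], "time": when})
    hops.reverse()
    return hops


def summarize_origin(raw_message, recipient_domain):
    """Summarise the submitting client and the first independently seen relay.

    recipient_domain is the domain of the mailbox that received the copy being
    examined; the first hop stamped "by" one of its servers is the earliest one
    that was not written by the sending organisation.
    """
    msg = email.message_from_string(raw_message)
    hops = received_hops(msg)
    if not hops:
        return None
    first = hops[0]
    suffix = recipient_domain.lower()
    verified = next((h for h in hops if h["by"].lower().endswith(suffix)), None)
    xoip = (msg.get("X-Originating-IP") or "").strip("[] ") or None
    return {
        "client_host": first["from"],
        "client_ip": str(first["ip"]),
        # True for RFC 1918 and similar ranges, i.e. a machine on an internal LAN.
        "internal_client": first["ip"].is_private,
        "submitted_at": first["time"].isoformat() if first["time"] else None,
        "x_originating_ip": xoip,
        "verified_relay_ip": str(verified["ip"]) if verified else None,
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for key, value in summarize_origin(SAMPLE, "recipient.example").items():
        print(f"{key:18} {value}")
```

An internal client address ties the message to a machine on the sender's network, not to a person, and many mail systems strip internal hops before a message leaves, so an absent client hop proves nothing either way.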
they are refusing as they are trying to get to bottom of how many emails got recalled before being read (can you do this?)
Providing that a read receipt is setup and displayed and clicked on by the recipient, yes.
But when you say all contact info, do you mean all or just an email address?
I do. But the issue (which I don't want to elaborate on for obvious reasons) is that your email address being on the list makes an implication you may rather not want other people making of you (professionally).
some more here, down at the bottom; https://support.office.com/en-gb/article/Recall-or-replace-an-email-message-that-you-sent-35027f88-d655-4554-b4f8-6c0729a723a0?ui=en-US&rs=en-GB&ad=GB&fromAR=1
I do. But the issue (which I don't want to elaborate on for obvious reasons) is that your email address being on the list makes an implication you may rather not want other people making of you (professionally).
Recruitment agent then.
Or escort agency 😀
As everyone has said, the recall is completely ineffective, the only time it can even be remotely useful is if everyone is on the same domain and exchange server and you recall almost immediately.
The horse has truly bolted and them saying they are trying to understand who saw it is just wasting time/avoiding responsibility.
Legally speaking I have no idea where your wife stands. I am not sure if there is anything that can be done regarding the misuse of her computer accounts (company directors or not).
Depending on the industry an Ombudsman of some sort might be interested in how this data was mishandled?
If she were to pursue this legally I would recommend gathering all evidence and speaking to a union rep (if she is a member). It is likely that any case would hinge upon proving someone else accessed her accounts (if the boss won't cough to it); but gathering forensics from her work machine from a hostile employer without their permission might be difficult...
In many organisations sending an email using someone else's account would be a very serious transgression.
Teflon tends to be scoured off by gross misconduct. Disclosing data, using another's account without express permission and there's probably more. If the organisation has DMARC set up then the sending machine IP address will be disclosed in the header. If this shows an office based machine then Mrs Convert is in the clear and Mrs director is screwed and needs to polish her CV.
As a follow on, if the directors have access to everyone's mailboxes none of the employees can be held responsible for any email sent.
The employee simply points out that a number of people have access to the account and repudiates the email.
This is one of the reasons that we urge people not to share accounts in this way.
It might be amusing to send an email to the recipients pointing out the director had sent the original email - then denying having sent the email.
It might be amusing to send an email to the recipients pointing out the director had sent the original email - then denying having sent the email.
I had considered that! Yes, I was always very dubious of their email culture and the expectation to share passwords with directors (or rather they are given passwords and not given the ability to change them). Small company with rubbish policies syndrome (and employees without the balls/confidence/job security) to point out it was wrong.
As others have said a recall outside of Exchange Server simply sends you another message highlighting a cock up! There will be no way to tell how many of those messages were actually deleted and how many were opened.
The email addresses of the recipients are personal data (within the Data Protection Act), however if as your post suggests the data imply something which might have a significant effect on the person then you are into "sensitive personal data" territory. The ICO expects people handling such information to have suitable safeguards in place. That would include generally not giving Directors free rein to send on behalf of others.
The ICO expects you to deal with complaints quickly, and also to have plans in place to respond promptly to any data breach. Waiting to see how many complaints you get is neither good "customer" service nor the right way to respond. The breach has happened even to people who don't complain and they have a right to expect to be informed. If a data subject isn't satisfied with how the data controller responds they can complain to the ICO, case law has now established they can now claim for damages too.
If the implications of the breach are as bad as it sounds then (1) I'm not convinced email address books is the right place to store the information and mail out to all users as mistakes happen; (2) if someone thinks it is worth having a no >100 Bcc's rule then I think it is also worth adding a rule to maximum number of to/cc's as well (probably about 20-30 before you should automatically be raising your eyebrows). It's even worse that this person intentionally added them rather when the Bcc limit gave them a moment to pause and think.
I think your wife is quite right to expect a "public" correction / apology that clearly says it wasn't her behind the email (as well as fixing the issues).
^^ what poly said.
Thanks Poly - very comprehensive response.
The data is not held in address books but rather on a firm wide database. Harvesting the information and exporting out to an email ties up the computer and the user's access to the database for a lengthy period (half an hour or so) so I think she used my wife's account and computer to keep hers free to continue to work on. Whatever, not good.
If your wife has union membership, or legal cover on house insurance, I would speak to them ASAP. I would also be doing everything through email or meetings with union rep or colleague present, and full notes taken.
The company and director have blown it. Blame and processes can happen in future.
Your wife however may be able to salvage something of reputation, however if she cannot then some suitable recompense is due.
As they're finding out - Outlook isn't really the right tool for this. At a push they should be doing a mail merge rather than cramming the addresses into the bcc.
Even on the same exchange server, once read, the message rarely disappears...
In many organisations sending an email using someone else's account would be a very serious transgression.
This is the nub of the issue. Using another employee's account is a complete no-no in any organisation with a proper IT security policy, exactly because of this sort of situation. You still see it happening sometimes, typically with senior execs who hand over management of their email account to a PA.
If your wife's employer has a properly written IT policy, the line manager's actions should be a clear breach, and responsibility will be an open and shut case. Of course, taking on the owner/director, if they are refusing to step up and admit their error, is not going to be very easy.
The recall is pointless. They need to assume that everyone still has access to the email.
Using a shared email from a generic address is not uncommon but having access to a named email account is odd imo. Sometimes I see a sent on behalf on the bottom but in everywhere I have worked using someone's account email is a no no... Every so often information is sent to the wrong people and someone is out the door.
The company should be sending out a mass email (but not in a crap way) apologizing for the previous communication citing whatever failure they decide is appropriate. Well this should have been done at the point of recall but they can at least try to salvage something but I would guess the only thing left is to make a scapegoat out of someone and publicly push them out. Hopefully not your wife.
Has she at least changed her password (and refused to give it out) to stop someone doing it again?
Has she at least changed her password (and refused to give it out) to stop someone doing it again?
Makes no difference if they have permission to her mailbox.
The data is not held in address books but rather on a firm wide database. Harvesting the information and exporting out to an email ties up the computer and the user's access to the database for a lengthy period (half an hour or so) so I think she used my wife's account and computer to keep hers free to continue to work on. Whatever, not good.
convert I dare say many people here would be able to advise on better ways (or at the very least a more efficient export - it should take seconds!). However whilst a convoluted route to extract the emails is perhaps better than the main address book, obscurity is not the same as security. The proper solution does not involve the user ever having a big list of email addresses in a file which they can (ab)use, but has a tool that says 'send this message to all users [flagged as xyz]' and then the back end does the work.
On a more practical note....
if the boss is refusing to do it, what's to stop your wife from emailing everyone apologizing, and explaining that (whilst she was on holiday) one of her colleagues accessed her account and sent out the offending mail? No need to point the finger.... but stating that she was on holiday, makes it clear to all that it wasn't her cock-up.
It's one thing for the boss to refuse to step up and accept personal responsibility, and quite another to prevent your wife from sending one.
I would probably give her boss a deadline - after which she will send the email herself.
Yep what batfink says, give them the deadline and as said above there are tools to send on behalf of, people can have access to your mailbox properly as but the audit trail remains.
Unless it's a great place to work (doesn't sound like it) a further ultimatum about change in practices, investigation as to how such a breach/screw up occurred (formally) and policies as to how to stop it happening again along with a formal public apology would be the minimum I'd be looking for.
If she is planning to leave then a full summary to be prepared to be submitted to relevant ombudsman including things like all management having the passwords to all accounts and details of what happened and why. If nothing happens send it regardless.
I'd be making sure a copy of the list of names falls into my bag at the end of the day too. Print it out. Just in case this situation goes horribly wrong. And the email.
Auditing is there as long as it is turned on, it (Exchange) has been told what to audit, and how long to retain it. So don't rely on it. I also like the word "hostile" used above to describe the person guarding it. A fair assessment of mail administrators when they are questioned in my experience (assuming this company even has one).
I would be seeking professional advice if there is reputational damage.
Did she have an Out of Office turned on - the complainers would have got that at least.
Ugh what a horrible IT policy, smacks of Directors being control freaks and not trusting their employees. Your wife has every right to demand a public apology, I'd also say they need to agree to review their policies around this to ensure such a situation doesn't reoccur (at least without it being due to gross misconduct), doesn't seem like that's likely to happen though in this case.
Update.
Legal advice being sought as we are both unhappy with the steps that have been taken have been done in such a way to protect my wife's reputation. In fact opportunities have been deliberately missed with complainants to not make clear the apparent sender of the email was not responsible or even at work at the time. Some junior looks like they are going to carry the can and the director get off with nothing.
Regarding logins and passwords in a business.... Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it? I've taken advice from the IT bods where I work and they find it unfathomable. Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin who will collate them and save them in a password protected file which only member of senior management can access. That sounds inept, paranoid and controlling and all kinds of wrong to me. And as stated above it would surely be almost impossible to pin malpractice on anyone as they could always claim that others had access to their accounts so it is unprovable. I sure as hell would not want to be that member of admin with access to all that information.
Poor Mrs C, this has really affected her both through worry for her reputation and lack of trust for her present employer. About one step from a bit of breakdown I fear. She knows she has enough info to whip up a world of legal pain for the director and firm but knows doing so will also mean she is unlikely to work in the profession again. And none of it was her fault.
Sounds awful.
My previous employer had a policy that using someone else's account was grounds for dismissal.
She knows she has enough info to whip up a world of legal pain for the director and firm but knows doing so will also mean she is unlikely to work in the profession again.
I'd say that she is due a very large payout from an employment tribunal for reputation damage.
Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it?
Seriously? A copy of that instruction would help Mrs C's case.
Regarding logins and passwords in a business.... Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it?
WTF?
As "admin" I can log into your account without password whenever I want, why would I need your password? This goes for just about any OS under the sun. Sounds like those IT people are just incompetent.
As xora says, why would admin need your password anyway? I can change any user's password and I can access their document share (though not emails) without even doing that. Of course what it allows "senior management" to do is use anyone's account without their knowledge.
Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it?
I have, and I've fought tooth and nail against it. One of the branches at a previous employer did this, their logic was that "someone else can use their workstation if they're away." They were oblivious to the notion that they were network passwords and anyone can log in anywhere. (For added lols, the password list was securely held in an unlocked desk drawer.)
In the rare cases where it's actually necessary to log in as someone else, their passwords can be reset by the systems admin. If people need access to others' emails (eg, a PA to a director sending mail on their behalf) then rights can be delegated to those users.
If your password is known by *anyone* else you no longer have any accountability, and that's a Bad Thing. Someone gets caught surfing for porn on their lunch hour, "oh, it wasn't me, could be anyone who's seen the password list."
Yes, last two places, the IT dept (one was an external supplier) asked for passwords. I resisted, but was told to tell them. Just seemed totally wrong, but I wasn't IT so had to do as was told.
I sure as hell would not want to be that member of admin with access to all that information.
On a point of order, when I was in IT I always instructed people *not* to tell me their password (usually before they blurted it out unprompted but not always). I don't need it, and I absolutely don't want it. I don't want the finger of suspicion when you do something stupid tomorrow. If I need to monitor, say, Internet activity or emails then I'd do that serverside where access control is tightly controlled and readily visible.
The policy we had is that if something is done in your name, you're culpable. Either you did it, or you were careless with your passwords and that's still your fault. A management policy demanding passwords undermines that. I can only assume / hope that it's born out of ignorance. If it were me in IT there I'd be asking why they felt they needed to do this and then if it was reasonable I'd give them what they needed in a proper, controlled fashion. "Password lists" are insane and there's absolutely no justifiable reason to do it.
Yes, last two places, the IT dept (one was an external supplier) asked for passwords. I resisted, but was told to tell them. Just seemed totally wrong, but I wasn't IT so had to do as was told.
I'd have refused, or given them a password and then changed it the next day.
In fact that's just reminded me, years back my non-technical boss kept demanding the master domain admin password. After a bit of to-ing and fro-ing with me getting busted for giving him dummy passwords, I wound up creating a new Admin account and revoking the rights on the Administrator account to turn it into a regular user with 'log on locally' rights to the server. He was happy with that, he tested the login to see that it worked but didn't actually try to do anything.
devash - Member
She knows she has enough info to whip up a world of legal pain for the director and firm but knows doing so will also mean she is unlikely to work in the profession again.
I'd say that she is due a very large payout from an employment tribunal for reputation damage.
Nope - not a chance. Tribunals only award for financial losses and there are no grounds for going to a tribunal here.
Well maybe if she is in a position that she ends up forced to resign (constructive dismissal) and is able to show the reputational damage has cost her further employment.
However from what we know I don't see this as a constructive dismissal at all
I think I would tell the director responsible that she needs to repair the damage to her reputation by sending a follow up email to the entire list stating it was not her who sent the email but someone else with access to her email and sod the bosses on that. If they sack her for that then a tribunal claim is much stronger.
Legal advice is a good step
Regarding logins and passwords in a business.... Has anyone (especially all you IT types that seem to lurk here) worked for an organisation where employees have been instructed to inform 'admin' of their new password(s) when they change it? I've taken advice from the IT bods where I work and they find it unfathomable. Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin who will collate them and save them in a password protected file which only member of senior management can access. That sounds inept, paranoid and controlling and all kinds of wrong to me. And as stated above it would surely be almost impossible to pin malpractice on anyone as they could always claim that others had access to their accounts so it is unprovable. I sure as hell would not want to be that member of admin with access to all that information.
Managers who don't understand IT are inevitably lost in the modern world. They likely haven't demanded this because they MUST have it but because they haven't understood the alternatives. Unfortunately success in IT isn't always linked to your ability to communicate effectively with the business stakeholders and so the IT team are at least partly to blame. It sounds like the sort of thing that happens in SMEs where there isn't a real IT person just 'bob' who likes computers and who made something in MS Access once and so fell into it.
...but knows doing so will also mean she is unlikely to work in the profession again. And none of it was her fault.
I don't know which industry she is in, but many of the more sensitive ones are much more enthusiastic about whistleblowers and those who stand up for doing things right than they used to be. I'd be surprised if the industry was so small it closed all doors. However, before she goes saying "none of this is my fault", I think there needs to be a moment of reflection, it was foreseeable that security breaches will happen with the approach they were taking. Everyone has a duty to highlight security vulnerabilities which affect people's personal data. If she works in a sector where she could really be expected to suffer huge reputational damage for this, I'd think having knowingly allowed this sort of account sharing to go on reflects badly too. It's difficult to know how much the "industry" would blame her, without knowing the industry or the size of the company.
Email admin a made up password...it will only be known when they try to use it again...
I don't know which industry she is in, but many of the more sensitive ones are much more enthusiastic about whistleblowers and those who stand up for doing things right than they used to be. I'd be surprised if the industry was so small it closed all doors. However, before she goes saying "none of this is my fault", I think there needs to be a moment of reflection, it was foreseeable that security breaches will happen with the approach they were taking. Everyone has a duty to highlight security vulnerabilities which affect people's personal data. If she works in a sector where she could really be expected to suffer huge reputational damage for this, I'd think having knowingly allowed this sort of account sharing to go on reflects badly too. It's difficult to know how much the "industry" would blame her, without knowing the industry or the size of the company.
You are absolutely right - I have been nagging her for a while about making a fuss but I'm far more bolshy at work and find confrontation less stressful. The issue is twofold however - there is the loss of reputation element but there is also the issue that the director is very well connected, indeed is regional chair of the professional body. It's not unknown for her to 'bad mouth' in subtle and underhand ways. Leaving on very bad terms would have an impact irrespective if you were 100% in the right. It would be really messy. Ultimately employers would look to avoid a new employee with a 'rumour' to their name - it's just not worth the hassle if you have another option.
FWIW one of my managers back in the dim and distant past (mid 90s) insisted on having access to all contractors accounts. Several of us refused. He threatened and blustered and swore. Until HR got involved.
Once they found out how long and how thoroughly he'd been doing it (he told them everything, thinking it was good, sensible management of contracting scum who can't be trusted) he was demoted, moved to another role, in another department on a different site. That was quite a major US corporation.
The issue is twofold however - there is the loss of reputation element but there is also the issue that the director is very well connected, indeed is regional chair of the professional body. It's not unknown for her to 'bad mouth' in subtle and underhand ways.
if there is anything concrete/traceable connecting the director to this sort of behaviour, they won't be regional chair for very long after the whistle has been blown.........
Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin
Quite apart from being bad practice it's hard to see why this would affect the likelihood of recurrence of the original problem. Is it a case of "we need to do something" and this is "something"? Odd behaviour if this is an industry where confidentiality is important.
What industry?
All in all this is a thoroughly disheartening thread.
Someone has done something stupid in a doubly stupid manner and the response is not to stop that ever happening again as a director will have complete power over the admin.
Get proper legal advice and then approach the company. If there is a regulatory body for the profession you may also consult them.
In the long run it might not be as serious as it seems to you/her right now. Granted, she has been shat on from a great height, but are the long term consequences as severe as you really think?
I work in a relatively niche career, so I know most people in the region who do what I do. I am on the local committee for my profession. People who are atrocious at their jobs, with a very poor reputation still somehow manage to keep employed. Your wife is probably well regarded in her region and professional circle, and there may be minimal long term consequences. That's the optimistic hope, anyway.
Was this act really a doomsday occurrence? If she is a recruiter and all her address book has been exposed, then is this so bad? Everybody is on at least one recruiter's address book somewhere. It doesn't mean we are actively looking for a new job.
I don't know enough about the specifics. But hopefully it's not at all as bad as it seems right now.
Is there anything stopping her from sending out an email apologising, explaining that it was done in her absence and without her knowledge / consent? I don't see why she'd have to "whistle-blow" just to go "wasn't me, guv."
Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin
Sounds like buck passing. They're not acknowledging where the root cause was, they're making it look like it was someone else in the organisation.
Sorry I'm late to the party. Is it likely that one of the many recipients happened to work at a place with decent HR and IT admin. Then such person went to speak to them saying 'This seems odd and wrong, it looks like they are sharing my personal stuff'. And they chose to act. Should there be a Responsible Person in Mrs c's work, to whom such complaints could be made? Head of data security, that sort of JD.
When the excrement hits the expelair, it would be nice if it landed at Board level.
Not suggesting that one of Mrs c's more personal contacts might make a fuss.
In the long run it might not be as serious as it seems to you/her right now. Granted, she has been shat on from a great height, but are the long term consequences as severe as you really think?
It's probably very difficult to keep everything in perspective and take a detached long term view, and obviously only your wife knows what her industry is like and how others in the industry and (potential/existing) clients might react if they learn what has happened, both the untrue version (she did it) and the truth.
I would be wary of acting too hastily, whether that be trying to force the company/director to tell all the email recipients that it was not her fault, or going along with any plan the company/director might have to placate clients without telling them the truth or even actively lying to the clients.
I suspect that her best approach may be to be patient and see how events play out, and respond to them accordingly only when they happen and when she can better see the lie of land as it were, rather than trying to force the issue which may be a high risk strategy for someone who is the more junior person in the organisation and industry.
Taking two extremes:
Firstly, this might prove to be a storm in a teacup which becomes ancient history in a few years, with no lasting damage to the company, the director, or your wife. If so kicking up a fuss now may be counterproductive.
Secondly, if the incident is going to cause major reputational and commercial damage, it is likely to be something that will take a little while to build up to a crisis point, and in that event the longer it goes on the stronger your wife's position and the weaker the director's, for the simple reason that it was the director's mistake.
Put crudely, if the whole thing can be easily and quickly glossed over by the company with no long term harm, the more likely it is that they will agree to cover up for their fellow director/part owner. It will probably only be if the stakes become so high that the future of the company (and the investment of the other part owners) is threatened, that those other owners would be prepared to publicly blame their fellow director, which would be a nuclear option, especially if it meant having to buy her out/pay her off, and might not be effective damage limitation if the company is fatally hurt by the incident anyway.
My advice would therefore be for your wife to play a waiting game for now and keep her options open. She probably needs to avoid being drawn into any cover up or fake explanation concocted by the company which would entail her telling lies to clients. At the same time for now she probably needs to avoid telling clients it was the director that did it. So she needs to be very careful what she says to clients. In her shoes if a client complained to me about what had happened, I would have a prepared script, e.g. maybe something like, "I'm extremely sorry this has happened. I am not in a position to be able to say what happened, but I can tell you that I did not send that email, and was on holiday at the time. I can only apologise [u]on behalf of the company[/u]". The trick is to communicate this message confidently, and not to 'protest too much' to clients that it wasn't her.
If clients complain directly to the directors/owners, and they threaten to blame your wife as part of a cover up, then I guess the gloves are off. Blaming your wife would be a high risk strategy for them, since it would leave them open not only probably to a case for constructive dismissal, but also defamation (destroying someone's business reputation by libel/slander would be an extremely expensive and damaging legal case for them to lose). If it gets to that stage, your wife will clearly need legal advice. Since the email went to your wife's private email address, she is presumably in a position to (threaten to) email the clients and tell them the truth, although that is a nuclear option. It might well be that the best option would be if the company offered her a life changing sum in compensation with a gagging clause, to enable her to retire early or retrain. If she blows the whistle, the company might be destroyed by the fall out, and your wife's career might still be harmed, but there would be no financial compensation.
If the complaint is related to disclosure of personal information could your wife whistleblow anonymously or get someone on the list to report the breach to the Information Commissioner's Office which then takes it out of the company's hands?
A likely outcome of this would be the company having to contact those on the list to explain the circumstances of the breach thus removing any perceived blame from your wife.
I looked into this for a different reason recently. You have to report the issue to the originating organisation first, and if you are not satisfied with their response then you contact the ICO. Might not be a bad approach though.
get someone on the list to report the breach to the Information Commissioner's Office
^ Given how much a year my company pays in ICO fees, please make them do some work.
Our IT Policy specifically prohibits the sharing of passwords and rightly so for user-specific accounts.
There is NO reason at all for someone else to know your password (assuming LDAP/Active Directory in place and nothing stupid is being done like using user accounts for things like SQL rights, service logons etc.). If you don't have centralised accounts and for some reason can't have multiple local accounts then use a generic account name so there's no implied accountability for you.
As has been said if an administrator/manager needs to be able to logon as your account then they should be given rights to change your password, not your password itself. Auditing should also be in place to clearly record the password change (and which account was used to make the password change).
If some crappy policy dictated I give my user account password to someone else then I would but I'd change it after and say I forgot (or made a typo in the email). Everyone sending their passwords via email is a joke in itself, email systems are one of the primary targets for anyone hacking into your network (and that could be a 5 minute phishing based attack not elite Russian hackers breaching your firewalls).
If someone needs to routinely access your mailbox for a legitimate reason then they should just be given rights to your mailbox (ideally not send on behalf of but at least even with that you can set up auditing easily enough to capture which account was used when the mailbox was accessed).
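The accountability point in the post above, as an added example that is not part of the thread: with delegated mailbox rights and audited password resets, each send can be traced to the account that actually performed it. The event schema, account names and 24-hour review window are assumptions constructed for illustration, not the output of any particular mail system.

```python
import json
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical one-JSON-object-per-line schema.
SAMPLE_LOG = """\
{"time": "2017-04-10T09:02:00", "event": "password_reset", "target": "employee@example.test", "actor": "manager@example.test"}
{"time": "2017-04-10T09:10:00", "event": "send", "mailbox": "employee@example.test", "actor": "employee@example.test"}
{"time": "2017-04-11T14:00:00", "event": "send", "mailbox": "employee@example.test", "actor": "admin@example.test"}
{"time": "2017-04-18T08:30:00", "event": "send", "mailbox": "employee@example.test", "actor": "employee@example.test"}
"""

def attribute_sends(log_text, window=timedelta(hours=24)):
    """Return one finding per 'send' event naming the account to review."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    events.sort(key=lambda e: e["time"])

    last_reset = {}  # mailbox -> (time, actor) of the latest reset by another account
    findings = []
    for e in events:
        if e["event"] == "password_reset":
            if e["actor"] != e["target"]:
                last_reset[e["target"]] = (e["time"], e["actor"])
            else:
                # The owner set their own password again: earlier resets no longer apply.
                last_reset.pop(e["target"], None)
        elif e["event"] == "send":
            owner, actor = e["mailbox"], e["actor"]
            reset = last_reset.get(owner)
            if actor != owner:
                # Delegated rights: the audit record already names the real sender.
                who, basis = actor, "delegated access"
            elif reset and e["time"] - reset[0] <= window:
                # Logged on as the owner shortly after someone else reset the password.
                who, basis = reset[1], "owner logon after reset by another account"
            else:
                who, basis = owner, "owner logon"
            findings.append({"time": e["time"].isoformat(), "mailbox": owner,
                             "attributed_to": who, "basis": basis})
    return findings

if __name__ == "__main__":
    for finding in attribute_sends(SAMPLE_LOG):
        print(finding)
```

With a shared password none of these distinctions exist in the log: every send is an owner logon and nothing ties it to the person at the keyboard.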
Can't understand why people allow places like these to get away with this kind of behaviour.
They probably forge your signature too "for convenience".
ICO sounds a good bet.
Anyone see "Line of Duty" last night? "I need your username and password" Here it is on this Post It note! thanks!
I thought that was the most unrealistic part of a pretty far fetched storyline... apparently not!
Information Commissioner's Office
I don't think they would be at all concerned with a visible email "in copy" list, in fact they might well tell you to stop wasting their time.
If it's a breach of data protection which on the surface it would be then they would be interested.
Effectively the company gave everyone on the list everyone's email address. That's a clear breach of data protection in my book. Also the email address might not have been given to the company for this purpose - another breach.
You should anonymize this thread.
1. If the industry is "legal" then anonymize further.
2. Remove the bit about regional chair. Easily identifiable.
Yesterday (in light of what happened last week) all employees have been emailed and told to change their passwords but then email the new ones to a member of admin
Humm changing everyone's password to one you know and preventing them from changing it would be bad.. but would be one approach.
Attempting to share mailboxes by asking people nicely for their passwords then hoping they will send the correct one seems pretty silly to me.
I'm the world's worst (self appointed) email administrator and I'd not even do that 🙂
Incidentally,
Given the whataboutery of the importance of this "industry" she's in, I'm guessing that they're placed to legally require a Data Protection Officer. What do they have to say about the matter?
Effectively the company gave everyone on the list everyone's email address. That's a clear breach of data protection in my book
email address isn't classed as sensitive data from a DPA perspective, so the ICO wouldn't be [I]that[/I] concerned
Also the email address might not have been given to the company for this purpose
I think the chances are that the email address was given for the purposes of email contact, which is exactly what it's been used for. It doesn't sound like a marketing mailing.
Judging by convert's posts, the company sounds like a relatively small one, and the industry itself is not that large. Given that, to suggest whistleblowing or that convert's wife should seek recourse under the Data Protection Act (or that she should encourage clients to do so) is naive.
That sort of approach might be appropriate for large corporations (but see the recent example of Barclays where the CEO tried to identify an anonymous whistleblower), it's unlikely to be appropriate for a small business, unless in a heavily regulated industry where enforcement action could well result in someone being barred from the industry by the regulator or courts. In comparison to that any enforcement action under the Data Protection Act is likely to be trivial.
If convert's wife is in something like the recruitment industry, then this is going to be fundamentally a matter of professional reputation and its commercial impact on the business and on the career of convert's wife. Her problem is that the person who sent the email using her email address is a director and part owner with a lot of influence in the industry. That means convert's wife is in a very weak position, and the only thing in her favour is that she was not responsible for the mistake.
Does she work for an administrators? 😀
Seems that the folks managing the Trans Savoie administration had a bit of a Friday afternoon moment and CC'd all the creditors at once (then issued 4 recalls) *oops*
I'm desperately resisting the urge to reply to all 😀
They probably forge your signature too "for convenience".
I have our Director's signatures as PNGs, handy if I need to knock up a letter of invite etc for someone and no one is about..
Any update on this? I am curious as to how it turned out and what the legal implications are
I have our Director's signatures as PNGs, handy if I need to knock up a letter of invite etc for someone and no one is about..
I got asked by one of our admins if I had an electronic signature.
What she meant was 'did I have a scanned .tif of my signature'.
Not quite the same thing...
I have our Director's signatures as PNGs, handy if I need to knock up a letter of invite etc for someone and no one is about..
Pretty modern solution if you have PNGs. I have to admit that I actually wrote code to automate a factory's orders to suppliers via fax back in the 90's. The system used signatures from BMP files 🙂
Still the situation described by OP sounds quite nasty, almost Trumpian.
Pretty [s]modern[/s] stupid solution if you have PNGs.
FTFY.
"Back in my days we only had ones and zeroes to program with, these days the youth have PNGs and everything..."
Any update on this? I am curious as to how it turned out and what the legal implications are
Not good.
All the right people were informed (by the company owner) so the legal and compliance side all good. However director continued to lie about what happened through the investigation and 'manipulated' the apologies to affected people to cover her own involvement and allow enough grey to imply Mrs C's guilt.
Relationship broke down - essentially this woman is a bully and couldn't stand being challenged. This was only one of a number of issues with her but it's fair to say sociopath and compulsive liar are phrases Mrs C would use to describe her. She went in today and resigned (to the owner not the director, citing the director's lack of morals and professionalism and attempted bullying after the incident as her reasons for leaving). Resignation accepted and she was home by midday with the director shouting insults at her across the open office as she left the building. Since getting home she has had a volley of messages from other employees wishing her well and how much they would not have been able to work with the woman in the way Mrs C had to.
Probably good grounds for constructive dismissal - I'm no lawyer but she might explore that when the dust has settled. Just glad she is home and out of that toxic environment. We'll worry about rebuilding her career once she has had time to lick her wounds and if nothing else she'll get to enjoy the summer whilst looking for a job. Some things are more important than money.
Ta for the update
Seems to me like a possible constructive dismissal - far closer to it than the usual examples on here. I wouldn't let the dust settle too long and I would get legal advice on this
I think I would threaten constructive dismissal and look for a payoff in exchange for silence.
Sounds awful.