When it comes to securing employees’ email accounts against internal hacking, leave nothing to chance. Make it clear that you forbid employees from illegitimately accessing co-workers’ email—and that it’s grounds for dismissal.
Be sure to spell out exceptions, such as allowing some computer administrators to access accounts when necessary for operational reasons.
The best policy is to always require approval from a designated manager before going ahead. That way, there won’t be any surprises like the one in the following case.
Recent case: Kathleen worked for Riverside County as a local area network administrator. Computer security was among her job duties. In a county career that spanned more than 17 years, Kathleen had an exemplary employment record with no disciplinary black marks.
Then, two of her subordinates discovered that Kathleen had been accessing other employees’ accounts, although they could not tell whether she had in fact read any emails. They went over her head to report their suspicions.
The county conducted an investigation and made the decision to terminate Kathleen, especially after she admitted reading one email and opening an attachment. She claimed during the investigation that she did so for good reason; she said it was an effort to recover an accidental deletion. She also said she accessed accounts because she felt it was part of her security duties. She denied reading any other emails, but was terminated anyway.
When Kathleen sued, an arbitrator concluded the county didn’t have just cause to terminate Kathleen, given her long employment history. Plus, he reasoned that no one had specifically told Kathleen she couldn’t access the accounts. He then ordered reinstatement. An appeals court upheld the arbitrator’s decision. (County of Riverside v. Matheson, No. E053005, Court of Appeal of California, 4th Appellate District, 2012)
