
Inside Internal Controls

News and discussion on implementing risk management


IT-guy writes script to delete records…and wipes phone despite director’s pleas to “stop!”

Employers have been cautioned to be wary of insiders with the potential to cause the organization great harm. For instance, employers are often advised that if they are terminating IT personnel they should do so with pay in lieu of notice, instead of working notice. A recent hearing in Manitoba illustrates the insider risks associated with IT roles.

Background

The Grievor was a well-educated, high-performing, senior Technology Transfer Specialist (TTS) in the Technology Transfer Office (TTO) at the University of Manitoba (the University). Before his termination, he had never been disciplined or given a negative performance evaluation.

The TTO helps to commercialize inventions of University researchers. TTSs assess patent potential, conduct market assessments, prepare commercialization plans and confidentiality agreements, and negotiate licences. Wrongfully disclosing or compromising TTO’s confidential information could be devastating. It could negate a successful patent filing, expose the University to suits for lost opportunities or breach of confidentiality, and make third parties reluctant to deal with the University. Given his level of responsibility and independence, trust was a significant component of the Grievor’s employment relationship.

Excessive personal calls and deleting cell phone records

Around October 2013, the TTO’s Director met with the Grievor to discuss excessive personal calls on the Grievor’s University-issued cell phone. The Grievor was contrite and promised that the excessive personal calls would end (and they did). Given the pattern of calls, the Director suspected the Grievor of having an affair, and testified that at the end of the meeting, as a friend, he warned the Grievor to “be careful”. The Grievor characterised the warning as a threat. Coupled with other factors, the Grievor said this caused him to fear that the Director, and potentially others, would use the affair against him, for example to blackmail him or ruin his reputation.

Around January 21, 2014, the Director discovered that shortly after the October 2013 meeting, the Grievor altered some Rogers cell phone bills stored on a shared drive. The Grievor testified that his belief that the Director had threatened him, and his belief that the TTO was monitoring his cell phone usage, triggered a need to protect his privacy. Therefore, he wrote a script to easily delete the pages of his phone bills that logged his call details, from 2011 to 2013. After running the script, he discovered that he had also accidentally deleted records for all other TTO employees.

Meeting re paid suspension to facilitate further investigations

On discovering that the Grievor had deleted phone records, and in light of other suspicions, the Director testified that he was concerned about what other information had been lost or otherwise compromised. The University decided to place the Grievor on a paid suspension to facilitate an investigation. The Director convened a meeting with the Grievor, without giving him advance notice, but arranged for his union representative and Human Resources (HR) to be present.

As the meeting began the University disabled the Grievor’s access to email and other systems. He was informed that his cell phone and computer would be examined as part of the investigation, and was asked to hand over his cell and keys for the duration of his suspension. Reluctantly, the Grievor agreed and left the meeting to retrieve the items. Meeting participants heard him slam his office door, and when he did not return immediately, the Director went to his office to check on him.

Wiping of the phone and the malfunctioning computer

The Director saw the Grievor at his desk, going into settings and wiping his phone. The Director asked him to “Stop!”, but the Grievor continued and explained that he was just deleting his personal information. The Grievor ignored at least 3 other pleas to “Stop!”. During the exchange, the Director called for another employee to witness what was happening. In under a minute the Grievor wiped his phone of all information.

After passing the phone to the Director, the Grievor bent down, presumably to turn off his computer, and also asked to speak to his union representative. The Director left to get the union representative while the employee who witnessed the wiping of the phone stayed behind. The Director testified that when he had first come into the office the Grievor’s computer had been on (i.e. it was working). The Grievor himself testified that he was using his computer shortly before he went into the meeting. When the Director and the union representative returned, the computer was off.

A day after the Grievor was suspended, the Director tried to start the Grievor’s computer but it would not boot up then, or anytime after. The University did not determine the reason for the computer’s malfunctioning. The Grievor testified that his only guess was that his “hard” shutdown irreparably damaged the computer. The University felt that it was possible, but unlikely, that the “hard” shutdown damaged the computer, and felt that the Grievor had removed one of the hard drives or otherwise damaged the computer.

Obey now, grieve later and other defences

A key aspect of the hearing was the Union’s reliance on the privacy exception to the “obey now, grieve later” (ONGL) principle. Under that exception, employees may be justified in refusing orders that impinge too deeply on their personal lives and privacy. The exception may be appropriate where the grievance and arbitration process cannot provide adequate relief to the employee who obeys an order that turns out to be illegitimate or illegal in some way. In that event, the potential harm the employee could suffer would be more compelling than management’s need to maintain authority. The Union argued that the University had provided the Grievor with no assurances that his privacy would be protected and had provided no ground rules about how it would conduct the investigation. The Grievor had Gmail, texts and other personal information in his phone, and once he handed it over, the Union argued, he would lose control. Both the Union and the Grievor downplayed the seriousness of deleting the phone records, arguing that the records could be restored or retrieved from backup, Rogers or other copies.

The arbitrator’s decision

The Arbitrator explained that to access the ONGL exception, employees must communicate to management the reason for refusal to obey. The Grievor did not do this, or ask for any assurances about his privacy. Instead he wiped the phone and pre-empted any ability of the University to address his concern. In fact, the Arbitrator said, the University had acted reasonably in its approach to the Grievor’s privacy. For example, it arranged for HR and union representatives to attend the suspension meeting, and in conducting its investigations, assigned someone outside of the immediate TTO group to review the Grievor’s emails.

The Arbitrator reiterated that employees, like the Grievor in this case, have no reasonable expectation of privacy regarding emails, if they know that emails may be monitored. The Arbitrator also found it troubling that the Grievor was unwilling or unable to grasp that he had no right to surreptitiously and unilaterally alter the employer’s business records, even if the records could be easily restored or retrieved. Contrary to the Union and the employee’s assertions, the Arbitrator also found that the Grievor breached the University’s express policy on the use of computer facilities.

The Arbitrator made several other findings, key among them that: (i) although the Grievor had opportunity and motivation to disable his computer, the technical nature of the issue and the circumstantial evidence made it unsafe to infer that he had damaged his computer; and (ii) while the Grievor had accidentally deleted the records for other employees, his wiping of the phone after repeated, unequivocal instructions to stop constituted deliberate insubordination.

The Grievor maintained that despite everything, he “absolutely” could return to the TTO under the current Director. Disagreeing, the Arbitrator felt that the best indicator of hope for renewing an employment relationship was the employee’s attitude toward, and understanding of, his misconduct, and that progressive discipline might have been appropriate had the phone-wiping incident not occurred. Since the Grievor showed no sign of remorse, did not apologise and did not understand or accept that what he did was wrong, he would likely continue to reject his Director’s authority to manage and could not be reinstated.

This case illustrates the inherent risks created by the right IT skills, improper motives and a poor attitude. It illustrates why employers are cautioned to be wary of insiders with the ability to cause harm. Before terminating or suspending IT personnel, employers should consider various ways to secure equipment and data.

The case can be found here: http://canlii.ca/t/gkm5n

University of Manitoba v Association of Employees Supporting Educational Services, 2015 CanLII 49535 (MB LA)

Information Technology PolicyPro, published by First Reference, provides information on the controls and the policies needed to minimize situations such as these and their ability to cause harm to your organization.

Apolone Gentles, JD, CPA, CGA, FCCA, BSc (Hons)

Apolone Gentles is a CPA, CGA and Ontario lawyer and editor with over 20 years of business experience. She has held senior leadership roles in non-profit organizations, leading finance, human resources, information technology and facilities teams. She has also held senior roles in audit and assurance services at a “Big Four” audit firm. Apolone has also lectured in Auditing, Economics and Business at post-secondary schools.