In our November 8, 2013, post No Hall Pass for School Officials in School Texting Scandal, we discussed the impact of inappropriate and possibly illegal employee activity on company-owned electronic devices for both employees and organizations. Now, we turn our attention to the company’s IT staff, and the professional, legal and ethical dilemmas many might face when dealing with the improper conduct of employees.
The Importance of IT Protocols
Employee misconduct comes in many forms – the conduct might simply amount to a violation of company policy or it might amount to a criminal act. Regardless, organizations should consider implementing protocols for IT staff to follow when reporting and/or investigating the possible misconduct. For example, chain-of-command – to whom will IT staff report possible misconduct? Is there a direct line to a supervisor, or does the IT professional report these incidents to a senior level manager? What happens if, as in the Coatsville case, the IT staffer believes the supervisor is involved in the illegal conduct? Does corporate protocol anticipate these circumstances? These questions should be discussed with all stakeholders so that the IT protocol includes a procedure that works for the organization. So, what are the important takeaways relating to IT protocols?
- The protocol should tell IT staffers what to do with evidence of possible misconduct. For example, who is responsible for and/or authorized to report possible misconduct to senior management and/or law enforcement personnel.
- Organizations should train IT staff on the protocol so that they know how to respond when confronted with possible misconduct.
- The protocol should outline to IT staff when to engage with inside or outside legal counsel to insure that preservation obligations of the company are met. IT staff should not be forced to make this important decision in a vacuum.
As we often say, a good protocol should tell employees what responsibilities that each employee holds, and the obligations of those employees to perform certain duties when they are faced with employee misconduct.
What to do When Law Enforcement Becomes Involved
Another issue that should be addressed for your IT professionals is what to do when, as in Coatsville, law enforcement personnel become involved. For example, in the Coatsville matter, the IT Director was first told by the District Attorney to preserve the integrity of the computer system and its content as evidence of an alleged illegal act. Then, the Acting Coatsville Superintendent directed the IT Director to give-up the computer codes to an outside computer firm. The IT staffer walks a tightrope in complying with the directives of a supervisor while simultaneously following the legal requirements to preserve data and records for criminal prosecution. What can a company do?
- Have a protocol in place that clearly delineates how IT personnel should react to involvement of law enforcement.
- Supervisors or managers too should know how to respond to reports of misconduct. For example, supervisors and managers should know that intimidation of IT professionals is not appropriate following a report of possible misconduct. For a good example, see dailylocal.com,More details in alleged harassment of texting scandal whistleblowers, October 1, 2013. (The Acting Superintendent’s email to the IT Director ordering compliance with his demands lest he be slapped with insubordination regardless of what the county’s district attorney ordered).
According to the District Attorney involved in the Coatsville matter, an organization facing a criminal investigation should map out a clear strategy for preserving any computer evidence, backing up files with minimal disruption to the organization’s operations, and then a plan to communicate the strategy to law enforcement personnel to prevent any inference of company interference in the investigation. See edweek.com, Pa. Texting Scandal Highlights Complexities for IT Leaders, October 16, 2013. “The IT director really at that point has a double set of duties,” Mr. Hogan said. “They have to preserve any data that might be related to the investigation from the standpoint of the government. They also have a duty to follow any lawful orders of the [enterprise] regarding that data.” As noted above – thinking about this upfront so that IT professionals have a protocol to follow would have alleviated some of the strain on the IT Director in this case – as well as the possible conflict with local law enforcement.
Do you Hire an Outside Forensic Vendor?
Finally, another big issue commonly faced by organizations is when to hire an outside forensic firm to preserve computer evidence and the integrity of the entire computer systems. The retention of an outside firm can help negate any inference that the business is involved in covering-up, or worse, destroying, evidence. A well thought out and documented protocol might include a section addressing when to hire a forensic computer firm, how that firm will be retained, and who will be responsible for working with the firm. Preservation of evidence is an important component of any potential legal action – criminal or civil. As a result, having a clear road map of how an organization responds to preservation of evidence can help save the organization from the threat of sanctions if litigation later develops.