6

I work with someone, I'll say her name is Jane, who is an administrative assistant here. Jane discovered that unbeknownst to her, someone had set up several automatic forwarding rules in her Outlook. She has been with the company at least a couple years, so for all she knows this could have been going on the whole time (not sure). In any case, emails that were sent to her were getting automatically forwarded to multiple people, including her own peers who are other administrative assistants equal to her, all without her knowledge (until discovering the rules).

Are there standard ethical rules regarding this type of thing? It seems like there should be something wrong with that. But simply googling this I do not find what I'm looking for. Maybe that means there are no such ethics, in which case, probably the best thing to do is just let it go (now that she's turned them off). But I wanted to try to find out. Thank you!

ANSWERS TO QUESTIONS IN COMMENTS:

Our company does not have a documented internal privacy policy (not that I'm aware of, anyway. If it does, it is not in a place that everyone has access to).

She is not sure whether everyone who was getting her emails is aware it was without her knowledge. But PRETTY sure at least one of them was aware of this.

Jane does not know who set them up, or why they were set up. Though the suspicion is purely for singled-out monitoring and micro-managing, given these same peers also try to track her exact arrival and departure times (we do not use key cards or anything like that) and things like that.

No, it does not look like these forwarding rules were also set up for the other people. Jane does not get anyone else's email. I personally do not have any forwarding rules set up either, and know of others that do not.

9
  • 2
    Some of this will come down to your company's privacy policies. In some companies work emails are company property with no expectation of privacy, in other companies your communications are explicitly your property unless a court orders otherwise.
    – Myles
    Commented Mar 23, 2016 at 18:44
  • 5
    If she is singled out and only her mails are being forwarded to her peers while her peers were keeping their emails to themselves, it might be a problem. But in general, workplace email is the employer's property and one should have no explicit or implied expectancy of privacy.
    – MelBurslan
    Commented Mar 23, 2016 at 18:47
  • 1
    @MelBurslan Implied privacy of email varies a lot. In my company without a court order we are not even allowed to view the email of employees who have died. Apparently this is in compliance with German privacy laws.
    – Myles
    Commented Mar 23, 2016 at 19:14
  • 1
    I'm curious: How did she discover the rules were in place? Was she trying to set up a new rule or did she have an idea that something like this was going on? She should talk to her direct manager about this. If her manager doesn't know anything about it then there might be a far larger problem that the company needs to investigate.
    – NotMe
    Commented Mar 23, 2016 at 23:50
  • 2
    @MelBurslan her e-mails being employer property is one thing, sharing them without her knowledge is another. Assuming that the employer has the obligation to protect her personal data, any e-mail from HR with such data opens the company for a lawsuit, if that mail got disclosed to her peers.
    Commented Mar 24, 2016 at 12:06

6 Answers

8

As silly as this may sound, I'm willing to bet Jane set this up a long time ago by accident or someone did for her and she forgot about it. In my experience with non-tech people, I found they did all sorts of bizarre things. If Jane sends you a picture via pasting into Word, you can bet she doesn't know anything about what a "Rule" is.

Unless the rules somehow targeted something specific like forwarding any personal or bank account information, I really can't say anything malicious happened here. I would also think about the consequences of these rules. Did people play cruel jokes on her by knowing something from the emails? Or did they collaborate with her such as, "I saw the email from Joe and I think we should go ahead and set up that ASAP."

My guess is the simplest. If she has no idea how to use a computer, chances are the rules were accidental, or intentional with unintended consequences. E.g., she wanted to forward customer replies to her workers but she didn't understand the rules would also send anything else.

4
  • 4
    If I was getting forwarded emails I would ask why.
    – paparazzo
    Commented Mar 23, 2016 at 20:22
  • @Paparazzi True. It's entirely possible that 2 years ago Jane went on vacation, set up a forward rule by the office techie, then said to everyone, "I'm off to vacation and I set up a rule to forward you my message." When she came back she forgot about it and so did everyone else until someone new came along and asked.
    – Dan
    Commented Mar 24, 2016 at 12:21
  • 1
    She set it up 2 years ago, forgot, people have been getting her email for 2 years, and no one has said "you are back from vacation, you can turn off forwarding." Yes, possible.
    – paparazzo
    Commented Mar 24, 2016 at 12:36
  • There is no way she set these up herself - she didn't even know how to find them. I showed her how to find rules when she came to me with the suspicion that her peer was getting her emails. And if anyone had ever collaborated with her on any of those then she would know they were getting forwarded.
    – Andy
    Commented Mar 24, 2016 at 13:59
4

As a "just in case whoever did this was careless" step, go into the properties of the undesirable .rwz file and get the details of date created and owner. This isn't 100%; however, if the file was created by one of the suspicious peers, that is a pretty strong indication of malicious intent. If one of the email receivers created the file, that is likely enough to bring to HR. They will need to be asked if they did it and confronted with evidence if they deny, or come up with a business reason if they come clean. If they are caught lying, or no business reason can be presented for modifying a co-worker's computer without their knowledge, then you have a pretty strong case for disciplinary action.

Ethically even if her emails are company property that does not mean that they are authorized to be shared with the particular people who were receiving them (just like you can't take all of your boss's emails when they aren't looking even though those emails are company property).

3
  • Thanks, Myles. Though as far as I know, the .rwz file is only created when you export the rules. If Jane does that then the details of that file of course are going to say Jane made it today. So unfortunately it's not helpful. I tried googling how to find out who originally made a rule, but am not finding anything.
    – Andy
    Commented Mar 23, 2016 at 20:57
  • Sorry Andarta that was phrased badly on my part. I intended that to be a part of the perpetrator needing to be careless. More likely that the perpetrator built this rule on their machine, exported it to a thumb drive or common drive and then imported it rather than building it from scratch on her system (unless she leaves her computer unlocked and unattended for long periods of time). If they left this file on a common drive or on her machine you have evidence.
    – Myles
    Commented Mar 24, 2016 at 14:26
  • oooooh...I see, @Myles. Interesting idea, I hadn't thought of that. I searched on our shared drive and that didn't have anything. I could maybe have her try looking on her computer. Though recently her computer needed some sort of work done so the IT guy here was on it anyway - it would have been very easy for someone to have him set it up directly on her machine either then or when she was first set up on it. Thanks!
    – Andy
    Commented Mar 24, 2016 at 16:17
1

Andarta, while legal answers may be off topic for this site, legal resources are probably your best resource for ethics questions. Law and ethics are tightly intertwined and that is where you will find the most thorough discussion of what constitutes ethical conduct in this context.

The ethics and legality of what happened are discussed in broad terms in this piece on Privacy in the Workplace from The Berkman Center for Internet & Society at Harvard Law School. In particular, read the introduction. It says that the law in this area is new and evolving. It also provides links to additional resources.

I don't think that Jane should let this go. Jane should not just go to HR, but also to the legal department, and ask them about their internal privacy policy, and tell them about her situation. She should have a conversation with them about this and explain how this made her feel. Does she want to know what to expect from the employer with respect to her privacy? Tell them that. Does she feel that without a policy she feels afraid of doing her work? Does not having a policy contribute to a culture of fear in the workplace? Tell them that. Tell folks in HR and in Legal.

It's not about filing a lawsuit. It's the Legal folks' job to write the privacy policy. It's not an HR job. So she should go to both HR and Legal and convey that this situation made her feel uncomfortable, and she would feel better if there were a privacy policy at the company.

As others have said, this might have been an innocent technical issue, or may be a sign that the company is monitoring employees and not telling them about it. Or that she is being singled out. Or that there is a malicious employee playing a trick on her. She won't know until she has that conversation. And even then she may not know. But if she is worried and wants to know the truth, this is the way to peace of mind. She should not get angry. She should go with an attitude of curiosity. Don't pass judgement on the company or on HR or on Legal until you hear their side of the story.

7
  • 1
    Most employers will have an IT or privacy policy that states "All electronic communications may be monitored" (and most employees barely skim over those policies in their handbook) but even without such a policy, I think the employer is still in the clear to monitor work emails. Courts have found that employers are generally free to read employee email messages, as long as there's a valid business purpose for doing so.
    – Johnny
    Commented Mar 23, 2016 at 20:23
  • @Johnny that may well be true. But I still think that Jane should talk to the legal folks. It's not about filing a lawsuit. It's the legal folks' job to write the privacy policy. It's not HR's job. So she should go to them and make the case that this situation made her feel uncomfortable, and she would feel better if there were a privacy policy at the company.
    – Give Love
    Commented Mar 23, 2016 at 20:42
  • @Johnny - I understand that technically yes, companies "own" employees' emails and have a right to review them if necessary. But in this case, she was not given a valid business reason for it, and it is her peers getting her emails, not her boss who would be doing the reviewing.
    – Andy
    Commented Mar 23, 2016 at 20:44
  • @Andarta - She doesn't need to be given a valid business reason for it, the employer just needs to have a valid business reason. The business case doesn't need to involve a supervisor reviewing her emails, it can just be something as simple as "She's an important member of the Admin team that many in the organization rely on, and we need others on the team to be able to respond to her emails if she's not available". Businesses don't just technically own employee emails, they do own them and are responsible for them.
    – Johnny
    Commented Mar 23, 2016 at 20:53
  • Employer's right to monitor email is not the same as right to forward to random people without informing the user. Monitoring is generally covered as an IT or compliance department's responsibility, not one for your peers.
    – cdkMoose
    Commented Mar 23, 2016 at 22:50
0

Whether it is legal is a legal question and off topic for this site. The law differs from country to country.

Let's assume it is legal.

If this was legitimate then most likely it would have been done at the mail server level or Group Policy so she would not know.

If these emails were going to multiple parties they had to notice. FW will be in the subject and the mail sent to you.

I have not verified but if they really were forwarded then they should be in the sent items folder.

I would go to your boss. As it is also kind of a violation of his/her privacy if his/her emails were forwarded.

If you don't feel like you got a good answer from your boss then you can go to HR.

0

Assuming you have a competent admin, this is most likely done by a peer. The admin would be able to do this invisibly at the mail server.

My advice to her would be to remove the rules and see if anyone asks why, and then query why they were there. She shouldn't be doing anything that she needs to hide on her work email anyway. Until someone says something just ignore it, there are too many reasons why it might have been done, both legitimate and malicious.

This underlines why people need to lock their machines when they don't use them, and have a strong password (you can actually password protect your .pst file as well). That way if anything has changed you know that it was done by admin and can query them as to why if you feel the need.

6
  • 1
    Actually, as an administrative assistant, there are plenty of confidential emails that she might need to hide from peers and others within the company. These emails might be part of a confidential discussion with her manager and/or HR. Lack of privacy for herself does not mean that just anyone in the company can read her email.
    – cdkMoose
    Commented Mar 23, 2016 at 22:39
  • I agree with cdkMoose. One thing that comes to mind is whether those other admin assistants are spying on her particular boss. Honestly, I'd bring this up with management.
    – NotMe
    Commented Mar 23, 2016 at 23:52
  • Good points, but I'm not the paranoid sort, I tend to take things at face value unless I have a reason not to. So I would assume there was a legit reason at some point in time. I can't see what bringing it up with management would do in a positive way. Start an investigation and make it the office drama of the week? Investigation hasn't much chance of turning anything up. Better to make someone show their hand than look sideways at everyone.
    – Kilisi
    Commented Mar 24, 2016 at 0:58
  • 1
    If it was an attempt at sabotage, why would the attacker do a blanket forward to multiple people? And on top of that, nobody saying anything for seemingly a very long time? It seems like either everyone is in on it or somehow the rule was set up on purpose at some point and just forgotten about. It seems logical to me that someone attempting espionage would try a more covert approach, such as asking a sysadmin, or if they knew her password, why not simply log in every night and browse emails/files instead of a blanket forward rule?
    – Dan
    Commented Mar 24, 2016 at 16:49
  • 1
    I should also add, if it was an espionage attempt, wouldn't the perpetrator always be one step ahead of Jane? Or at least some sort of internal problems such as accounts missing or identity stolen? Seems like if it was something like that, the attack would be known or at least something fishy would be going on.
    – Dan
    Commented Mar 24, 2016 at 16:53
0

If Jane is absolutely sure that she didn't set this up herself (perhaps when taking leave at some point?), then 2 options remain.

One, is that it is an official action to monitor her mailbox. It's quite common among administrative pools to have some form of email sharing setup, though if this was the case she would be aware of it, and there are better ways to implement this. It could also be for disciplinary or performance reasons, but again there are much better ways to set this up. And, ethically she should be made aware of that, and in many jurisdictions, legally she would have to be informed too.

Second, it is an unofficial action, either set up by another assistant or by her manager. This is effectively spying and, if there's any chance that she would receive sensitive material by email, a security breach. Sensitive material doesn't have to be classified military secrets; it could be personal employee information (payroll, reasons for absences), it could be a manager's calendar, it could be customer information or details of potential customers or sales, it could be details of an upcoming product/service, etc.

In either case, I think Jane should consider acting as if it is a security breach and reporting it as such. How she actually does this will depend on her organisation, it may be more appropriate to approach her manager directly (unless she suspects him/her of involvement), or it may be more appropriate to talk directly to IT or IT security. Her organisation's computer usage policy may give some guidance.

If this is something unofficial, it will bring in the right people to address it, if it's something official then at least she will know and will be addressing it head on, and by highlighting how it has been handled may also be protecting herself.
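
What IT or IT security could run once this is reported, as an added example that is not part of the original answers: it flags inbox rules that forward or redirect mail and groups them per mailbox, which shows whether one person was singled out. The function name, mailbox names and sample rules are hypothetical; the property names are those returned by Exchange's `Get-InboxRule`.

```powershell
# Added example (not from the original thread). Reports inbox rules that copy
# mail to someone else. Input objects use the property names of Get-InboxRule.
function Get-ForwardingRuleReport {
    param([Parameter(Mandatory)] [object[]] $Rules)

    foreach ($rule in $Rules) {
        # The three rule actions that send a copy of incoming mail elsewhere.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        if (-not $targets) { continue }   # rule does not forward anything

        [pscustomobject]@{
            Mailbox    = $rule.MailboxOwnerId
            RuleName   = $rule.Name
            Enabled    = $rule.Enabled
            Recipients = ($targets -join '; ')
        }
    }
}

# Constructed sample data standing in for Get-InboxRule output (hypothetical names).
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'jane'; Name = 'Rule A'; Enabled = $true
        ForwardTo = @('peer1@example.test', 'peer2@example.test')
        ForwardAsAttachmentTo = $null; RedirectTo = $null },
    [pscustomobject]@{ MailboxOwnerId = 'jane'; Name = 'Rule B'; Enabled = $true
        ForwardTo = $null; ForwardAsAttachmentTo = $null
        RedirectTo = @('peer1@example.test') },
    [pscustomobject]@{ MailboxOwnerId = 'peer1'; Name = 'Move newsletters'; Enabled = $true
        ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null }
)

$report = Get-ForwardingRuleReport -Rules $sampleRules
$report | Format-Table -AutoSize

# Forwarding rules per mailbox: a single mailbox in this list is the
# "only her mail is forwarded" situation described in the question.
$report | Group-Object Mailbox | Select-Object Name, Count

# Against a live Exchange, run by an administrator in the Exchange Management Shell:
#   $rules = 'jane', 'peer1', 'peer2' | ForEach-Object { Get-InboxRule -Mailbox $_ }
#   Get-ForwardingRuleReport -Rules $rules
# Forwarding configured on the mailbox itself by an admin is not an inbox rule
# and is invisible in Outlook's rules list; check it separately:
#   Get-Mailbox jane | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```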
