If some of your employees are found to have misused their work email or internet accounts, will they have violated the company’s ethics policy? Yes, if the ethics policy in some way addresses misuse of company assets.

As many employees learn to their dismay every year, a majority of businesses monitor what their employees do online. A study by the Bentley College Center for Business Ethics, for example, found that 92 percent of American businesses with ethics officers monitor their employees’ email accounts. And, according to a different study conducted by the American Management Association and the ePolicy Institute, more than one-quarter of employers have fired employees for misusing work email and more than  one-third have fired employees for misusing the Internet (Willens, 2015).

As stated, companies often spot possible misconduct by monitoring employee email activity and internet use. Sometimes, too, employees report suspected misconduct, either directly to a supervisor or via an ethics hotline.  There is, or should be, a process in place for investigating further.

But, what happens if there are reports that company email addresses have been found on an unsavory website? What happens if there are reports linking company employees’ names to an unsavory website, even though the employees may have used personal email or personal internet access to engage with the site? What happens if such a website is hacked, its users’names and email addresses leaked, and company leaders ask themselves whether any company employees show up on the list? Events surrounding the recent hacking of the Ashley Madison website and subsequent release of names and related email addresses have raised these kinds of questions.

What should you do? What should you not do?

According to the Society for Human Resource Management (SHRM) in its article “Ashley Madison Hack: A Cautionary Tale for HR”, by Aliah Wright (2015), you should enforce computer use policies; you should not sift through Ashley Madison’s (or any similar site’s) hacked information. That would not be morally right.

More specifically, you should first make sure that company ethics, email, and internet-use policies are up to date and clear. Then, use the situation to remind all employees that work email, internet, and smartphone accounts are for work use only; personal business, beyond some reasonably defined level of incidental personal use, must be conducted on personal time using personal computers, phones, and accounts.

If you learn that an employee used personal assets and personal time to access a less-than-desirable site, that is not the company’s business, barring some tightly defined “reputational risk” based on the employee’s position or the directly-related nature of the company’s business.

If you receive specific allegations about misuse of company assets by specific employees, you would investigate just as you would any other reported misconduct.  Don’t rush to judgement, however. As the SHRM article reminds us, just because an employee’s work email account is used to create an Ashley Madison account doesn’t mean that employee is the one who opened the account, or that he or she knew anything about it.

The Ashley Madison hack/leak provides a reason to review and update existing policies, educate employees, and engage in discussion of the ethical questions it raises.

Please contact Ethical Advocate for a consultation or training on ethics, compliance, hotline implementation, and related topics.

References

Willens Max. “Thousands of Ashley Madison Clients about to Learn (The Hard Way) That Most Employers Monitor Email,” International Business Times, August 22, 2015. http://www.ibtimes.com/thousands-ashley-madison-clients-about-learn-hard-way-most-employers-monitor-email-2063792

Wright, Aliah D. “Ashley Madison Hack: A Cautionary Tale for HR,” Society for Human Resource Management website, August 22, 2015. http://www.ibtimes.com/thousands-ashley-madison-clients-about-learn-hard-way-most-employers-monitor-