A recent New Jersey case makes the point that you need to assume that everything you store on your work computer is accessible to your employer. It also highlights the need for even small companies to employ some reasonable level of system security.
The facts read like something that could make its way into the next season of "The Office." Employer hires ex-con employee out on probation to be a part-time bookkeeper, apparently looking past his conviction on 14 counts of forgery for stealing over $220,000 from an earlier employer. Employee is told that the computers are company property when he starts work, and soon becomes a trusted employee, rising to the level of full-time bookkeeper with broad, finance-related job duties that touch on a wide range of Employer's operations.
Employee also owns his own company, selling used computers and related items. Employer expands employee's duties further to include computers. Employer upgrades computer system and installs a network. Employees log in to the system by entering a common password -- cleverly set to be "password" -- and then their name.
Employer begins purchasing computers from employee, starting with a $1500 tower and then employee's used laptop. The laptop sale was a double score for employee, since he had used his boss's credit card to purchase the laptop originally and then paid the bill with a check that he had employer's system issue. Employee was not entirely self-centered; he did list the laptop as a company asset on the employer's depreciation schedules.
Employee next calls employer's payroll company and gives himself a raise, from about $40,000 per year to $125,000 per year. This, finally, is discovered and employee is sent packing. He leaves the computers behind, which are searched when the police are alerted to employee's creative asset enhancement program.
Employee -- now, again, a defendant -- moves to suppress the evidence of the computer search, claiming that the laptop -- the one he had purchased for himself with company money and then sold back to the company -- belonged to him. He also claims that the $1500 tower computer was his as well.
The bottom line: the employee had "no reasonable expectation of privacy in the personal information stored in his workplace computer." Employer owned the computers, they were kept in the company's offices, the employee was so advised when he started work, the tower was connected to the company network, the laptop contained business software, and other employees had equal access to the computers.
Employees: Know your rights . . . or lack thereof, where personal information and company computers are concerned.
Employers: Secure your systems and be wary of hiring serial fraudsters.
I wrote on this workplace privacy issue some months ago.
Thanks to the e-discovery law blog for this one.