Friend sent me sensitive work content - data protection breach?

[Hollywood-Tourist]

So one of my good friends (manager of the office) has just emailed me a photo of a resignation letter of a colleague who has just quit and also a photo of her employers company accounts where she joked that they are a cr*p company to work for (hence the colleague leaving) and that their sales figures were down due to Covid-19.

She called me soon after saying that she is now worried that she thinks that she's breached the data protection policy and that this could be considered gross misconduct if her employer was to be made aware of this and that she could be sacked?

I told her she was stupid to do what she did and that if anyting happens, then she needs to take responsibility.

Does anyone agree with this that she is wrong? I've told her to delete the photos she took immediately.

[basil67]

Of course she was wrong.  Why do you have any doubt?

[CautiouslyOptimistic]

It is probably unlikely she will get caught unless she used a company phone and they are in the habit of hiring a high tech forensics company to keep tabs on stuff like that, but yes, she was totally wrong.  

[Hollywood-Tourist]

2 minutes ago, basil67 said:

Of course she was wrong.  Why do you have any doubt?

I mean deep down I know that she was wrong. I guess I'm just afraid for her that she will posssibly be held accountable for this in some way whether that is dismissal or a warning/disciplinary.

She loves her job.

Just now, CautiouslyOptimistic said:

It is probably unlikely she will get caught unless she used a company phone and they are in the habit of hiring a high tech forensics company to keep tabs on stuff like that, but yes, she was totally wrong.  

From what I can make from the photos, they were taken on her personal mobile phone and emailed to me.

[CautiouslyOptimistic]

Just now, Hollywood-Tourist said:

From what I can make from the photos, they were taken on her personal mobile phone and emailed to me.

From a work email or her personal email?

[basil67]

And if they found out and she lost her job, then she deserves it.   The fact that she's a nice person has nothing to do with it.

[Hollywood-Tourist]

1 minute ago, CautiouslyOptimistic said:

From a work email or her personal email?

These were emailed to me from her work email account and also WhatsApp to me from her personal mobile phone.

I don't know what she was thinking and why she's been so stupid.

[CautiouslyOptimistic]

Just now, Hollywood-Tourist said:

These were emailed to me from her work email account

Oh dear.  Well, she should be on edge, but it's more likely than not she won't get caught.  Still.....I'd be paranoid....

[Hollywood-Tourist]

1 minute ago, basil67 said:

And if they found out and she lost her job, then she deserves it.   The fact that she's a nice person has nothing to do with it.

You're right. You could be the best employee in the world and be good at your job, but mess up like she did and you'd be out that door quicker than you can say sorry.

I really think she has committed career suicide by this idiotic move. Why couldn't she just have told me about it and not have to send photos to back her claims up?

[Hollywood-Tourist]

1 minute ago, CautiouslyOptimistic said:

Oh dear.  Well, she should be on edge, but it's more likely than not she won't get caught.  Still.....I'd be paranoid....

She is in panic mode now and I've told her not to do anything else yet other than to tell her boss what she's done and own up to it. 

It might not change the outcome of her employers decision, but it's sure as heck the right thing to do is be honest and admit responsibility before it goes to them.

[basil67]

2 minutes ago, CautiouslyOptimistic said:

Oh dear.  Well, she should be on edge, but it's more likely than not she won't get caught.  Still.....I'd be paranoid....

My husband's work's IT does find and flag stuff like this.  

[basil67]

5 minutes ago, Hollywood-Tourist said:

You're right. You could be the best employee in the world and be good at your job, but mess up like she did and you'd be out that door quicker than you can say sorry.

I really think she has committed career suicide by this idiotic move. Why couldn't she just have told me about it and not have to send photos to back her claims up?

Because she didn't think.

[Hollywood-Tourist]

1 minute ago, basil67 said:

Because she didn't think.

Agreed.

What's your opinion on what could happen?

I think if her bosses find out without her bringing it to their attention then she's a goner.

[lana-banana]

She emailed you proprietary customer and account information?! What in the world was she thinking?! 

You are right that confessing immediately might help her to keep her job, but if her IT department is even remotely competent they should have gotten an alert the second she sent an attachment from a work email to a non-work address, and they should now be in the process of triaging the incident. 

I don't know what else to tell you. Yeah, she definitely could be sacked. It's one thing to forward a funny email or screenshot, but sensitive company information is so far into the realm of inappropriate (and possibly illegal depending on the circumstances) that I really have to question her judgment. She may well be fired anyway. We work with particularly sensitive information and have a very aggressive IT staff. If she tried that here she'd have her accounts turned off within the hour and would be escorted out. Then again, I used to work for the government, where it was even more intense and walking out with any kind of paperwork could land you in jail.

 

Edited July 23, 2020 by lana-banana

[basil67]

1 minute ago, Hollywood-Tourist said:

Agreed.

What's your opinion on what could happen?

I think if her bosses find out without her bringing it to their attention then she's a goner.

I think she's a goner even if she does bring it to their attention.   Is the company big enough to have a competent IT department?

[Hollywood-Tourist]

1 minute ago, basil67 said:

I think she's a goner even if she does bring it to their attention.   Is the company big enough to have a competent IT department?

As far as I know the company is a very big UK nationwide business with many offices up and down the country.

I'm worried for her of course and am very surprised at her actions. She is normally a very sensible person with a logical and professional approach to business.

I guess this is in the hands of her employer now. I will keep this lage updated as and when she informs me of developments.

[lana-banana]

I was so appalled by her sending proprietary information that I completely forgot about how she also trashed her company in the email. Yeah, she's hosed. I would expect a phone call telling her not to bother coming in tomorrow.

[Shining One]

35 minutes ago, lana-banana said:

You are right that confessing immediately might help her to keep her job, but if her IT department is even remotely competent they should have gotten an alert the second she sent an attachment from a work email to a non-work address, and they should now be in the process of triaging the incident.

Allow me to professionally disagree. This is more a question of company policy, not IT competence. If it were company policy to not allow emails with attachments to external addresses, a competent IT department would have email policies in place that prevent those emails from going out in the first place.

[lana-banana]

12 minutes ago, Shining One said:

Allow me to professionally disagree. This is more a question of company policy, not IT competence. If it were company policy to not allow emails with attachments to external addresses, a competent IT department would have email policies in place that prevent those emails from going out in the first place.

Maybe, maybe not. Plenty of places simply set alerts rather than completely disable the capability, because there are times when it's necessary/unavoidable and there are certain roles where it may be permissible. Our company alerts every time somebody uses a work device to send an email outside the intranet, but we don't block it outright because said alert is almost never a problem (it's usually somebody forwarding a photograph or a calendar reminder). And as an office manager she may have more authorities than a line employee.

I don't know what her IT department is like, I just meant that it's very unlikely that her she sending an attachment outside the network went unnoticed even if there's not a firm rule or policy prohibiting it.

 

Edited July 23, 2020 by lana-banana

[Hollywood-Tourist]

This actually gets worse!

So I've just received a phone call from her saying that an outsider to her and the business has contacted the Head Office of her employer because they too actually received a copy of the email in error.

It turns out that the particular day she sent me the email, she'd had a bad day at work, was the last to leave the office that day and she had opened a small bottle of wine to 'help her deal with her cr*p day' and basically thought she'd emailed me only the stuff that she sent. But it turns out that a similar email address was inadvertently also sent to someone neither of us know and this person has received the data and made a complaint.

All I know is that she said that her reputation is tarnished and that an investigation is being pursued against her.

She's actually unbelievable, I'm disappointed in her.

[lana-banana]

Never drink near a work device. That's just common sense. (Granted I think most of us, even when hammered, wouldn't send out our employers' most sensitive information. Does your friend have a problem with alcohol? Is something else going on emotionally?)

I am very sorry about your friend. I really hope she isn't prosecuted and they just let her go without any additional fuss. The amount of trouble she is in will certainly keep her from doing anything like that in the future. It's a good thing it also went out to someone responsible enough to do the right thing. What if it had gone to a competitor or somebody just looking to make a quick profit off of inside information? It's very sad all around. 

[Hollywood-Tourist]

7 minutes ago, lana-banana said:

Never drink near a work device. That's just common sense. (Granted I think most of us, even when hammered, wouldn't send out our employers' most sensitive information. Does your friend have a problem with alcohol? Is something else going on emotionally?)

I am very sorry about your friend. I really hope she isn't prosecuted and they just let her go without any additional fuss. The amount of trouble she is in will certainly keep her from doing anything like that in the future. It's a good thing it also went out to someone responsible enough to do the right thing. What if it had gone to a competitor or somebody just looking to make a quick profit off of inside information? It's very sad all around. 

She does have a problem with alcohol yes and to my knowledge has done nothing to stop the vicious cycle and habit of it. She has struggled with this drink problem for well over 20yrs.

As far as I know nothing else is bothering her in her life other than she suffers from anxiety and depression too.

When you say that they should let her go without any additional fuss, do you mean dismiss her from her position? I think that would be the best thing to do as if they didn't, that would be telling her that what she did was OK and obviously that isn't right or acceptable.

I think she will have to take this as a very painful message that what she did wasn't acceptable and that there are consequences to her actions.

It's hard to have sympathy for her in this case really 

She is obviously troubled.

[lana-banana]

7 hours ago, Hollywood-Tourist said:

She does have a problem with alcohol yes and to my knowledge has done nothing to stop the vicious cycle and habit of it. She has struggled with this drink problem for well over 20yrs.

As far as I know nothing else is bothering her in her life other than she suffers from anxiety and depression too.

When you say that they should let her go without any additional fuss, do you mean dismiss her from her position? I think that would be the best thing to do as if they didn't, that would be telling her that what she did was OK and obviously that isn't right or acceptable.

I think she will have to take this as a very painful message that what she did wasn't acceptable and that there are consequences to her actions.

It's hard to have sympathy for her in this case really 

She is obviously troubled.

I think it's very unlikely that she will keep her job. I'm honestly quite surprised that she hasn't been fired already, but that could be a matter of labor laws. In the course of my career I've only seen two people fired for intentional security violations, and in both cases the people had their accounts disconnected and were walked out of the building before they could even tell anyone what they did. 

I also don't think that if they did allow her to keep her job, it "would be telling her that what she did was OK". It's clear what she did was inappropriate and potentially against the law. But if she has a long history with the company or a completely clean track record, they may choose to simply demote her. And if lawyers get involved, they may come to some sort of settlement related to her getting treatment for alcohol abuse. 

It may be hard to sympathize, but you should try, because she's your friend and she has made a life-altering mistake. Be kind to her. She is no doubt beating herself up enough.

[Hollywood-Tourist]

12 hours ago, lana-banana said:

I think it's very unlikely that she will keep her job. I'm honestly quite surprised that she hasn't been fired already, but that could be a matter of labor laws. In the course of my career I've only seen two people fired for intentional security violations, and in both cases the people had their accounts disconnected and were walked out of the building before they could even tell anyone what they did. 

I also don't think that if they did allow her to keep her job, it "would be telling her that what she did was OK". It's clear what she did was inappropriate and potentially against the law. But if she has a long history with the company or a completely clean track record, they may choose to simply demote her. And if lawyers get involved, they may come to some sort of settlement related to her getting treatment for alcohol abuse. 

It may be hard to sympathize, but you should try, because she's your friend and she has made a life-altering mistake. Be kind to her. She is no doubt beating herself up enough.

As far as I know, her bosses are investigating her but she hasn't said if she's suspended or not.

She did sound very angry of course and is probably annoyed at herself for all that has happened.

[basil67]

If she's angry with herself, that's a good thing.   If she's angry with her bosses, then it's a problem.   We all make mistakes, but those of us who have emotional maturity immediately recognise when we are the problem (even when provoked) and take responsibility for our actions.