June 22 update to this topic: Today the judge refused to block the release of the emails as Sebring and her lover requested. See http://www.desmoinesregister.com/article/20120622/NEWS/120622012/Judge-announces-decision-on-Sebring-email-release
In the past few weeks the use of emails at work has been in the news a lot in central Iowa, and the news quickly spread around the globe because of the sex and intrigue involved. Basically, approximately four months before the end of school, the Des Moines Superintendent of Schools at the time, Dr. Sebring, started sending what would end up being over 40 very personal and sexually explicit messages to
a man who was not part of the school system throughout most of her remaining tenure. The man was not her husband, but he was married. About the same time the explicit emails started, Sebring had given her notice to the Des Moines school board that she was resigning effective July 1 to go lead the Omaha school district. She ultimately will not be going to Omaha after all.
This still unfolding story certainly contains enough salacious content to understand the worldwide interest. It also concerned the Omaha district enough that they accepted Sebring’s resignation before she even had a chance to start. Even Sebring has said in court, as she is trying to block the further release of more messages, that the publicity has likely ruined not only her career, but will also ruin that of her lover who exchanged the messages with her, if his name is ever made public.
I’m not going to get into any discussions of the moral or ethical issues related to the contents of the emails. However, this situation points out four important lessons to everyone who uses a business email system:
- No one should ever send or receive sensitive personal email from a business email system. Even if they have already planned to leave their employer, they must still refrain from such use.
- You should not send email messages containing information to someone’s business email address if you would not want the business leaders there, or the entire world, to see it.
- Personal and explicit messages sent through business computers and systems could very well become widely known to the public in a very damaging and humiliating way. There are many e-discovery and open records laws that provide access to business email system.
- You can ruin your business, and possibly personal life, if you send non-business information using the business email system, and you could also ruin the lives of those you are exchanging the emails with.
This really is a sad situation to see play out in the media. Dr. Sebring truly had done a lot of really good things for the school district during the six years she has been here. My children have been in the Des Moines school district since they started school, and the schools they attend are now rated in the top 1% in the U.S. This email humiliation completely overshadows all the good she has done, and will leave her with a scandalous legacy she would certainly want to completely erase.
Currently Sebring and her as yet unnamed lover are awaiting word from a judge as to whether the remaining email messages can be kept from going public. Existing open records laws in Iowa, and the existing school district policies, make it highly unlikely that this type of gag request will be granted.
Inappropriate messaging is a long-time problem
The problems with workers using business email addresses for personal purposes are not new. Ever since there have been email systems, workers have been using the systems for non-business, and highly inappropriate fodder for the office, communications; even before email systems were connected to the Internet. I was first on an email system in 1988 at a large, multinational organization where only employees could message each other. There were several instances of wildly inappropriate messages that were discovered, even back then, between co-workers.
Dissecting the primary issues in the Sebring case
Here are some of the primary reasons that so many have gotten worked up about the Sebring situation, and some of the situations that businesses of all sizes need to consider when determining email policies and procedures.:
- There were many messages sent between Sebring and her lover using the school email system. The district’s technology policy forbids using school computers or email accounts for personal correspondence.
- Sending the messages with such sexually explicit content was also against the district’s technology policy forbidding the use of school for the exchange of sexually explicit materials.
- Sebring admitted that she knew the policies which prohibited the personal use of the email system. After she was caught she apologized for sending them and said what she did was wrong.
- Some of the messages were sent during school time. Many parents, and non-parents who wanted to throw in their 2 cents’ worth, worried aloud that if she was writing love messages during the school day then she wasn’t paying appropriate attention to her job duties.
- Sebring tried to delete the emails messages after the school board discovered them and confronted her. The email system backups and other settings reportedly prevented the emails from truly being completely removed.
- Under Iowa’s Freedom of Information law the email messages of state agencies, including the schools, are subject to public scrutiny.
- The school district did not have a policy that covered deleting the email messages of terminated employees as soon as they leave as Sebring claimed. Sebring has argued in court that her emails were being treated differently than other employees because they were not immediately deleted.
Common mistakes and misjudgments
Here are some of the reasons why people dig themselves into digital holes at work with regard to email, and other technology, misuse:
- Many long-established workers started using email for the first time at work, and now think of their work email address as an extension of themselves.
- Many younger workers have used some type of electronic messaging for so long that they now consider it a personal right to send and receive messages, whether they be personal or professional, at any time, and through any system available.
- Many workers think that there are so many emails sent through the system that no one would ever notice what they are sending.
- Many workers have tied their social networking accounts to their work email address. So, when an email is sent from a friend, or even stranger, on such a site, such as LinkedIn or Facebook, it is automatically forwarded to the business email address.
- Most social media sites provide for emails to be automatically sent whenever a comment, reply, etc. is made to a person’s wall, Twitter stream, or whatever the associated social network calls the person’s primary screen. These email notices contain the full message. So, even if you make a comment and then delete it right away, it likely will still exist in other places within that email notice to the account owner, and could be dug up later.
- Many workers believe that they have a right to privacy on work systems, regardless of what the policies say. Even Sebring stated in court when fighting the release of her messages on the school district’s email server, “every individual’s entitled to have a private life, even public employees.”
- Workers often don’t see a clear line between work messages and personal messages. For example, at the same time as the Sebring incident was percolating, an email message sent by a school worker in the neighboring community of Earlham about her son and a teacher was also raising eyebrows and bringing into question what as appropriate, and what truly was work related or personal in nature.
Businesses all need to do a better job communicating their messaging policies, and providing regular training and ongoing awareness communications for messaging. Too many business leaders see emails as being an old topic that is no longer worthy of mention. How wrong they are!
Messaging privacy and security
All organizations, from the smallest to the largest, need to ensure their workers know, understand, and consistently follow their messaging policies and procedures. Here are some actions all businesses need to take to address this long-time important topic:
- Establish information security and privacy policies covering all types of electronic messaging; not only for emails, but also for texting, instant messaging, and every other type of messaging that employees use.
- Be sure to include directives covering how personal email accounts should and should not be connected with, or used for forwarding, business emails; especially emails from social networking sites such as LinkedIn, Twitter, Facebook, and so on.
- Ensure each department or business unit establishes procedures that fit their business responsibilities and practices, in support of the enterprise messaging policies.
- Provide regular training that covers information security and privacy related to all types of electronic messaging.
- Send ongoing communications reminding workers what they should, and should not, be doing with business messaging systems and business communications that may be sent and received on personally owned devices.
Never assume that everyone knows what is and is not acceptable with regard to messaging. That assumption could lead to not only problems for your workers, but also for your organization, and to the others outside of the organization with whom your workers are communicating.
Bottom line for all organizations, from the largest to the smallest: You need to establish messaging policies that clearly communicate that all emails sent through the company email system are subject to monitoring, and that no one using the system should have any expectation of privacy for the messages. And certainly make clear to workers that if they have any type of digital communications they want to keep private that they’d better use their own personally-owned devices, preferably that are not also used for work purposes, to send and receive them.
Other Information about messaging security and privacy
Here are some additional cases of email and messaging uproar within work environments, along with some good resources and articles to assist you with improving your own personal, and organizational, messaging practices:
- Workplace Privacy and Employee Monitoring from the Privacy Rights Clearinghouse
- When can agencies monitor your email? FDA case sparks debate over policy
- What’s OK in office communications? It’s not always clear – Omaha World
- Employee Privacy-What Can Employers Monitor?
- Britain to snoop on every email, SMS, phone call
- Israel’s National Labor Court Imposes Strict Limits on Employee Monitoring
This post was written as part of the IBM for Midsize Business (http://goo.gl/VQ40C) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Tags: awareness, breach, compliance, Des Moines, e-mail, electronic mail, email, IBM, Information Security, information technology, infosec, Iowa, IT security, messaging, midmarket, non-compliance, Omaha, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, public school, Rebecca Herold, Sebring, security, sensitive personal information, SPI, systems security, training