Today, we’re talking about the importance of privacy and email addresses for your employees, inspired by a chiropractic office that allegedly got locked out of their website by an employee who was demanding a ransom. Allowing employees to use their personal email addresses for various business activities sets you up for trouble in more ways than we can list… Giving your employees company emails solves so many problems. Let’s talk about it and how those emails can protect you and your business in this week’s episode of What the Hell Just Happened?! with Paul Edwards and guest Ally Dagnino.
Related Links
Transcript
Voice Over: You’re about to listen to an episode of What the Hell Just Happened. Join Paul Edwards and his guests as they discuss interesting topics and solve some of our listeners’ submitted questions.
Paul: And occasionally I’ll go off HR topic and talk about whatever I want to talk about. Think barbecue. Space exploration. Technology. Money. Managing. Business. Things that interest all of us.
Voice Over: We get a lot of e-mails with questions. Stay tuned for details on how you can submit yours to the show. And now let’s get started.
Paul: On today’s episode we’re just going to give some practical guidance here. It’s a repeated issue that I see posted online all the time. You’re always seeing stories where some employee has left and the company has, and it happens to small businesses in particular, the company somehow loses control of the system like their website. We’re going to talk about a, you know, a story that was in the news about someone hijacking a website that belonged to a chiropractic office and then allegedly even using their control over that site to try to get the company to pay them some money in return for letting them in. And so, today we’re going to talk about the importance of privacy and email addresses for all of your employees. And I know it’s going to be riveting.
Paul: So I’m kind of excited about today’s podcast, Ally. Everybody, Ally. Welcome, Ally. Ally. First of all, I just want to say what the hell just happened is that the temperature went up high enough here in the morning that I was able to ride my motorcycle to work. And I don’t know if Ally, you’re not excited about that at all.
Ally: I also rode my motorcycle to work.
Paul: You did? Oh good. Do you have a motorcycle?
Ally: Yeah, It looks like an ‘07 Corolla, but it’s a motorcycle.
Paul: Motorcycle in your mind? I like that. Do you wear a helmet?
Ally: No, no. Safety features are pretty strong.
Paul: I’m going to get you a helmet because I think that would complete the whole thing on the way to work.If you wear a helmet in your Corolla. I got to ride my motorcycle into work, and we have lane filtering now here in Arizona. Not lane splitting. So lane splitting is when that guy goes flying by you and breaks your, you know, goes in between the cars and breaks your side view mirror?
Ally: Oh that stresses me out.
Paul: Yeah it stresses me out too. I would never split. But lane filtering, we have a new law that says that if you’re going, I think it’s under 20 miles an hour, you can…when there’s two lanes of traffic going in the same direction, you can weave between, gently, weave between the two, and you can take the first position at the front of the line. Well there are people who, morally, are upset with that [laughs] in their cars, and it’s like one in ten now. It was a lot more when it first started a year ago, but it happened this morning where somebody wanted to pull up and yell at me for being a butt head, for breaking the rules. Which, I’m not breaking the rules.
And it’s actually much safer for me. So that’s what the hell just happened. Anyway, everyone, welcome to the podcast. So far what you’ve learned is, that there’s lane filtering in Arizona and Ally’s going to start wearing a helmet inside her car on the way to work so it feels more like a motorcycle. Okay. We’re not sure what the title of this podcast is yet, but I’ll just share with you that in the initial notes, I typed ‘Please, please, please, please. For God’s sake, give your employees their own email addresses which are attached to your company’. Right. But that’s probably not what this podcast is all about.
Ally: I think we’re going to talk a lot about emails, but yeah, about a few other things too.
Paul: Yeah, it’s still going on. ‘It’ being that, because we have that over at CEDR, we have our own software, human resource information software, people input their employees’ emails in and they’re putting in their personal emails as their work emails for the most part. And it presents some problems. I have a story. You want to hear my story?
Ally: Yeah, let’s hear it.
Paul: You just got to trust me, everybody, this ties back in. This… many years ago and I could talk about this because this doctor is retired and so I’m not revealing anything. This is like, over a decade ago. We had an instance where an employee was not only stealing from the practice, but she was really being a… if that’s not big enough butt headed-ness, she was also being a bigger butt head. So, the end of the story is that we were able to look into the system, the practice’s system, and the reason why we were able to do that is because we had a policy in place. They had a policy, which we had helped them with, that all of our members over at CEDR have, which is just removing the employee’s expectation of privacy when they’re on the company’s systems.
And this is important. And it’s also putting employees on notice, like, “Don’t, you know…we can see what’s going on. If we look in, it doesn’t mean we’re always looking in, but if we do look and just know that we can look in our own systems and see what’s going on”. So that’s the reason for my ‘Please, please, please create your own emails’, because once you create company emails for people and put it in their position, you know, maybe attached to the position, which is, you know, “frontdesk@mypractice.com, officemanager@mypractice.com, hygienedepartment@mypractice.com”. Not to say that you can’t have, you know, their first name and last name or whatever @yourpractice.com. But I think that’s the first step Anyway we…you know, this is a little tricky, this story I’m sharing because the thing that turned out was actually in her personal email. And so an argument was made in court that what was found in that email could not be introduced because they had an expectation of privacy. Unfortunately for her, I don’t think her attorney read the employee handbook. And it was pretty quickly pointed out that that policy was in place, that she had acknowledged it. And in the end, we have her bragging about stealing, and then also telling, uh talking to her boyfriend who lived in another city saying that there was some kind of event going on there that the practice was sending everybody to, and she was going to go to the event and not return. And so she was joking around about how she was also going to get her her trip paid to move to be with her boyfriend. And she was saying lots of bad things about the doctor. And just anyway, she ended up doing a couple of years in jail for it in the end. That said, it was really tricky because they were trying to work through introducing something that was in her personal email and only, you know, again, I’ll say it again because of the policy, it kind of worked out. I don’t know if it always works out that way, which is another reason to use company emails.
Ally: Yeah. It might not work out. And like you said, you could skip all those extra steps in the middle. You could have had it just gone straight to the work email.
Paul: Yeah. So I think we may have really kind of just almost jumped to the end here, but we have more. What more do we have?
Ally: We do have more. So I feel like a lot of the time we talk about stuff on here because we’re like “This crazy story came up” and we do have a story for today. Aside from your story, that’s very relevant to the industries that we work in. Which is why it was particularly interesting. Sometimes it’s industries that are completely out of the realm of CEDR members.
Still relevant, you know?
Paul: Yeah, we’re all employers, same rules.
Ally: But this one is an industry that we work with. But before I say all of that, I want to point out that we’re not talking about this simply because you have a wild story, and this is a wild story, this is something that CEDR talks to members about every single day.
Paul: Yeah. So you see this in the queue. There’s something going on.
Ally: It either comes up in the queue, but also when someone signs up and they’re speaking to our member engagement team for the first time and they’re getting a walkthrough of how to sign up for the Vault, they’re told at that point, “Hey, do you have employee emails for everyone?
Because we strongly recommend that when you put your employees in the Vault, you give them a work email”. So I won’t get into all of that. But what prompted this podcast was a woman in a chiropractor’s office was terminated.
Paul: Oh this was this was in the news.
Ally: This was in the news.
Paul: This wasn’t one of our members.Could have been but it wasn’t.
Ally: Yeah, I actually didn’t look that up, but this is very recent. Woman was terminated and then allegedly she actually had her court date scheduled for the beginning of March. And I tried to do some research and see if there were updates.
Paul: What was the court date?
Ally: I think it was March 6th.
Paul: Oh. so, okay. So the court date was about the practice. The practice. Okay. Yeah. Tell the story.
Ally: So the woman was separated and then allegedly basically changed the password to their website, and then held it for ransom because her personal email was what she was able to use to log into the company website. Held up for ransom. She was asking for like the equivalent of her three years that she’d been there in pay to get it back. Yeah. So like I said, alleged her court date, hadn’t happened, apparently she was denying it. So we don’t know if all of that’s true. Right. But it’s a really good example of why having an employee use their personal email for any company sites, any company documents, any company files can really come back to bite you in the butt.
Paul: Well, in this instance, I think probably she’s in court because there’s some kind of extortion thing going on there. And that’s why they jumped on her that way. However, our point here is none of that would have happened if you had been using office manager@thatchiropracticpractice.com because you would own the domain, you would own the email address and you could simply log in as them.
Ally: And the issue doesn’t always have to be that dramatic, right? The issue could simply be that you separate and it was Susie@gmail.com. That’s the log in for that. And now you don’t have access to it because Susie…Susie’s pissed that she got terminated and she has no intention of getting back to you. You know, and she’s holding it hostage in a different way.
Paul: So, and we see this quite often, more often than I care to see it. We see that the problem. Yeah, the ticket is, is she was using her own personal email and, and this except for insert whatever this information is into the space here and this information that belongs to the practice or is about the practice was going to her personal email. She was getting the notices from our bank if we were, when deposits were being made it was going to her email.
Now you don’t have a trail. You can’t even go back and investigate easily by looking in that company email to see how many, you know, emails came in from, you know, I was going to name a bank. I just don’t want to ever seem to endorse any bank on the face of the Earth.
Ally: No banks are endorsed by What the Hell Just Happened.
Ally: Yeah, the banks are. Yeah. I mean, you’ve you’ve got the risk, obviously. Like you just said, you don’t have access to that information in her account anymore. There is the risk of you getting locked out of whatever company site or important page that you need to get to. And then there’s also the risk of that employee now having all of that information.
Paul: Right, that they maybe shouldn’t have ever had going to their Yahoo account because it’s got PHI in it.
Ally: And like, you know, I think the the majority of the time, nothing’s going to happen from that. The employer will delete that stuff, you know, wipe their hands of the time of the practice. But it’s a real risk and a lot more can come from it. And just in general, you don’t want, you know, whether it’s financial information, login information, stuff for your website, security information, you know, those aren’t things that you want someone who doesn’t work at your practice to have anymore.
Paul: Okay. So this practice of giving people company emails I equate with, because it solves so many problems like these things that we get, we’re not even going to cover all the different ways that you might have been able to short circuit a problem because you automatically have access to that person’s email. I kind of equate it with how many times we ask, “Did you give them a job description?” when they call in, when our members at CEDR call in and they have some kind of an issue. And the problem can really be solved by presenting the job description to the EEOC or to an unemployment hearing or in so many other contexts. It’s just the thing you should do.
Ally: Right. It should be the default.
Paul: It should be the default. And, you know, I know that it used to be a little bit difficult to do this.. because, look, I come from before Gmail and so we had emails for our domains. We could get them, but it was a kind of a third-party company that just sort of… that was their job, that was their role. And it could get a little complicated. And then they would, and I think even Gmail does this, they would meter the number that you could create, charge you more if you did, you know, if you did this or that. But nonetheless, you know, you could you could get it done, but it was difficult. Now, it’s not that difficult. You really can. If you’re using Gmail, you can it doesn’t have to be, you know, yourname@gmail.com. It becomes, you know, your name at whatever your domain is. And Gmail hosts that part of your email stuff. So doing this is not very difficult and it should be something that is just part of your part and parcel. And, you know, I like the issue. I like the idea of issuing them to positions. But at some point you have more employees than you have, you know, office manager. So, you know, you use their name and then you just you just own that email and then, you know, it really does fit into other things like Slack channels and to Google Workspaces. And, you know, these are all forms of Slack channels. If you’re using something like Asana, you know, to manage projects or, you know, something along those lines, again, you want all of that stuff tied back into your own email addresses because those systems are using those email addresses to authenticate. And you know, I’m going to say Asana again because I’m hoping they’re going to get in touch because unlike the banks…
Ally: Can we say we endorse them? No.
Paul: Can we say that we endorse Asana? So can we say that we’ve been using it for like six years and it’s awesome and it keeps getting smaller? Ally, I wanted to bring up one other kind of thing, just because it’s in my notes here and it’s in bold, I think it’s a note you made, which is don’t share passwords. Don’t share you know, don’t share email passwords.
This gives you a lot more control over that because you can just go in and hit reset and then go into their email and and and see what the reset is for the system that they were in charge of.
Ally: Yes. Yeah, exactly. The note that I made about sharing passwords, you know, we’re talking a lot about emails here. That was a little bit. We also wanted to touch a little bit on just privacy, you know, electronic privacy in general. In the office. You know, when you have access to the emails, like you said, you can go ahead and just reset the password should that person leave or should you, for whatever reason, not want that person to have access to that part of your company anymore.
Paul: And you also forward it to yourself. I mean, that’s the awesome thing you can do in the interim while you’re replacing someone else.You can see what’s going on in the system, which is very, very helpful. Wait a minute, I have a point to make.
Ally: Sure.
Paul: Hold your thought. Here’s the other thing. If you’re running your business right, you’re letting go of a lot of different things.
Ally: Yeah.
Paul: And other people are in charge of it. And if you’re growing, I say this jokingly. You become a victim of your own success because you have to give more and more responsibility to other people and let them do their jobs. And part of that is, is different people curate different systems. We use a different customer support system than we do as a marketing system. And different people are in charge of those things and they’re the primary people who are getting the emails from those accounts. Like, you know, “Hey, your credit card failed”. I mean, that’s a really good example, right there. You would know that your credit card is failing on some key thing because you just gave that over to somebody else to manage.
Ally: Yeah and I mean, putting that into perspective, if you were getting all of those emails as the owner of the business, when would you find that email? Like I don’t even want to know what your inbox looks like. You know what I mean? That would be lost. So being able to, like you said, delegate all of that stuff because you have the measures in place…
Paul: To be able to reclaim everything, even if it’s temporarily before you hand it back off to somebody. All right. So I honestly can’t believe that I just did a whole podcast on email addresses and trying to get people to use work email addresses. But there’s one last thing before we go that I want to cover, which is, that’s just from our experience. What are the steps when someone leaves? Like around email and changing systems. Can we give people something they could take away from this other than they can wear helmets in their cars?
Ally: [laughs] When an employee just has a personal email, the steps surrounding what to do with their email when they leave don’t really exist. Because you can’t do anything. But when you have a work email, you know, our HR department here. As soon as someone leaves, whether they were separated or they voluntarily left, they immediately go in and take away access to-
Paul: So take away access to the email.
Ally: Take away access to the email, take away access to any, you know, other system. For example us we use the Vault every single day. Obviously, take away their ability to log in to that post-separation.
Paul: Turn them off in the systems. We’ve had so many times where an employee gets mad because they’re being separated, they go sit down, start deleting appointments and stuff and like your only recourse is to drag them away from the computer and now they charge you with laying your hands on them. I mean, and this is not a rare occurrence. So we always say, you know, before you let someone know that they’re going, if you think it’s going to be contentious, turn off the systems.
Ally: And then importantly and again, why the work email is so essential, is we go in and forward that person’s emails to typically their department manager. That’s usually how it goes to make sure that things aren’t getting missed. Yeah, exactly. Because there’s things that are going to come in and immediately after that person separated-
Paul: Projects that they’ve been on, even internally that you might want to be reminded about.
Ally: Any communications outside of the company for a project that that person was working on kind of thing that, whoever they’re communicating with might not know to contact anybody else, you know. So it’s just a way to make sure that communications keep flowing despite this person leaving and without the work email, that’s so much harder to do.
Paul: We are such HR nerds. We are so down the rabbit hole right now. I don’t think anybody else in podcasting is doing this kind of cutting-edge podcasting right now, Ally.
Ally: It’s like you said earlier, this comes through the queue all the time. And I mean, we…the goal is to talk to a member before it ever gets to a point where someone has hijacked their website or someone is stealing from the company and e-mailing their boyfriend about it.
Which is why this is important.
Paul: Yeah. Yeah. Okay. So what the hell just happened is someone left and you didn’t have control of your systems because they were using their Yahoo account from…Fine, I have a Yahoo account. Fine.
Ally: I still have an AOL account.
Paul: Oh! Wow.
Ally: I mean, it’s not…I have a Gmail account for, like, my real life.
Paul: But you can’t let go of the AOL.
Ally: Well, they well, you know, when you’re at the grocery store and they’re like, “Do you want to put in your email for 20% off?” And I’m like, “Yeah, but I don’t want your email”
Paul: I don’t actually want to get the emails, yeah., I think we’re all doing that.
Ally: 20 year old account.
Paul: All right, everybody, you just heard What the Hell Just Happened. Get your helmets. Thanks, Ally.
Ally: Bye.
Voice Over: Thanks for joining us for this week’s episode of What the Hell Just Happened. If you have an HR issue question or just want to add a comment about something Paul said, record it on your phone and send to podcast@WTHJustHappened.com. We might even ask if we can play it on the show. Don’t forget to like and subscribe and join us again next week.
