We have several clients who have stated that they “need to have all employees’ passwords.” They don’t, and furthermore, after a brief explanation, they realize they don’t want them either. Here’s why.
Quite simply put, if you think you need your employee’s password, it means you do not have the appropriate level of access to your business information systems. You should never need another user’s password. If you think you do for some reason, you need to contact your IT support provider to arrange for the appropriate levels of access. If you need to run a program on an employee’s computer, you should not need to be logged on as that user – you should be able to run all programs as yourself.
Usually the reason an employer or manager will cite for wanting employee passwords is that they want to read their employees’ emails. The best way to do this is to have an email archiving program in place, which catches all incoming and outgoing messages. If you are checking up on employees by just looking at their inbox, you are not seeing the whole picture. For instance, messages stored in other folders, or ones that have been deleted, will not show up in the inbox. Only a comprehensive archiving and retention program will preserve every email.
So why is having their password so bad? First off, if your company policy does not explicitly state that this sort of action may be performed, you’re opening yourself and your company to a privacy violation lawsuit. (If you haven’t, check out the US Constitution’s Fourth Amendment for an interesting read.) Second, you could accidentally modify the contents of the employee’s email while logged in as them. Nothing says “big brother is watching” like accidentally deleting a message or marking it as “read” and then having your staff find out when they check their mail.
Finally, by knowing and using your employees’ passwords, you are making it more difficult, if not impossible, to terminate their employment with cause. If you have an employee’s password and they do something funky, you have no recourse when they say that you are the one who did something funky while posing as them!
Are you in possession of your staff’s passwords? Maybe now’s a good time to rethink that approach and put in place a good password policy that helps you manage without exposing you to additional liability.
Note: I am not a lawyer and I don’t offer legal advice.