In case you missed it earlier this week, Rocky Mountain Bank in Wilson, Wyo., got a court order requiring Google to deactivate a certain Gmail account. A bank employee had inadvertently sent an e-mail containing the financial information of more than 1,300 bank customers to the Gmail address, and the account owner did not respond to the bank's request to destroy the information and contact the bank.
Google complied with the order and then worked with the bank to resolve the issue. Since it turned out the Gmail account owner had not opened the e-mail, it was deleted, the case was dismissed, and the Gmail account was reinstated. What I find most interesting, though, is this: According to CNET News blogger Elinor Mills, the bank did nothing to the employee who sent the e-mail to the random Gmail address. Makes sense, generally. No harm, no foul, right?
Contrast that with this situation, detailed by Compliance Week editor Matt Kelly back in August. He wrote:
Twice in the last month, workers at retail-oriented companies have foiled thieves trying to steal goods, and been fired for it. First, a teller at a Key Bank branch in Seattle chased a man who tried to rob the bank, and then held him in submission until police arrived. Several weeks later, a shoplifter at a Best Buy in Broomfield, Colo., ran off with some electronics; two clerks ran after him and tackled him in the parking lot. All three men showed impressive bravery. They also violated company policy about handling thieves, and are now on the unemployment line.
In both cases, there was a violation of company policy. The first employee sent protected information to an unauthorized recipient. The employees in the second set of examples chased after thieves. Yet those responsible in each case reached opposite conclusions as to how the violations should be addressed. I'm not a compliance professional or a risk officer, but it seems the action taken by the employers was misguided in each case.
The first employee's actions resulted in no harm to the company only because the recipient never opened the e-mail containing the sensitive information. And the bank went to the trouble and expense of securing a court order and negotiating a resolution with Google, but no action was taken against the employee? Shouldn't that person at least receive additional training regarding when and where and to whom certain information can be sent?
The actions of the employees who chased after thieves, on the other hand, saved the companies they worked for from losses. Yet they were rewarded with pink slips. I have to agree with Kelly on this one: If that result doesn't give a compliance officer pause, he or she is not doing his or her job "thoughtfully enough." So what should have been done instead? Kelly has the right idea here. Rather than termination, how about a temporary suspension, coupled with an "employee of the month" award?
It seems paradoxical, but compliance isn't always going to be black and white.