Ashley Madison Hack: A Cautionary Tale for HR

Experts encourage HR practitioners to enforce computer use policies

By Aliah D. Wright Aug 24, 2015
LIKE SAVE PRINT
Reuse Permissions

Millions of people have used their work e-mail addresses to register on a dating site for married cheaters, yet experts are cautioning employers against deliberately prying into employees' personal affairs.

Instead, HR professionals and labor attorneys are urging their peers to re-send policies on the proper use of company e-mail—and to remind employees that when it comes to the computers they use for work, they have no expectation of privacy.

On Aug. 18, according to media reports, hackers calling themselves "the Impact Team" posted data from 37 million Ashley Madison subscribers to the Internet, making good on threats they had issued in July. They reportedly dumped the data because the owner of the Toronto-based website refused to shut the site down. Leaked information from the Ashley Madison site—which sports the motto "Life is Short. Have an Affair."—included names, e-mails, member profiles, credit card data, street names, phone numbers, likes, dislikes and, reportedly, sexual preferences.

On Aug. 21, The Daily Mail reported that the hackers also have naked photos and explicit chats between users. Websites have cropped up allowing users to search for names and e-mail addresses allegedly found in the leak. The FBI is reportedly investigating the hack.

According to the Associated Press, "hundreds of U.S. government employees—including some with sensitive jobs in the White House, Congress and law enforcement agencies—used Internet connections in their federal offices to access and pay membership fees to the cheating website Ashley Madison." AP declined to name any specific employees.

The Irish Independentthe Edmonton Sun in Canada and other news outlets worldwide are reporting that companies and governments in their jurisdictions have had their e-mail addresses exposed in the hack. Governments and companies in IllinoisOhio and Arizona have researched the hacked information and found that employees used work-related e-mail addresses to register.

It's a big deal. Adultery is a crime in some U.S. states, and Defense Secretary Ash Carter has said that the Pentagon is researching the names of people who used military addresses to register for the site. "Of course it's an issue because conduct is very important and we expect good conduct on the part of our people," Carter said. The military considers adultery a punishable offense, and punishment can include jail time.

What Should HR Do?

Well, HR staff should not sift through Ashley Madison's hacked information, experts said. Attorney Louis L. Chodoff, a partner with Ballard Spahr in Cherry Hill, N.J., told SHRM Online in a phone interview that the first thing HR professionals should do is "make sure their e-mail policies are up to date and clear, and advise employees that computers and the Internet should only be used for business purposes, and that the company can access and monitor [their] Internet use. There should be no expectation of privacy," he said, especially if an employee is using the company computer for personal reasons.

Generally, HR practitioners said, employees need to be made aware that work computers are for work purposes.

"I would prefer that we use this case as an example for employees to understand their work e-mail is for work use and that websites like these should be accessed from their personal computers and phones and during off hours," added Jessica Miller-Merrell, SHRM-SCP. She is chief strategist and consultant with Xceptional HR in San Francisco and chief blogger for Blogging4Jobs.com, which is planning a podcast on the hack later this week.

"Remind them they are representing an organization, but understand that many state employment laws protect against termination for activities outside of work," she said. In general, employees need to separate their private lives from their professional lives.

"Every HR official should leverage the ashleymadison.com and Hilary Clinton e-mail controversies to remind employees about the risks and ramifications of using employer resources for personal reasons," Hezekiah Herrera, a diversity consultant and corporate communications specialist in San Diego, told SHRM Online. "I would caution that organizations not embark on a deliberate query of improper e-mail use, but instead issue a reminder of standing policy or institute a signed agreement regarding improper use of company resources, including e-mail."

To Fire or Not to Fire?

Herrera's comments echoed those in an article written by Philadelphia-based labor attorney Jonathan Segal, a partner in the employment practice group of Duane Morris. Writing for Entrepreneur Magazine in an article titled 9 Questions Employers Need to Answer Before Firing an Ashley Madison Customer, Segal wrote that employers should consider their "reputational risk" when making the decision to terminate an employee: "Reputational risk has two key elements: the nature of your business and the nature of the employee's job. If your organization provides marital counseling, then the employee's membership, now known to the public, could affect your organization's reputation. The same would be true for faith-based organizations. But what if you are producing a product or selling a service that has nothing to do with 'marriage' or 'morality'? In those cases, evaluating the reputational risk depends on the employee's position," Segal wrote. HR should not be investigating whether or not their employees used the site, Segal and other human resource professionals cautioned.

"Don't ask. Don't look," Segal told SHRM Online in a separate phone interview. However, if it's brought to their attention, HR may want to act depending on a host of factors, including whether or not there is cause to fire someone for violating employment policies. 

"My biggest concern now is that confidential business documents are being shared by the hackers," Miller-Merrell said. "What is stopping those hackers from accessing employee files, candidate information and other employee data? We need to make sure our company data is protected because these types of security breaches are increasing," she said.

Just because a person's e-mail is on the site doesn't mean he or she used it, experts also pointed out.

"I have a colleague to whom this happened—his e-mail address was given to the site to open an account to get into the site, even though he's never visited the site at all," attorney Anne Mitchell told SHRM Online. She is CEO and president of ISIPP SuretyMail, an e-mail reputation accreditation company in Boulder, Colo.

"So, if an HR department is going solely on existence of an e-mail address in the Ashley Madison dump in making any decision, they could very well be using bad information for that decision. It's also important to remember that while many states are so-called at-will employment states, meaning that you can be fired for any reason, or even no reason at all, the issue of marital infidelity is very similar to other sexual preference issues, which are becoming more and more protected all the time," Mitchell said.

"I suspect that if someone were fired for having their e-mail address found in the data they would probably win the inevitable lawsuit."

Chodoff suggests companies:

  • Make sure their policies are up to date. "The policy should state that the Internet should only be accessed for business reasons and employees are aware that their Internet usage can be monitored by the company, so that defeats any expectations of privacy that they may have."
  • Make sure the policy is disseminated to employees "so they have notice of it whether it's in the handbook or in the standalone policy."

Don't Be the Morality Police

"I would not think it's morally right for companies to check" any Ashley Madison hacked database, added Jeremy Ames, president of Hive Tech HR and a member of the Society for Human Resource Management's HR Management and Technology Special Expertise Panel. "An incredible amount of information was released in that hack. Even just perusing it to see if your company is listed on there is opening a can of worms and it's morally dubious to do that," Ames said.

"The Ashley Madison hack also provides employers information about sexual orientation, which I am concerned about as well," Miller-Merrell added. "While employers can terminate employees in many states simply because they are gay, I'm hopeful employers won't access the data with this intent, but I won't be surprised if they decide to access the information and use it in this way," she said.

"People are going to hack into additional databases and get information," Ames said. "I would rather companies turn their backs and say, 'This was accessed illegally. Why would we use that? Especially about people's sexual preferences, et cetera.' I don't want to know that stuff about my employees. Trust me."


LIKE SAVE PRINT
Reuse Permissions

Exam Late Application Deadline: April 14

Apply Now

Job Finder

Find an HR Job Near You
Post a Job

SPONSOR OFFERS

Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 3,200 companies

Search & Connect