This doesn't sound right - 3rd-Party "Deduction Management Firm"
-
@wrx7m basically here are the issues that I see:
- Assuming that there are strong policies in place with regard to the employer being allowed to read the employee's email as a given starting point, that doesn't cover the situation here. That's "normally legal" if handled properly, but risky enough that it is generally advisable to avoid. Even if the employee legally can do nothing, it can damage the company's reputation. And that's the best case; worst case, it goes to court and the company can't prove that it had the right to do it.
- The request is to capture all traffic, not just email. Maybe we want to ignore this, but the request is for this and would risk crossing into "social engineering" grounds by trying to convince you to do so. This would include bank transactions and all kinds of things. Claiming that they are just incompetent might work, but not likely. Bottom line, they are asking for the keys to absolutely everything, using email as an excuse to breach the firewall / network security.
- Even if we ignore #2, the request is for all email, regardless of sender, recipient, or system. This means that not just proper business transactions with clients, but also the CEO talking to the company lawyer, the HR team discussing employee issues, and other matters of HR, legal, or attorney / client privilege or possibly SEC trading (if you are public) are exposed to a third party without anyone's permission or knowledge (presumably). Even telling people that this could happen appears to mean nothing.
- We have to assume that the Harvest company has no legal framework around it that makes it do any due diligence to protect the confidentiality of the emails that it receives. Honestly it sounds like a scam business, but even if it isn't, this seems like a huge problem: knowing that they have major security gaps in their understanding and still letting them have data of unlimited sensitivity.
Sharing specifically targeted client / sales conversations, once the sales team is made aware, and the emails are verified by some process seems fine. Everyone knows what the contents are ahead of time. But anything that does a "grab all" from the network or the email system would be grabbing data of unknown origin and destination and purpose.
It would be super, duper hard to defend in court how it could be legal if an employee's private conversation with HR, a boss, a doctor, a bank, a family member, etc. was intentionally shared with a third party, as it serves no business purpose.
-
It hasn't gone into effect, but as of 1/1/20 you will be operating under this law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.
-
@Kelly said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
It hasn't gone into effect, but as of 1/1/20 you will be operating under this law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.
Thanks. At this point, it is only companies that this request would apply to.