It is evident that password security is one economical way to decrease the chances of a cyber incident [1], but recent litigation sheds light on a situation involving a password having too much protection. The American College of Education (ACE), which provides professional development programs for educators, filed suit against its former systems administrator because he would not provide the password for a student email system. The former employee, Triano Williams, filed his own discrimination lawsuit alleging, among many other accusations, that the passwords were stored on a laptop he returned to ACE, and that he offered to help them find the password for a fee.
The first lawsuit was initiated on July 19, 2016, when ACE filed suit against Williams, in Marian County, Indiana, based on allegations that Williams would not provide the password for a Google account that held e-mail and course materials for 2,000 students after ACE fired him from his position as Systems Administrator. When ACE contacted Williams after he was terminated about gaining access to the Google account, Williams stated he would provide the passwords for $200,000.
ACE’s complaint [2] (Paragraph 2) contained the following allegations containing Williams’ employment and termination:
- “As the Systems Administrator for ACE, Mr. Williams had access to ACE’s confidential information and trade secrets.”
- “Following his termination, Mr. Williams returned the company-issued computer which he had been using to perform his work duties.”
- “The computer had been wiped of all information, included information needed by ACE to conduct its business. Specifically, at the time his employment with ACE ended, Mr. Williams was the sole administrator of ACE’s email account (hosted by Google), which is used by its students to communicate with the college and conduct their coursework.”
- “Mr. Williams claims the login and administrator password to access ACE’s email was “autosaved” on his work laptop, but because Mr. Williams wiped his hard drive before returning to ACE, the administrator login information was lost.”
- “The college has been unable to access its email account.”
- “Without access to its email system, ACE is unable to administer its email account, without the administrator username and password which is causing immeasurable harm to the College’s reputation as its students are unable to access their email and coursework.”
- “ACE has also requested the login information multiple times from Mr. Williams, but he has refused to provide that information without ACE paying him $200,000.”
Based on these general allegations, ACE claims it suffered harm from Williams’ actions and sought recovery under theories of: (1) intentional interference with a contractual relationships and business relationships, (2) violation of the Indiana Uniform Trade Secret Act, (3) conversion, (4) offense against intellectual property, (5) breach of fiduciary duty, and (6) criminal mischief. ACE further sought a restraining order requiring Williams to immediately provide the password for ACE’s Google-hosted student e-mail account.
On December 30, 2016, Williams struck back when he filed a complaint [3] in the U.S. District Court for the Northern District of Illinois alleging he was subjected to a hostile work environment and disparate treatment prior to and when ACE fired him. The complaint filed in Williams’ discrimination action sheds some light on Williams’ side of this story. In particular, Williams claims that he “was the sole remaining administrator when ACE decided to terminate him and lock him out of ACE’s Google email system.” Williams refused to assist ACE in retrieving the password because he was no longer an employee at the time and ACE was not offering any compensation for his work. Further, Williams’ complaint alleges that ACE had faced a similar situation with another employee and “paid…a sizable consultant fee to perform the task needed by ACE.”
In discussing this situation, cyber security experts warn [4]that “[a] lot of organizations are using cloud-based services and online services like this [and] [e]ven under a good situation, somebody could leave and then you find out the cloud service you depend on gets canceled because maybe the bill didn’t get paid.” Further, this situation shows the important role employees play in cyber security. While it has always been clear that employees can supplement the technological safeguards put in place, this litigation shows how the technology ACE relied on may have actually made ACE’s life more difficult. Regardless of whether ACE or Williams prevails in their competing lawsuits, the takeaway here is that the dispute may have been defused to some extent if ACE had stored the passwords in multiple (and safe) places.