- Privacy Risk Report - https://privacyriskreport.com -

Recent Litigation Provides Example of Password Being Possibly Too Safe

It is evident that password security is one economical way to decrease the chances of a cyber incident [1], but recent litigation sheds light on a situation involving a password having too much protection. The American College of Education (ACE), which provides professional development programs for educators, filed suit against its former systems administrator because he would not provide the password for a student email system. The former employee, Triano Williams, filed his own discrimination lawsuit alleging, among many other accusations, that the passwords were stored on a laptop he returned to ACE, and that he offered to help them find the password for a fee.

The first lawsuit was initiated on July 19, 2016, when ACE filed suit against Williams, in Marian County, Indiana, based on allegations that Williams would not provide the password for a Google account that held e-mail and course materials for 2,000 students after ACE fired him from his position as Systems Administrator. When ACE contacted Williams after he was terminated about gaining access to the Google account, Williams stated he would provide the passwords for $200,000.

ACE’s complaint [2] (Paragraph 2) contained the following allegations containing Williams’ employment and termination:

Based on these general allegations, ACE claims it suffered harm from Williams’ actions and sought recovery under theories of: (1) intentional interference with a contractual relationships and business relationships, (2) violation of the Indiana Uniform Trade Secret Act, (3) conversion, (4) offense against intellectual property, (5) breach of fiduciary duty, and (6) criminal mischief. ACE further sought a restraining order requiring Williams to immediately provide the password for ACE’s Google-hosted student e-mail account.

On December 30, 2016, Williams struck back when he filed a complaint [3] in the U.S. District Court for the Northern District of Illinois alleging he was subjected to a hostile work environment and disparate treatment prior to and when ACE fired him. The complaint filed in Williams’ discrimination action sheds some light on Williams’ side of this story. In particular, Williams claims that he “was the sole remaining administrator when ACE decided to terminate him and lock him out of ACE’s Google email system.” Williams refused to assist ACE in retrieving the password because he was no longer an employee at the time and ACE was not offering any compensation for his work. Further, Williams’ complaint alleges that ACE had faced a similar situation with another employee and “paid…a sizable consultant fee to perform the task needed by ACE.”

In discussing this situation, cyber security experts warn [4]that “[a] lot of organizations are using cloud-based services and online services like this [and] [e]ven under a good situation, somebody could leave and then you find out the cloud service you depend on gets canceled because maybe the bill didn’t get paid.” Further, this situation shows the important role employees play in cyber security. While it has always been clear that employees can supplement the technological safeguards put in place, this litigation shows how the technology ACE relied on may have actually made ACE’s life more difficult. Regardless of whether ACE or Williams prevails in their competing lawsuits, the takeaway here is that the dispute may have been defused to some extent if ACE had stored the passwords in multiple (and safe) places.