Any day now, a CIO is going to become a newspaper headliner, without doing anything obviously wrong.
Whether by title, design or default, the CIO is charged with the “proper” use of the corporation’s IT environment. Opportunities for the abuse of IT are many, and one abuse to be concerned about is harassment, sexual or otherwise. I predict that we will soon see an avalanche of harassment claims, and that the CIO will occupy the centre of controversy.
Most managers have become sensitized to the harassment issue, and understand that virtually any type of unsolicited advance, statement or innuendo can fall within the definition. When that happens through the IT medium, and (perhaps) cannot be traced to a specific individual, must the CIO then shoulder the blame?
Consider these scenarios, which reflect actual events. A staff member downloads a sexually explicit picture, joke or story from an Internet source and e-mails it to a co-worker. Alternatively, a co-worker registers one of his or her peers in an underground forum, Web site or chat room that causes that person to receive graphic or controversial e-mail. In both cases, the recipient may find the material objectionable. If repeated, this can be construed as harassment.
As it is the recipient who ultimately determines what is objectionable, the CIO’s ability to prevent these occurrences is severely limited. Although it is relatively easy to monitor and block specific URLs or keywords at a firewall, human sensitivities can range far beyond sexual issues, to include religion, politics, lifestyle and even physical attributes. The number of addresses and keywords involved would make firewall-based restriction a technical and practical nightmare. Still, the CIO must be perceived as taking prudent and responsible action to prevent harassment in any form.
Many CIOs believe they are not at risk because they have a policy that instructs employees not to do these things. But legal sources suggest that you will not find much success in this type of ostrich defence. Although corporate policy may specify dismissal when a breach of etiquette occurs, that presumes the policy has been communicated to everyone and that the culprit can be pinpointed. Unfortunately, IT policies typically enjoy very little awareness, and if staff possess even a modest technical IQ they are quite capable of hiding their tracks. Typically, the courts do not entertain a defence based on ignorance, and will likely hold the CIO responsible for implementing adequate safeguards for preventing harassment.
There is also the issue of unintentional harassment. One such situation involved two people working for a major hardware vendor who were having a torrid affair (both in person and via e-mail). All was going well with their clandestine activities until one of the parties created a spectacularly descriptive e-mail message and inadvertently sent a copy to everyone in the company. There were as many people who were incensed about receiving the message as there were who thought it was terrifically funny. You didn’t want to be CIO of the company on that day.
There are some obvious steps that you can pursue if you don’t want a harassment lawsuit. First, knowing that employees create most security breaches, you should put sufficient mechanisms in place to allow you to block and trace all activities throughout the network. Second, recognize that harassment can assume many faces and educate your staff to be sensitive to the issue in all of its various forms. Third, deploy strong policies that are both documented and well communicated throughout the enterprise. Fourth, learn more about the tools available to crack your security, and strengthen your ability to repel them. Fifth, polish up your resume, because you may be the one we read about in the newspaper.
Greg Georgeff is Vice President of Information Services for OMERS (Ontario Municipal Employees Retirement System). He lives in Acton, Ont.