Rules Are Rules. And Some Rules Are Ridiculous.
While working at a financial institution, I was once enrolled in a training class for a new software package.
The training required a live connection from my computer directly to a training account on the vendor’s system, and since that kind of connection wasn’t allowed from within the corporate network, I agreed to participate from home using my personal computer.
Although I had registered using my personal email along with my home address and phone number, the vendor was required to email the course material to me at work, so I had to forward it to my personal email to be able to access it from home.
Within an hour, my manager texted me, needing to speak to me about an urgent matter.
Automated security software detected that I had sent an unencrypted email to an outside email address containing confidential customer information as well as a user ID and password. The notice he had received recommended terminating me immediately.
The customer information was my own name, address, and phone number, contained in the training packet cover sheet. The user ID and password were for logging into the training system.
I think it’s safe for me to reveal that they were “admin” and “password”.
My manager agreed that this was ridiculous, but he was still forced to choose from among the allowable responses, the least of which was to perform “corrective instruction”, and there was no way that he could remove the blot from my employee record, although he could add the results of his investigation.
Very soon afterward, everyone in the department was required to install email encryption software, and we were no longer allowed to send any unencrypted email outside the company.
My manager told me that he had set this policy after my “breach” because if anybody were to unthinkingly email anything as sensitive as their own tax information to their personal accounts without encryption, he would have to fire them.