Discovered mistake made a year ago.
September 25, 2017 8:54 PM

Should I confess to a mistake at work I discovered that was made a year ago?

I just discovered a huge mistake I made starting as a new employee that was done a year ago. There's this worker who works as our HR liaison for her division and building since they're not that close to us. So she has access to all of those hundreds of salary and personal information of those employees and we often exchange information for onboarding, new hires, changes, etc. We are also pretty cool with each other more so than others. At a distance we even end up having friendly conversations although rarely seeing each other.

Anyway, a year ago she requested salary reports for all the people in her division. She is able to look it up but unable to pull a report like I can. So I pulled the report of all the people in her area onto the spreadsheet and emailed it to her.

It wasn't until today when she needed an annual updated report that the file I sent her also included other very confidential information of all the other employees on another tab! I was new to this report and wasn't familiar with what could be on the other stuff or what to find. It didn't have social security but it had address and salary information and benefits they enrolled in. As HR liaison she already has info of all this from the people in her building but not other people.

When I realized this I immediately called her and asked if she could delete it and ask if she saved it anywhere else. She said it was gone. Later when we met up after work during a session, she pulls me aside and says for me to not worry that it's gone. She said when she first started she did something similar (although not as big as what I did) and that it was reported immediately to her boss and she got yelled at. So she understands.

It helps a bit that she is like my "work friend" and she is in a confidential position but I still feel sick thinking about it. I feel so guilty like I need to tell someone but I know that's stupid. I would possibly drag her into it by mistake. How do I stop feeling like I wanna puke and hate myself?
posted by Asian_Hunnie to Work & Money (20 answers total)
 
Good God, don't tell your boss. As a brand-new employee, you made a mistake which, as far as you know, had no actual repercussions for anyone, which has now been corrected, and which you know how to avoid repeating in the future. This is pretty much the definition of a "Let us never speak of it again" situation.

P.S. Better get your brain around the idea that you are going to make mistakes from time to time or you're going to be perpetually miserable.
posted by praemunire at 8:57 PM on September 25, 2017 [51 favorites]


When I realized this I immediately called her and asked if she could delete it and ask if she saved it anywhere else. She said it was gone. Later when we met up after work during a session, she pulls me aside and says for me to not worry that it's gone

This is a solved problem. You don't need to worry about this anymore. Near miss, no harm done.

If you really feel bad about this, write a policy document or standard operating procedure about how to generate this report properly, so that the person who comes after you doesn't make the same mistake.

Do not put yourself in the firing line with your boss over a year-old genuine mistake that caused no harm and that you have corrected. No good would come of it. Not for you, not for your employer.
posted by His thoughts were red thoughts at 9:01 PM on September 25, 2017 [30 favorites]


At my work we have a centralized function to report these types of breaches and it is always better to report than to hide (your mileage may vary, your firm's response may vary) - they ask a bunch of questions but do not overreact. In most cases they handle it similar to what you've done - ask the recipient to delete it. I know someone who was let go after a similar breach, but it was because he did not report it.
posted by valeries at 9:10 PM on September 25, 2017 [4 favorites]


WATER
UNDER
THE
BRIDGE

I understand you made a mistake, but nobody's social security number got shared and your co-worker deleted the file. The problem was solved and the earth has traveled one lap around the sun since. Very gently: do you feel guilty or anxious often? This sounds tough and therapy might bring some relief.
posted by jessca84 at 9:54 PM on September 25, 2017


I specialise in information security and privacy in a federal government context.

Inadvertent, old, it doesn't matter - this is a straight up privacy breach, and I'd be surprised if any decently-sized organisation doesn't have a dedicated policy for reporting it. You should report it. It's a control weakness, and it needs to be closed, or it will happen again, possibly with your data.

had no actual repercussions for anyone
Near miss, no harm done


Neither of you can possibly know this.

P.S. Better get your brain around the idea that you are going to make mistakes from time to time or you're going to be perpetually miserable.

Everybody makes mistakes. Grownups and professionals own them and own up to them.

But on the off chance that self-interest is what motivates you, my organisation is presently searching email accounts for instances of people emailing confidential customer and HR data. It's not an unusual practice to check for this sort of information being handled outside core systems. Not being caught to date is no guarantee of not being caught in the future.
posted by obiwanwasabi at 10:01 PM on September 25, 2017 [12 favorites]


This is a solved internal problem. You handled it at the peer to peer level and there is nothing your boss needs to deal with. They no doubt have enough on their plate. Think of staying quiet as protecting their time.
posted by rpfields at 10:04 PM on September 25, 2017 [2 favorites]


You were a new employee that easily and inadvertently made a privacy breach. The larger problem here is the poor process that let that happen, not your individual mistake. In my organisation I'd report it and expect the focus to be on improving procedures, not reprimanding me.
posted by deadwax at 10:47 PM on September 25, 2017 [2 favorites]


The reason the responses are varying so widely is that it really depends on your specific organization. In some, any error that leads to PII being revealed or even suspected to possibly have been revealed (say if you are 99% sure an encrypted flash drive got tossed in the trash, but were unable to verify that it was destroyed so someone could possibly have made off with it) to someone who is not supposed to have access to it must be reported.

In other orgs, an error like this is completely harmless, especially since it is known definitively that the information remained within the organization.

That said, most places with strict PII rules that will get you shitcanned no questions asked for not reporting also emphasize this in initial and recurrent training, so you ought to know if something like that applies to you. And yes, it would be a sick workplace that disciplined you for reporting, required or not. (Again, you are in a better position to know than any of us)
posted by wierdo at 10:51 PM on September 25, 2017 [11 favorites]


Let sleeping dogs lie.
posted by rhizome at 11:06 PM on September 25, 2017


Everybody makes mistakes. Grownups and professionals own them and own up to them.

I think it's adorable you're pretending the federal government is grownup and professional about data privacy considering that it basically handed over the records of twenty-plus million employees to some random Chinese hackers just two years ago.

OP, I think if your company actually had some kind of strict mandatory reporting process for internal disclosures, you would have heard about it, and so my answer was based on the assumption that it didn't. But I will amend my advice: if your company does have such a policy, adhere to it.
posted by praemunire at 11:21 PM on September 25, 2017 [7 favorites]


I'm not sure what your question is... It's been a year. The file is gone. She sympathizes and is not going to tell anyone. She's the only one who got the email. She's already in a position where she has access to most the information anyway. She probably didn't even look at the other tab. This is not worth worrying about. Who would you tell and for what purpose? Seriously, leave well enough alone and pretend it never happened, except learn from your mistake and don't do it again.
posted by AppleTurnover at 11:28 PM on September 25, 2017 [3 favorites]


If you were a Boss, what would you want your employee to have done? What if you were one of the people whose information was breached?

Just don't throw your coworker under the bus.
posted by gryftir at 11:58 PM on September 25, 2017


Am I right in thinking your colleague was duly authorised to handle this kind of information? It's just that you sent her data on people who weren't in her area. She never looked at it (so I think we do have pretty good assurance that no harm was done).

How worried would I be if some of my data, which was legitimately held and used by HR people, was accidentally made theoretically available to another HR person, also legitimately involved with the same kind of data and trusted with it by the employer? The same person who, if I transferred to the other office, would then have this data correctly anyway?
posted by Segundus at 3:39 AM on September 26, 2017 [1 favorite]


Response by poster: I'm not so sure IT or whatever would know about it because people from different departments send personal information of salaries or addresses on forms through email all the time so it wouldn't look any different.

Yes, she is basically the HR rep for us in that building and location since we as a whole department sit at the home office. She handles a lot of other confidential information and finance information as well so it's a mixed role. Again, she has access to the same information I do but only for people in that building including the higher ups of that division just not the other as well whereas I have all the information.
posted by Asian_Hunnie at 4:31 AM on September 26, 2017


You don't need to fess up and your boss almost certainly doesn't care. IME of jobs, if you made a mistake that you were able to fix and that did not cause any damage because you fixed it, and you're aware of the mistake and won't make it again, your boss really doesn't especially care. In fact, "I made a mistake, whoops, fixed it, won't do it again" is actually sort of an adult job responsibility - they didn't hire you because they thought that you'd never make a mistake or because they thought that you'd come running to them every time you borked the TPS report.

Also, look, data privacy is important, but just because something is important doesn't mean that it is realistic to expect that no one will ever make a mistake, and companies don't expect that. The Experian hack? Bad because major and preventable. Sharing that spreadsheet with the entire company? Would have been pretty bad! Sharing it with an HR rep? Not that bad.

People at work make mistakes. I know someone who lost their company $10,000 due to an error. $10,000!!!! Was he fired? Nope. The company assumed that at some point someone would make that kind of mistake and was prepared. Now, they weren't thrilled, but he was a newish employee, it was a complicated situation and they basically just said "don't do it again".
posted by Frowner at 6:21 AM on September 26, 2017 [1 favorite]


Potentially career-ending mistakes happen in every business, literally every day. Have you ever held open a door for a colleague who didn't have their badge on them? That's an immediate firing offense at any company that bothers to lock their doors. Except it's generally not enforced until there's An Incident, and then upper management and the security folks get involved, the guy who let someone tailgate gets shitcanned, and everyone pretends to care about physical security for a week until they don't because they're human.

Have you ever sent personal email from your work email account? Termination offense. Told your spouse how busy you were because of the big deal coming up that hasn't been publicly announced? Termination offense. Rounded your timesheet entry to the nearest 10 minutes? Termination offense. But in all cases, the sentences are suspended indefinitely until the action causes An Incident.

Don't turn a routine fuckup into An Incident, unless it's really the right thing to do.
posted by The Prawn Reproach at 7:37 AM on September 26, 2017 [2 favorites]


Would your company go far out of its way, and risk its own position, in order to be fair and right and just and confessional and honest to you? I'm guessing no. There is absolutely NO REASON to do anything but move on. Sure, lots of companies would LOVE for you to take on this absurd sense of personal responsibility and contrition and guilt, but screw that noise. I don't care how many people try to tell you the important thing is to report it. Your livelihood and reputation are on the line, with people who would never have your back in a million years if the situation was somehow reversed. And since the situation will *never* be reversed (because of the nature of our capitalist society), please don't even consider telling anyone about it. The issue is resolved, and the sensitive info was already deleted (this is no longer an issue where you owe some confession for the sake of people's info.) The only result at this point would be endangering your own position and that of your friend's. In the name of what: honesty and loyalty to a company? No.
posted by thegreatfleecircus at 8:17 AM on September 26, 2017


Response by poster: Thank you all. I was really sick thinking about it...but I'm doing better now and moving past it. As I said before, I know more than a year ago and have been careful but now I want to take even more extra steps like setting encrypted passwords for data when sending and calling separately for the passcode just in case it is sent to the wrong person because I don't want to feel that way ever again.
posted by Asian_Hunnie at 9:30 AM on September 26, 2017 [1 favorite]


I think it's adorable you're pretending the federal government is grownup and professional about data privacy considering that it basically handed over the records of twenty-plus million employees to some random Chinese hackers just two years ago.

I think it's adorable that you assumed I work for that federal government. I'm Australian, and I live in Australia. It's another country; you may have heard of it.

In any case, Chinese hackers don't excuse not disclosing an internal privacy breach, and I'm not sure why you think it would. And if you knew anything at all about managing electronic risks to privacy, you'd know that email systems are soft targets for said hackers. Why attack that hardened mainframe when chances are somebody has emailed a giant Excel spreadsheet with exactly what you need and it's sitting there on an unpatched Internet-facing Outlook server? This is why you need to disclose breaches - all breaches.

OP, I think if your company actually had some kind of strict mandatory reporting process for internal disclosures, you would have heard about it

We have mandatory annual training specifically because people (usually contractors) haven't heard about our policy, or forgot about it after learning about it during induction, or because it's changed.

But I'll say it again: grownups and professionals don't need a policy to own up to mistakes. They just do the right thing. The policy is there to hit people who don't do the right thing or plead ignorance.
posted by obiwanwasabi at 5:55 PM on September 26, 2017


I think you can move on from your mistake but I think you should bring up with management or IT or whatever entity something like "Hey, I noticed when I'm pulling x report, it gives me excess personal information that I need to manually remove. Is there any way to change the parameters of this report to give only the requested info to avoid an overshare?"
posted by WeekendJen at 9:00 AM on September 28, 2017 [3 favorites]

