I caught a notary in our office
Posted by TrainingOrchid516@reddit | sysadmin | 64 comments
After fixing a paper jam the other day, I noticed the page had someone's SSN and financial info on it. I looked up the person in our HR system. No match. I pulled up the printer log and found a stream of suspiciously named documents. I jumped into the OneDrive of the user who had been printing the docs and searched for the filenames. Turns out this employee is doubling as a notary and storing sensitive documents on the work computer. I brought it to HR's attention, but they don't have a policy and could only give a warning not to do such things. MGMT requested I delete the files and backups.
We had an administrative meeting where the new policy was brought up. The day after the meeting, a different employee brought me another printed paper they found on a different printer with financial info on it. It was the same thing, dozens of documents from the employee. This time, while the employee had "stepped out for an hour", I remoted into the user's computer and found in the open browser a Google search for "can our IT department see what I'm printing from a usb". Open and logged in were some notary websites.
Mgmt doesn't care because they're all friends. I have a lot of opinions on what to do, but the company has made it clear they don't care. Our company has a separate MSP which handles network and security, so I think my hands are clean of the situation.
Should I just ignore the issue and let the company deal with the consequences if it comes to that?
jdptechnc@reddit
Next time, butt out.
jdptechnc@reddit
Next time someone brings you copies of something like that from the printer, redirect them to HR/Legal and stay out of it.
It is not your job to be data cop, electronic or otherwise.
NDAbsoluteZero@reddit
In this sort of scenario, make sure you get every damned conversation logged in email. Even if it means writing to HR to confirm what they instructed you orally, it's best to keep that trail.
Previous-Low4715@reddit
You’re not really supposed to do any of this unless someone in HR asks you to. If they’re friends with management and you jeopardise their employment or put management in an impossible position, you’ll come off badly if not worse than the person in question.
TSwiftDivorceLawyer@reddit
This is the part in the post that worries me. I tried to do pseudo-HR Jason Bourne shit in my younger years and as I re-read this post it does not come across as good guy behavior.
Dramatic-Wasabi5516@reddit
Yeah don’t do this kind of stuff in any cyber or sysadmin role. You’re just literally causing yourself more work and putting yourself at risk going out of scope
TrainingOrchid516@reddit (OP)
I should have stated, I was instructed by HR AND the employee to delete the files. The browser was still open when I logged in.
TSwiftDivorceLawyer@reddit
Thank you for that clarification!
Current_Anybody8325@reddit
Really depends on the organization. Our Acceptable Use Policy states I.T. management can access any files, emails, or systems at any time for any reason to ensure compliance with policy and maintain security.
bunnythistle@reddit
Every company's AUP states that. However that doesn't mean that anyone in IT can just go snooping around and investigating stuff on their own whim. Otherwise a rogue employee could go around browsing sensitive stuff "just to make sure it's compliant".
If you have a concern that there may be a proper infraction of policy or a risk to the company, bring it to management and get written approval to investigate. There could always be some situation where something that would normally appear to be a violation is known and approved of, and in those cases, someone investigating it without proper approval may be viewing sensitive/restricted information, creating additional risk/liability that otherwise wouldn't have occurred.
Current_Anybody8325@reddit
Notice I said "I.T. Management" - we're not talking some level 1 helpdesk tech here.
Expensive_Plant_9530@reddit
True. But is OP “IT Management”? They never said they were. Maybe that was in a comment.
Current_Anybody8325@reddit
My comment was really a rebuttal to Previous-Low4715 stating "you aren't supposed to do this" as hard fact. Which isn't usually true and very much depends on your organization.
Previous-Low4715@reddit
In the UK this would be borderline illegal depending on the wording in the AUP, at the very least it would make it very difficult for the company to remove the employee in question. The employer is still bound by GDPR regardless of what is in the contract and there are numerous laws and precedents separating IT technical gathering from HR/conduct investigation.
Current_Anybody8325@reddit
I’m in the U.S. and it’s perfectly legal. Anything done or saved on company devices is property of the company.
Previous-Low4715@reddit
Exactly this. It’s not up to sysadmins to randomly investigate employee conduct
TrainingOrchid516@reddit (OP)
Same policy here. People are always surprised by this. Your device and files are not really your own.
Previous-Low4715@reddit
Claudeslop answer:
Based on the context provided in image.png, the IT admin's actions cross several major legal, ethical, and procedural lines, especially from a UK compliance perspective. While a corporate AUP typically allows IT to maintain systems and preserve logs, the proactive, unprompted investigative steps detailed in image.png go far beyond standard operational mandates and enter highly problematic territory. Here is a breakdown of why the actions in image.png lean heavily into illegal or severe non-compliant territory rather than just "borderline" policy breaches.

1. Unauthorized Access and "Snooping"

In image.png, the admin admits to looking at the content of a stuck page, searching HR systems for a name match, auditing printer logs, and directly jumping into the user's corporate OneDrive without a formal request or ticket.

The Reality: While corporate assets belong to the employer, access to individual user data must still be justified under a specific legal basis. Proactively digging through an individual's OneDrive or live browser history based on a hunch, rather than acting on an explicit threat vector or a formal HR/legal escalation, can violate data protection laws.

Computer Misuse Risks: In strict jurisdictions, accessing a specific user account or remote-controlling a machine while an employee is away without explicit, documented authorization or an open security incident ticket can blur into unauthorized access.

2. Serious Data Protection Violations (UK GDPR / DPA 2018)

The admin in image.png actively looks up an individual in the internal HR system to check for a match.

Purpose Limitation: HR data is highly sensitive and collected for specific employment purposes. An IT administrator utilizing their administrative privileges to cross-reference data in an HR database for an independent, unassigned investigation is a direct breach of the Purpose Limitation principle under data protection laws.

Proportionality and Privacy: Remote controlling a user's PC while they have "stepped out for an hour" to actively read their open browser tabs and Google searches violates reasonable expectations of workplace privacy. Even under strict corporate monitoring policies, targeted surveillance must be proportionate, justified, and typically vetted via a Data Protection Impact Assessment (DPIA). Siloed, unsupervised IT snooping completely fails this standard.

3. Destruction of Evidence

The edit in image.png states: "I was instructed by HR AND the employee to delete the files."

Compliance Failure: If the documents contain third-party Social Security Numbers (SSNs) and financial data, they represent a severe data breach for the organization (and potentially the notary's external clients). Simply ordering IT to "delete the files and backups" to make the problem go away, without logging a formal data breach, identifying the affected data subjects, or following a standard incident response protocol, is a massive regulatory compliance violation.

Summary

The comment at the bottom of image.png highlights the organizational reality: "You're not really supposed to do any of this unless someone in HR asks you to." By acting as an independent investigator, processing HR database records without cause, and conducting targeted live surveillance on an endpoint without a formal ticket, the IT administrator in image.png exposed themselves and their company to significant liability. Securing a perimeter or preserving logs during an active infrastructure alert is standard IT protocol; digging through a specific user's private folders and live browser sessions without authorization is a severe overreach.
Demented_CEO@reddit
I'm not surprised by that, but it'd also immediately make me think you're not based in EU.
It's just not a universal truth that you can write whatever you'd like in a policy and call it a day.
Kind of neat to have that policy, but I'd still keep CYA high up on my list and not do too much.
Let legal/HR take over. Likely there's a clause somewhere that work devices are for... work?
cvc75@reddit
Although I doubt that the company that doesn't care about employees using company printers for private business would have an Acceptable Use Policy anyway.
Arudinne@reddit
If HR doesn't care about them moonlighting on company time with company equipment just let it go.
Could consider blocking the website(s) if there's no legitimate need for anyone else to access it.
Impossible-Goat-4388@reddit
Yes. You brought it to the attention of management and HR. You've done your job.
FatBook-Air@reddit
At most. I am not sure it was even appropriate for IT to do this investigation without HR initiating it.
Stonewalled9999@reddit
When OP's company gets sued for PII breaches I can assure you the first thing HR will say is "why didn't IT prevent this"
drewskie_drewskie@reddit
You bet I'm investigating random-ass files and print jobs, that's a cyber security threat
HerfDog58@reddit
In general, it's not our job as a sysadmin to MAKE policy; our responsibility is to RECOMMEND appropriate policy measures to management, and then to IMPLEMENT and ENFORCE whatever policies are deemed as required by management.
In this case, if you've made recommendations to the higher ups, and they're like "Yeah, whatever, no big deal" I'd follow up via email "Confirming that you are directing me to not worry about external documents being accessed/printed using company resources." And then let it go, as much as it might be aggravating to do so.
A couple ways you could approach this differently:
You might also want to go to the employee and say "Hey, those documents you keep printing out, and leaving on the printers for your notary work? Other people have seen those, so you're basically allowing confidential personal identification information to be exposed, which could result in fraud or identity theft. I'm sure they would not like to discover that you're exposing their information carelessly." And walk away.
bitslammer@reddit
The company will either be proactive or will eventually learn the hard way.
I've been involved in a handful of cases where employees were doing personal or side business stuff at work on corporate devices and lawsuits were involved. Because at some point someone noticed the corporate email, the company was then hit with a legal discovery order which took up significant man hours.
In one instance the company sued the then fired employee for the loss of those hours because they could point to the policy and make a clear case of the person violating that.
bunnythistle@reddit
I would hope that the request to delete backups comes from the requesting manager not having a proper understanding of how backups work, and not because you can actually delete backups.
If you can delete backups, then an attacker can delete backups if you get compromised, and then those are not backups, because they won't be available. Backups should be immutable for a reasonable period of time, and your risk assessments and policies should be based around the idea that sometimes, something you don't want in backups will be stored there for a period of time.
TrainingOrchid516@reddit (OP)
I can delete what's on Microsoft but our MSP has a backup server. They said they can't/won't delete anything so we will delete where we can.
Danowolf@reddit
One exception, you have a policy blocking usb usage right? If employees don't use usb drives I'd block these things. And I'd bring the risk of usb up to mgt. Let them know you understand marching orders on the first subject but the usb issue is a much more dangerous problem.
TrainingOrchid516@reddit (OP)
Finally, a real suggestion. Yeah I thought about blocking the IP and USB storage. We don't have those in place but I'd like to.
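The USB-storage block suggested above, as an added example that is not from the thread or any of its posters: it writes the same registry values that the Windows "Removable Storage Access" Group Policy sets, then verifies them and lists USB mass-storage devices the machine has seen. It assumes a domain-joined or standalone Windows endpoint and an elevated PowerShell session; the key paths and the "Removable Disks" class GUID are the documented policy locations, and for a fleet you would push the equivalent setting via GPO or Intune rather than per machine.

```powershell
# Added example: deny removable (USB) storage on a Windows endpoint.
# Run elevated. Settings apply on next device enumeration (re-plug or gpupdate),
# so a drive that is already mounted is not unmounted by this script.
#Requires -RunAsAdministrator

# Machine-scope policy root and the device-class GUID for "Removable Disks"
$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = Join-Path $PolicyRoot '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

# Option 1 (broad): "All Removable Storage classes: Deny all access"
# Also covers CD/DVD, floppy, tape and WPD (phones/cameras), not only USB disks.
New-Item -Path $PolicyRoot -Force | Out-Null
Set-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Value 1 -Type DWord

# Option 2 (narrow): deny read/write/execute for removable disks only.
# Use this instead of Option 1 if optical media or phones must keep working.
New-Item -Path $RemovableDisks -Force | Out-Null
foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-ItemProperty -Path $RemovableDisks -Name $name -Value 1 -Type DWord
}

# Verify what is now set (expect 1 for each value)
Get-ItemProperty -Path $PolicyRoot     | Select-Object Deny_All
Get-ItemProperty -Path $RemovableDisks | Select-Object Deny_Read, Deny_Write, Deny_Execute

# Audit: USB mass-storage devices this machine has enumerated (present or not),
# useful for a baseline before the block and for confirming nothing new appears after.
Get-PnpDevice -Class DiskDrive |
    Where-Object InstanceId -like 'USBSTOR\*' |
    Select-Object FriendlyName, InstanceId, Status
```

Pick one of the two options; Option 1 alone is enough and is what the GPO "Deny all access" setting does. The equivalent user-scope policy lives under HKCU at the same relative path if you need per-user exceptions, and none of this blocks the network path the notary sites use; that is a DNS/proxy or firewall control and, per the post, sits with the MSP.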
FrankNicklin@reddit
HR is there to protect the company not its employees. You should not have done anything without agreement from management and/or HR. You could have compromised your own position.
cjcox4@reddit
At most companies, this is grounds for immediate termination. I have witnessed such in my past. However, as the "whistle blower", that's all you can do... and ethically, should do. With that said, I usually approach the individual, tell them to confess to their supervisor, and if they don't (verification of that left to the reader), then, blow your whistle. If authorities know and do not act, there's not much you can do (except maybe look for other job opportunities).
JerryBoBerry38@reddit
Replace his wallpaper with a picture of text:
Yes, we see every single thing you do on this computer. Every keystroke, every device plugged in.
Expensive_Plant_9530@reddit
Management is setting themselves up to be sued if any of those financial documents got leaked and it was determined they knew about the potential and did nothing.
The immediate red flag I see is that the user can print stuff off of a USB drive.
Anyway you brought up your concerns. Make sure to CYA and then just do as you’re ordered to. I would be real careful about acting alone or doing things without management approval.
toddtimes@reddit
I’m confused, why do you care? What’s the added risk to the company from this employees behavior?
Obvious-Water569@reddit
The risk is from a compliance and privacy angle, not so much cybersecurity (though sine the source of the documents is unknown, there is a cybersec risk as well).
The company is holding confidential information about an individual who is not affiliated with the company.
longlivemsdos@reddit
yeah, the more people do personal things on work it just leads to unnecessary cyber risk on the work PC (opening spam that they wouldn't have otherwise etc)
also depending how they sign in, risk of data leak - (Google account sync in Chrome or I've seen Word have the external domain as a saving location in Word. ofc policies can help restrict this risk)
also yeah, if they send files to the work email and someone gets delegate access of it due to leave etc
RebelnRevolt@reddit
If there's a data breach and that sensitive data gets out, the company can be held responsible.
OkGur2222@reddit
Educate your end user on safe handling of PII.
We have a notary in our office who handles notarizing documents for the company occasionally. They also help associates with notarizing personal documents occasionally too. Management is ok with the situation because having the notary onsite when needed benefits the company.
I would be more concerned that the IT department has access to employee PII. And is using it for personal unsanctioned investigations into employees.
Materially_Average@reddit
Logging into their computer was a weird move.
You were right to be concerned. Now, let it go. At this point, you’re more likely to get fired than she is.
PII is an issue, but that’s the notary’s problem. It’s not your company’s client data.
rainer_d@reddit
Next time, ask for your cut.
Big_H77@reddit
Doing way too much; you reported the PII sitting out in the open which was enough.
If the company cared they would institute hardened DLP along with other mitigation techniques.
soulreaper11207@reddit
CYA. Documented it all. Your investigation, your email conversations, etc etc
TylerJurgens@reddit
If you can delete your backups, you're doing it wrong. You need to have immutable backups, and multiple copies.
DistributionFickle65@reddit
Choose your battles. Trust me, this isn’t it.
cheetah1cj@reddit
Why is this you or your company's problem? Your company is not responsible for the security of the data that the user is handling. Unless you have explicit policies that prevent using company equipment for other paid work, then they have done nothing wrong in your company's eyes.
If your concern is the insecure handling of sensitive data belonging to another company, then you could report it to them yourself. Your company clearly does not want to be involved, so make sure it is clear that you are not doing this on behalf of your company. Again, unless this goes against a policy at your company, then this has nothing to do with your company. I do think reporting it to the other company is a good idea, especially if they are leaving those pages on the printers for others to see.
whatdoido8383@reddit
What the hell, just FYI, that would have been insta-fired most places. You can't go snooping around with people's Social Security stuff or digging in like that without direction from HR.
You should have just swung it by HR and let them handle it.
BadSausageFactory@reddit
I don't know where you are, but in some states just having PII unsecured on your systems can be a problem. You are 100% correct to delete the files and backups, but the printed material left out is a real issue. That could trigger a complaint which means auditors. I'm surprised your ownership/leadership was that relaxed about it, I can only think they're not understanding the responsibility lies in your systems containing PII, not how it got there.
Knyghtlorde@reddit
If work doesn’t care, it’s not your place to stop the person.
BryceKatz@reddit
Meh.
The employee moonlighting as a notary is technically stealing, but I doubt their printing is making a dent in your printing costs.
There might be some liability for them or your org if she's storing documents in the company OneDrive instance, but that would only be relevant in the event of specific legal actions that go far enough to compel discovery. That's not an IT problem.
You cannot care more about these things than company leadership. That way lies madness & burnout. Document what you found & Leadership's response to cover your ass. Then move on with things that are your direct responsibility.
Hefty-Amoeba5707@reddit
You can just remote in any users computer while they are logged in without their consent?
Comfortable-Bunch210@reddit
You could always take the super petty route and just delete the files. I’ve been in that situation before. For people who run their personal business on company resources; you just can’t be nice to them.
Brua_G@reddit
Now that mgmt knows, they might have a duty to protect that information, due to privacy laws.
USarpe@reddit
How could you see his onedrive?
ExceptionEX@reddit
If management doesn't care, you shouldn't care, you are just a steward of their will.
Advise them as to the problems, and potentials but at the end of the day it is their choice to manage.
Comfortable-Bunch210@reddit
PII mean anything to you?
Dramatic-Wasabi5516@reddit
“Should I just ignore the issue and let the company deal with the consequences if it comes to that?“
Yes. You’ve raised a concern and been dismissed. Document that part thoroughly for your own ass covering.
FrankNicklin@reddit
What's it got to do with you if Management don't have an issue with it. You are more likely to get into trouble for snooping on employees than the employees themselves.
We have a clear policy of no private files or non business related files to be stored on the business computer system with a clear warning about file deletion should any be found.
As they are "all friends" as you say, why have they suddenly created a policy and they want you to delete the files and the backups. Unless those files are backed up separately how would you go about deleting backups without compromising the whole business.
Then you have the question of what constitutes non business data, obviously some filenames might give the file contents away, others may not, resulting in valid files being deleted.
Let them get on with it, you have reported it so act on the instructions given.
Intelligent-Pause260@reddit
So you are playing printer police in your office? This isn't good office politics. Snitching on people for using a printer is going to make you a lot of enemies and then you'll be the one surprised when it's you that's laid off.
WiskeyUniformTango@reddit
I've seen my fair share of things. Most times management really doesn't care. It can be frustrating, but is what it is.
- Employee dick pics
- Pirated music/movies
- Hiring hookers while their wife also works at the same org
- Running a side mortgage company secretly on company systems
- Gigs of porn
jason9045@reddit
You did your part, hopefully in writing. If management wants to take on the risk of the notary's clients' personal data being compromised from their systems, then that's their prerogative.
ZMD87412274150354@reddit
Yes, management made a management decision. It was bad and shortsighted, but that's their problem. Make sure your suggestions were in writing, to a personal account, all that jazz.
kitsinni@reddit
If management doesn't care, it is only going to cause you harm trying to get them to understand why it is a problem. Your only real options are deal or move on.