I can't dismiss for this?

[Patchoomi]

A month ago our work systems were hacked. No data breaches but man hour costs to rectify it.

The security team identified Dave, not the real name, had clicked on a link in an email. They asked me to start disciplinary procedures for dismissal. Dave doesn't know this.

Our IT rules are standard, don't watch naighty films, don't be illegal, don't download harmful data.

Dave has worked for the company for about 7 years. He's hardworking and honest. It is not rare for our work to click emails. I really believe it was an accident and that if he knew, he would have told the managers and been upset. I don't like Dave but he is good at his job and honest.

I don't know that he breached the IT policy because I don't think he did it on purpose or through neglect. I think too that if we dismiss him it will stop others being honest when they make mistakes.

Work know Dave is dating my best friend so I will refuse to do the process and ask someone else must do it even though I am his manager. I don't know how I can help him.

Or do you think my company are being reasonable and sensible because even if it was a mistake it still made big problems?

I think your firm need to look at their procedures. They can't just dismiss him, they need to carry out a fair investigation (and NOT PREJUDGE THE OUTCOME).

Check ACAS and your HR policies.

If they simply sack him for a simple mistake they'll end up with an employment tribunal case. I'd ask for this to be moved to the employment section and get some proper advice on there.

Do HR not get a say? Surely the remit of the security team is to identify the source of the breach, not to decide how to deal with the member of staff?

I think they will do the process but do it so he has to prove it was an accident instead of them asking if it was. This is harder.

I work in the NHS and lots of staff accidentally click links in scamming emails. We have an IT phishing department partly for this exact reason. Dave has done nothing wrong! Unless there's more to it?....

You need to refer this to HR, you aren’t sufficiently qualified or knowledgeable in the area to carry out an investigation yourself, and especially not if you’ve been actively told what outcome you need to find.

Broadly, the company can’t seek to to dismiss him unless it counts as gross misconduct, and for it to qualify as that you would need to demonstrate he had intentionally and maliciously sought to jeopardise your systems, or was grossly incompetent. Accidentally clicking on a phishing link in an email is generally dealt with by sending staff on refresher training teaching them how to recognise a fishing email and what they need to check to ensure all links are genuine in future.

Has Dave had training to say not to click the link?

I am sorry if I was unclear. HR have said to discipline and dismiss because of what the security team told them. They say he has breached policy and that is gross misconduct. I was not at work during this time.

Unless there’s an outright policy that links in external emails must never be clicked (and I can’t see how that’s workable for any organisation) it’s very unlikely they can claim he’s breached a policy. I’d put it in writing that you are not qualified in employment law and thus are not in a position to carry out an investigation with the outcome being dismissal.

We have to complete IT and security training every year. HR will help do the process but it is the manager who must investigate and lead it. I have said I can't do it.

Well I hope Dave got adequate training on cyber security otherwise I expect he will have a claim for unfair dismissal - especially if he’s able to get hold of the internal communications which demonstrate they decided to dismiss him before carrying out any sort of disciplinary procedure/ at least asking Dave what his version of events is.

If they say it is gross misconduct he can be dismissed.

I understand what you are saying Fleur

But they can't just say it's gross misconduct if it's not, surely

They can - but it isn't and he'd have an excellent case at ET.

There’s a legal definition of what sort of actions would amount to gross misconduct - your employer can’t simply decide that accidentally clicking a phishing link or spilling your tea on your desk is gross misconduct and sack you at will. How big is this company? Do any of these people in HR have any qualifications whatsoever?

What policy has he breached? I work in data protection and if there is an actual data breach, an employee would be dismissed if it was malicious and the breach was high risk personal data and they may be disciplined if they had had extensive training on data protection and kept repeating the same mistake but in some of those cases they would argue they hadn't received enough training and the fault lies with the employer, in fact in nearly all of those cases. However, I don't see how they'd get away with this treatment of an employee if there is no actual breach!

l left education last year. Staff were always accidentally clicking on emails, even why IT told them not to!

No one was ever disciplined for it.

With 7 years service and an unblemished(?) previous disciplinary record, and no catastrophic consequences, it would be a little risky to dismiss based on a simple mistake. They’d have to show it was gross negligence for the dismissal to be fair.

if he’s had annual training specifically on this issue and they can demonstrate that, plus a written policy, and they can also demonstrate that a fair procedure was followed then it’s possible he could be fairly dismissed.

However, it won’t be a fair procedure if it’s been pre judged, and their reason for dismissal is borderline. On balance I think dismissing him would be likely to be unfair (unless something similar has happened before).

Firstly, if the outcome of a disciplinary hearing is pre-determined then it is automatically unsound. There might be some extenuating circumstances no one is aware of. No HR person worth their salt would ever tell you it's dismissal without a proper investigation and hearing first.

Secondly, what do your policies state? If clicking on a phishing email is listed as gross misconduct... that is still shaky ground as that in itself is quite unreasonable. Unless EVERYONE who has ever clicked on one of these links has been dismissed?

They say he didn't follow the IT policy because he downloaded harmful data when he clicked the link. The policy says if you don't follow it that is gross misconduct. He did download the data and so didn't follow the policy but I think it was accidental. He did not intend to.

The hack damaged our systems and caused data loss but no information was shared outside the company. Our security team are happy it was only an internal issue and no one saw anything they should not.

We must do IT and security training each year. He has not been in trouble before.

HR here. Despite the fact it was an accident/ people sometimes make mistakes - No investigation first? They're on very dangerous ground.
If they try to dismiss I suggest he appeals and also does an SAR whereby it would be clear they'd discussed trying to dismiss him before an investigation.

Do you know what the link was for?

I feel this should come into play with the decision making.

I will speak to HR tomorrow about already deciding the outcome and tell them they can't do that. I think they still will but will be more secret about it. I have emails saying they want to dismiss so I will keep them. I will try to guide them to ask my fair colleague to do it instead of me.

I will think about how to find out what has happened when people have clicked things they shouldn't before. He won't be the first person and it would be unfair to punish him if they were not.

Thank you for giving me hope. I don't like Dave but I don't think this is fair.

It is utterly ridiculous to think they can dismiss him for clicking a link. Surely they would need to prove that he knew it was a scam and that it would download data.

The link downloaded something that damaged our systems. I don't know what Dave thought he was clicking. We have to click a lot of links in our emails so it would be normal. Unless it said to click here for porn or something which would be different of course.