The American College of Education, an online for-profit college, recently experienced every business's worst nightmare: the wrath of a vindictive IT guy.
The IT guy was Triano Williams, and he seemed pretty angry. Last year, the school made a move to consolidate its technology operations at its Indianapolis headquarters, which would've meant an unwanted move for Williams. Although a severance package was offered, the college claimed that the systems administrator was fired after refusing to relocate. Williams had a different story. He's accusing his former employer of racial discrimination.
The problem, however, was the password to an online Google account that stored email and course material for the college's 2,000 students. Williams changed it -- and didn't tell anyone. He said the password was auto-saved on his company laptop that he returned, but the college said he erased the hard drive. Google wouldn't comply with the college's request to access the account because Williams was individually named as the sole administrator and not the company. Everyone was at an impasse.
So how to solve the problem? Williams' attorney proposed an idea: pay his client $200,000 and give him a clean letter of reference. I'm sure the $200K will come in handy, but I'm not so confident the "clean" letter of reference will hold up once any future employer does a standard background search of Williams online and finds this USA Today article written about the incident. Imagine that coming up in a job interview!
Everyone's looking bad here. But the worst offender was the college itself. Not for its decision to consolidate operations but for having no internal control process in place to protect itself from IT staffers having too much access (and power) over its mission critical systems. Sadly, most small businesses are also in the same boat and put way too much trust in their outside and internal IT people. For the great majority, it's not a problem. But when something like this incident happens, it can be crippling. The lesson: all of a company's online accounts must be in the company's name and not in the name of an individual staffer. Make sure more that more than one person has access to this information, too.
"You can outsource some of the processing," Gene Spafford, founder and executive director emeritus of Purdue University's Center for Education and Research in Information Assurance and Security, told USA Today. "But you can't outsource the responsibility."
There's good news. A few days after the news broke, the college announced that it was able to access its Google account and that "all students have regained access and none of the data was compromised during the lockout." Phew, that was a close one. Let's hope everyone's learned a little from that adventure.
A version of this column originally appeared on Inc.com.