Feature

How to Monitor Workers' Use of IT Without Becoming Big Brother

CIOs asked to monitor employees' use of corporate IT are entering a difficult area for managers, as recent litigation shows. Here's how to do it right.

April 17, 2007 — CIO —

Arthur Riel says he was just doing his job.

When he was hired by Morgan Stanley in 2000 and put in charge of the $52 billion financial company’s e-mail archiving system, gaining access to its most sensitive corporate communications, the company was already involved in litigation that involved its e-mail retention policies. That suit would end in a landmark 2005 judgment against the bank, which awarded $1.57 billion in damages to financier Ronald Perelman. (In March 2007, Morgan Stanley won an appeal to Florida’s District Court of Appeal.)

It was part of Riel’s $500,000 a year job, he says, to make sure that would never happen again.

To do that, Riel had what he calls “carte blanche to go through e-mail.” What he says he discovered reading company e-mails throughout 2003 were what he construed as dubious business ethics, potential conflicts of interest and sexual banter within Morgan Stanley’s executive ranks that, he says, ran contrary to the bank’s code of conduct.

Based on his reading of executive e-mails, most notably CTO Guy Chiarello’s, Riel alleged that the e-mails showed the improper influence of Morgan Stanley’s Investment Banking division in how the IT department, with its multimillion-dollar budget, purchased technology products; the improper solicitation of tickets to New York Yankees–Boston Red Sox baseball games and other high-profile sporting events from vendors such as EMC; and the influencing, through one of Chiarello’s direct reports, of the outcome of Computerworld magazine’s Smithsonian Leadership Award process, of which Morgan Stanley was a sponsor. (Computerworld is a CIO sister publication.) “I reported what was basically a kickback scheme going on in IT,” Riel says.

E-mail exchanges that contained sexual banter and involved Riel’s boss, CIO Moira Kilcoyne, added to Riel’s conviction that something was wrong at the top. Believing, he says, that he was doing his duty, Riel claims to have sent hard copies of the offending e-mails to Stephen Crawford, Morgan Stanley’s then-CFO, on Jan. 15, 2004, anonymously via interoffice mail.

Riel’s superiors vigorously dispute his story.

First, according to a Morgan Stanley spokesperson, the company asserts that Riel was never authorized to monitor, read or disseminate other employees’ e-mails “as he saw fit.” Second, the spokesperson denies that a package of e-mails was either sent to or received by Crawford. And third, after conducting an internal investigation, the company maintains that it found no evidence warranting disciplinary action against anyone identified by Riel.

On Aug. 18, 2004, moments after Riel’s BlackBerry service was shut off, Kilcoyne, along with a vice president of HR, called Riel into her office. She told him that he was being placed on administrative leave with full pay. Morgan Stanley security searched his office and eventually found more than 350 e-mails on his PC, e-mails of which Riel was neither the writer nor the intended recipient.