“If IT does something that they shouldn’t, then the general employee thinks, I’m going to find a way to get around the monitoring because we can’t even trust the people in IT,” says David Zweig, an associate professor of organizational behavior at the University of Toronto at Scarborough. “It’s a cycle of increasing deviance, which, unfortunately, could create more monitoring.”

At Network Services Company (NSC), a distributor in the paper and janitorial supply industry, CIO Paul Roche asserted control over how and when his IT department can access employee systems and, working with HR and legal, he has developed a policy for dealing with suspected employee infractions. For example, the IT policy states that IT personnel can’t start snooping around employees’ PCs without prior HR approval. “Employees know we’re not going to look the other way,” says Roche.

Any CIO’s mettle—no matter how rock-solid his policy or relationships—will be tested when one of his own crosses the line and breaks the trust between users and the IT department. “The expectation has to be that if you’re going to give someone authority, at some point it will be misused,” says Khalid Kark, a senior security analyst at Forrester Research. “And who will guard the guards?”

Bad Guys and Do-Gooders
Despite Riel’s assertion that Morgan Stanley had no policy for which systems and e-mail accounts he could access, Morgan Stanley says Riel was never authorized to do what he did. (No one from Morgan Stanley’s IT department was made available for this article.)

Morgan Stanley isn’t alone in having to deal publicly with renegade IT employees. Wal-Mart disclosed last March that over a four-month period one of its systems technicians, Bruce Gabbard, had monitored and recorded telephone conversations between Wal-Mart public relations staffers and a New York Times reporter. “These recordings were not authorized by the company and were in direct violation of the established operational policy that forbids such activity without prior written approval from the legal department,” Wal-Mart said in a statement. In addition, Wal-Mart revealed that Gabbard had “intercepted text messages and pages, including communications that did not involve Wal-Mart associates,” which the company maintains “is not authorized by company policies under any circumstances.” Gabbard, who was fired, claimed in an April Wall Street Journal article that his “spying activities were sanctioned by superiors.” Wal-Mart says that it has removed the recording equipment and related hardware from the system. “Any future use of this equipment will be under the direct supervision of the legal department,” Wal-Mart stated.