Posts Tagged ‘law’

The Story Continues. Unfortunately.

May 3, 2012

This blog was never meant to be about my personal life. It was intended to give my views on technology and security issues, and how businesses within those sectors operate. However, events have conspired against me and it appears that what is foremost in my mind is not the Lumia 800 in my pocket, nor the iPad 3 I’m writing this on, but the much more complex subject of employment law.

At the end of my last post, I was just starting a week away from the office, on garden leave, before starting my new job. All was good, I was able to get some work done around the house (while making sure I kept myself available for work if called), and the sun even decided to shine. One week later, my final pay packet came through.

£600 short.

Taking advice from ACAS, I wrote to the directors reminding them that I was entitled to be paid up until the end of the month, and giving them a fortnight to react. With no response, I contacted ACAS again and took up their offer of their conciliation service, which attempts to resolve disputes through amicable means. Three weeks in, there has been no success (that I’m aware of at the time of writing), no payslips, no P45 and most importantly no payment.

In the past month, I’ve learnt a number of things about my former employer. Rather than admit to his own mistakes, my former colleagues were told that I was dismissed. And earlier today I had a phone call from a recruiter friend who’d come across my CV as it was a few months ago, and was calling me to ask if I’d gone out of my mind; I am far from the only former employee to have had a negative experience there, with tales including constantly late pay and all leave being cancelled at the last minute (including holidays booked and paid for months in advance).

I’ve also spent quite a bit of time reading up on employment law:

  • I left with 2.5 days leave outstanding, but due to the distribution of bank holidays in the UK I am entitled to the pay for 3.5; I was 3 months into a calendar year containing 8 holidays and, with only one having passed, I was entitled to be paid for one other.
  • A company must give notice if they require holidays to be taken as part of garden leave. Needless to say, this notice has not been given.
  • The concept of “unfair dismissal” does not exist until an employee has been working in a company for at least 2 years. In my case this does not apply as I had resigned, but even then notice periods still apply.
  • Even when an employee is dismissed for gross misconduct, they are still entitled to be paid for the outstanding leave. There are literally no circumstances where it is legal to withhold pay in this manner.

In summary: my former employer has no right, whatever they may have decided to believe about the circumstances of my departure, to withhold around £1,000 of owed pay. It’s not a route I ever wanted to take, but unless there is a significant development tomorrow I will be forced to take them to an employment tribunal.

Update: Despite having tried to get hold of the directors of my former employer multiple times over the past few weeks, ACAS have been unable to talk to anyone capable of resolving this situation amicably. Their own rules do not permit them to identify themselves (except to the people they are wanting to talk to) as being from ACAS, but if you are ever left a message by someone “needing to talk about an urgent HR matter” and “not a sales call”, it’s a fair bet there’s trouble ahead.

So, notice to restore full pay has been given and ignored. ACAS conciliation service has, through no fault of ACAS’s, failed. It’s now time to fill in ET1, and start the process officially. Wish me luck!

November 17, 2011

One of the nice things about being in a senior position within a small company is that, every so often, you come across a situation that happens so rarely that no documentation nor process exists, and it’s entirely your responsibility to work out from scratch what needs to be done.

Being the most experienced within the company on our infrastructure and security, it fell to me to write the procedure for ensuring that any individual leaving the company is locked out as securely as possible. As I write this, less than a day away from leaving my job at Acme, the person leaving the company – the person who needs to be locked out – is myself.

The standard technical parts are easy enough: change all admin passwords, change every single password in the Password Database (Yes, it will take a while. Yes, I did advise against it. No, I can’t help. Because then you’d have to tell me the new passwords!). But two major unknowns exist; one legal, one social.
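One way to check that the rotation described above is actually complete, as an added example that is not part of the original post: it reads an export of the password database and lists every entry last changed while the leaver still had access. The CSV columns, scope labels, entry names and the revocation time are all constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export of a password database (not from the original post).
# Assumed columns: entry name, scope, admin flag, last rotation time (UTC).
SAMPLE_EXPORT = """name,scope,is_admin,last_rotated
fw01-root,company,yes,2011-11-18T09:30:00+00:00
backup-svc,company,no,2011-06-02T14:00:00+00:00
client-a-webhost,hosted-for-client,yes,2011-11-17T08:00:00+00:00
client-a-cms,client,no,2011-11-19T10:15:00+00:00
client-b-vpn,client,yes,2010-12-01T12:00:00+00:00
"""

# Constructed cutoff: the moment the leaver's own access was revoked.
ACCESS_REVOKED = datetime.fromisoformat("2011-11-18T17:30:00+00:00")


def stale_credentials(export_text, access_revoked):
    """Return entries whose last rotation is not later than the revocation time."""
    stale = []
    for row in csv.DictReader(io.StringIO(export_text)):
        rotated = datetime.fromisoformat(row["last_rotated"])
        # A password changed while the leaver still had access may be known
        # to them, so only rotations after revocation count as done.
        if rotated <= access_revoked:
            stale.append({
                "name": row["name"],
                "scope": row["scope"],
                "is_admin": row["is_admin"].strip().lower() == "yes",
                "last_rotated": rotated,
            })
    # Admin credentials first, then oldest rotation first.
    stale.sort(key=lambda e: (not e["is_admin"], e["last_rotated"]))
    return stale


def stale_by_scope(stale):
    """Count outstanding rotations per scope (company, hosted, client)."""
    return dict(Counter(e["scope"] for e in stale))


if __name__ == "__main__":
    findings = stale_credentials(SAMPLE_EXPORT, ACCESS_REVOKED)
    for e in findings:
        flag = "ADMIN" if e["is_admin"] else "user "
        print(f"{flag} {e['scope']:<18} {e['name']:<18} {e['last_rotated']:%Y-%m-%d %H:%M}")
    print(stale_by_scope(findings))
```

Note that `fw01-root` is flagged even though it was changed on the departure day: the change predates the revocation time, so it has to be rotated again by someone else.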

Legal Lockdown

The legal part is relatively simple: make it clear to the soon-to-be-ex employee (STBEE) that they are no longer entitled to access the company’s systems by spelling out, in as much detail as required, that their access is revoked to:

  • Any company system
  • Any system run by the company on behalf of a client
  • Any system run by a client whose access has previously been a privileged right of the company

except for those rights granted to any other anonymous or generic individual; this allows, for example, a STBEE to visit a former client’s website, but not to use any security credentials on that site that may have been supplied as a part of their employment.

It may be advantageous to get the STBEE to sign a document agreeing to the above, just to ensure their understanding is complete.

Social Networking

The social part is where the rabbit hole opens, and specifically social engineering. A company can spend all its time locking an individual out, but there is always the risk (depending upon the nature of the departure) of the user contacting third parties claiming to be acting on behalf of the company.

  • How do you protect against an email being sent to your hosting provider, designed to match the style of your infrastructure manager but cancelling a client’s service?
  • How can you stop a rogue employee contacting the IT department of your biggest client and creating a new account that acts as their backdoor?

The only chance that a company has to counter this is to make sure that the other usage of social is taken into account: communication.

  • Ensure that all employees, clients and suppliers are aware that the individual is no longer an employee.
  • Ask that any supplier always confirm any out-of-the-ordinary request, either by email or phone.
  • Ensure that any change to any configuration or payment is fully understood.

It’s not perfect; time after time, social engineering has been shown to be one of the most dangerous types of hacking in existence and at the same time the most difficult to protect against. But through communication there is still at least a chance.