Boss wants me to falsify a report. How should I document this unethical demand?
I work in IT, and my manager is trying to get my coworker and me to submit a falsified security scan to a client of ours. Basically, he wants us to submit a security scan modified to exclude vulnerabilities that were discovered during the scan. This is part of a larger project that we are working on for the client.
My manager reports directly to the company CEO, and the CEO himself is pressuring my manager to get this project done no matter what. The CEO doesn't care if corners are cut or if anything unethical is being done.
For me, the issue is very simple. I will not do what my manager is asking as I find it to be highly unethical. Because this is part of a larger project, I have been working on other things in an attempt to give myself some time to figure out what to do. I am also trying to figure out how to best document what my manager is trying to get me to do, which brings me to my question.
So far, everything that manager has asked me to do related to this has been spoken verbally. I have made several failed attempts to get him to put anything in writing. Yesterday, I asked him in writing what he wanted done with the security scans and he wrote back to me, "we already discussed this, you know what to do."
Because I will be putting my job on the line when I eventually have to tell my manager "no", I want to at least be able to document what my manger has asked me to do. I don't currently have any way to prove that he has even asked that I do something unethical. Is there a better approach that I can take? I am more concerned for my professional reputation than my job.
ethics documentation california
2
Are you supposed to provide it to him to pass along or do you send it directly to the client?
– John Spiegel
May 23 at 16:06
12
Regardless of what you end up telling your boss, I hope you have started to look for a new job. The client would probably look very highly on the fact that you are unwilling to cheat them.
– David K
May 23 at 16:12
46
@it-guy You might find this page useful: California Whistleblower Protection Laws
– David K
May 23 at 16:24
2
OP, this question is very similar to what you are facing, I think the answers there may also be helpful to you. workplace.stackexchange.com/questions/105378/…
– Anthony
May 23 at 19:58
1
Do you know the motivation for the false report? I ask because if this is as innocuous as ignorance to usual InfoSec policies, as a few have mentioned, education on this possibly being more a matter of having remediation plans vs. being perfect may go a long way.
– John Spiegel
May 23 at 21:15
asked May 23 at 15:38 by it-guy; edited May 25 at 15:25 by terdon
11 Answers
He probably does not want to put the request in writing because he knows that can get subpoenaed later. I think there are two steps for you to take:
- Document what you have been asked to do. Write down the dates of these directives and these conversations to the best of your memory. You should also back up the email exchanges in which this request has been alluded to, even vaguely. Written-down accounts are not 100% bulletproof evidence, but they hold more sway than if you are just trying to remember it later.
- Inform your boss that you find what he is asking you to do to be unethical and you are unwilling to change the report or sign off on someone else changing the report (or whatever the case may be).
I feel for you being put into this situation, but you are doing the right thing in sticking by your ethics.
131
Perhaps send a confirmatory email back to the boss. "Re: Our discussion yesterday; you want me to X. Y. Z. Please confirm I have understood correctly?"
– Stewart
May 23 at 20:52
17
@it-guy Yes they help, even if they get no response - generally they will create logs, particularly time-stamped/etc. and are hard (but not impossible) to fake (would likely require the e-mail service owner to get involved) - plus they are easy to forward on to whomever when it gets escalated (boss's boss, lawyer, etc.) - and if the files are mysteriously purged, that doesn't look well either
– user2813274
May 24 at 0:10
10
@it-guy: Your manager not responding is not enough to hold up in court by itself to prove the manager's guilt, but the absence of any mails stating "I never told you that" can be enough to ask the manager why they never responded (and if they claim they did, to prove that they did so). Even if that's not enough to convict the manager, it should be enough to not convict you of wrongdoing (note: I AM NOT A LAWYER)
– Flater
May 24 at 10:31
29
Not just for sticking to your ethics: OP's boss is setting him/her up as the sacrificial lamb if it goes south.
– Jared Smith
May 24 at 11:44
6
@R.Schmitz: There is a matter of overdoing that though. I agree with what you say and it is the best CYA approach (which does seem fitting for OP's particularly unethical situation) but I just want to add that it shouldn't be blindly applied to just any casual "maybe I'll need to cover my ass someday, who knows?" situation as it will create friction between you and the manager.
– Flater
May 24 at 11:47
I am not a lawyer, but this seems to go beyond the ethical realm into a legal one.
"I work in IT, and my manager is trying to get my coworker and I to submit a falsified security scan to a client of ours."
This sounds like fraud.
Contact a lawyer immediately to determine how best you can protect yourself, and to find out if you have done anything that makes you potentially liable.
A lawyer may tell you to resign immediately.
Documentation is fine, but do not make personal copies of client or company information, such as taking pictures on your phone, saving company email threads, or sending documents to a personal email account. If you have already done so, delete those immediately.
If your employer ends up getting found out (which I certainly hope is the case), your employer could retaliate by filing a lawsuit or criminal complaint against you (no matter how frivolous) based on your handling of company data.
4
A lawyer might not advise you to do the ethical thing. If it's safer legally for OP to ignore what's happening and leave, then that still leaves his employer's customers highly vulnerable to whatever the vulnerabilities allow.
– forest
May 24 at 4:03
15
@forest my assumption is that a lawyer would be able to advise on how to safely be a whistleblower if that is what the OP wishes to do.
– mcknz
May 24 at 4:22
1
@mcknz the lawyer will advise the client to cover his assets and stay in the legal white or light-gray area, damned be ethics.
– Mindwin
May 24 at 13:00
7
@Mindwin: A lawyer can't generally advise a client to break the law, but if there's any legal way to accomplish the OP's goals -- including ethics-related goals -- the lawyer can advise him how to do so. Lawyers don't just say "One legal option is X. Now that I've told you about X, I don't have to give you advice about any other options."
– ruakh
May 24 at 17:55
6
@Mindwin I mean, there's a very very high likelihood that the ethical action and the legal action in this context line up. Ethically, lying about security vulnerabilities is bad. Legally, lying about security vulnerabilities (that your company was presumably contracted to help with, otherwise why are you doing a report on it?) is probably fraud.
– Delioth
May 24 at 19:24
"So far, everything that manager has asked me to do related to this has been spoken verbally. I have made several failed attempts to get him to put anything in writing."
You don't make him put anything in writing. You put it in writing for him.
To: My Boss
Subject: Work order
Hi Boss,
As discussed, I put [unethical feature] you approached me about
yesterday on the backlog. I still have some questions on the legal
side of things and would be happy if we could talk through those
before we start working on it.
Best, it-guy
You might then have a meeting where he tells you to go ahead with [unethical feature], not to worry about the legal side, and instructs you to no longer write emails summarizing your conversations. You will forget the part about not writing emails and send something like this:
To: My Boss
Subject: Work order, follow up
Hi Boss,
Just summarizing the discussion from 2 pm: You already checked with the legal side and the proper way to go about this is that I need to do [unethical thing] and [unethical thing]. I will probably have it ready by tomorrow afternoon.
Best, it-guy
If he's ambiguous, you remove the ambiguity in the summary, which makes it his responsibility to clarify if you misunderstood.
Do not forget to print out the emails and take them home (or just snap the screen with your phone), because companies who are willing to break the law are occasionally willing to "lose" emails.
I can speak to part of this from my experience as an infosec coordinator at a SaaS business. (I can't speak to all of it, because my employer has a culture of compliance; our executives would never play this game.)
In most cases these requests come from a part of the customer's business who are simply checking boxes before signing off on new vendors. On cynical days I think they just weigh these reports, or wordcount them.
It's sometimes possible to submit a truthful scan to a customer if you include an explanation and a remediation plan. Many customers will accept that, and it will boost your credibility: corporate infosec people like transparency. (They will follow up to make sure you remediated the situation, however.)
It's perfectly reasonable to send just a summary of a scan to a customer; the details of your systems and vulnerabilities are actually nobody's business but yours, and disclosing them increases your attack surface.
I suppose it's possible to submit a fake scan to a customer to get the business. But you'd be wise to prepare a remediation plan and ask your boss to agree to implementing it if you do that.
If you do send a fake scan, and then some cybercreep successfully attacks you, what could happen? Unless you are in health care, I suppose the worst-case scenario is Equifax: disastrous publicity for your customer and you. Or your owner could send your CTO onto Fox News to lie about it, like they did when Panera had a breach. But it probably won't be that bad.
If you are a health-care HIPAA associated business entity and you have patient data, and it leaks, and somebody was negligent, that is a crime that pierces the corporate veil, meaning individuals can be criminally liable and can't hide behind an LLC. In that case you'd be wise to refuse to sign off.
Look, it's a pain in the ...neck to work for a company that doesn't have a culture of compliance. You know that. But, it's possible to use this as an excuse to start pushing for change in your company. My suggestion number 4 might be a way to get that going.
The right question for you, and for your executives, is "how can we make our customers' data safer?" Compromising about this just might get you further along that path. Just something to think about.
If you do compromise, I suggest you write a "memo to file" describing the situation, and the instructions given to you, and your actions. Print it out and take it home. It's just for you, not for your executives or colleagues. It will help you remember exactly who said what and when if you have to describe this incident a few years from now.
1
+1 for mentioning a compromise solution. I like how it's not directly confrontational but at the same time can be used for future action. As an InfoSec professional myself, I know full well sometimes the best solution may not be the ideal
– Anthony
May 23 at 19:55
2
The remediation plan for committing fraud might be to make sure you have enough to post bail.
– mcknz
May 23 at 20:11
3
In reality, attacking people—playing the unethical card—is not a very effective way of getting them to change. And anybody who reads the news can see that getting people to change is really hard, and really urgent.
– O. Jones
May 24 at 0:30
2
The worst that can happen? Remember that engineer that just went to jail for several years for faking test results for stuff that was going into space?
– Loren Pechtel
May 24 at 13:57
1
Re: I wouldn't exactly call Equifax publicity "disastrous". They're still perfectly in business and their actual customers don't really seem to care. It was definitely bad publicity, but it wasn't really a disaster if the company responsible is still flourishing 2 years later.
– Delioth
May 24 at 19:27
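As an added example (not code from the answer above or from the original post), this is what "a truthful scan plus an explanation and a remediation plan" can look like when produced by a script: the client receives honest totals and dated fixes rather than host-level detail, and a fingerprint of the unmodified scan lets anyone later confirm the summary was not built from a result set with findings removed. The scan data, hostnames, finding IDs and per-severity remediation windows are constructed assumptions.

```python
import hashlib
import json
from collections import Counter
from datetime import date, timedelta

# Constructed sample scan output: hostnames and finding IDs are hypothetical.
SCAN_RESULTS = {
    "scan_date": "2019-05-22",
    "findings": [
        {"id": "F-001", "host": "app01.example.internal", "severity": "high",
         "title": "Outdated TLS configuration"},
        {"id": "F-002", "host": "app01.example.internal", "severity": "medium",
         "title": "Missing security headers"},
        {"id": "F-003", "host": "db01.example.internal", "severity": "critical",
         "title": "Database reachable from application subnet without authentication"},
        {"id": "F-004", "host": "app02.example.internal", "severity": "low",
         "title": "Verbose server banner"},
    ],
}

# Remediation windows in days per severity: an assumption for this example,
# not a published standard.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def report_fingerprint(scan):
    """SHA-256 over the canonical JSON of the full, unmodified scan, so the
    summary handed to the client can later be tied back to it."""
    canonical = json.dumps(scan, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def severity_counts(scan):
    """Number of findings per severity, always listing every level."""
    counts = Counter(f["severity"] for f in scan["findings"])
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def remediation_plan(scan, start_iso):
    """One dated line item per finding, most severe first. Hostnames are
    deliberately left out: the client needs the commitment, not the topology."""
    start = date.fromisoformat(start_iso)
    ordered = sorted(scan["findings"],
                     key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return [
        {
            "id": f["id"],
            "severity": f["severity"],
            "title": f["title"],
            "due": (start + timedelta(days=SLA_DAYS[f["severity"]])).isoformat(),
            "status": "open",
        }
        for f in ordered
    ]


def client_summary(scan, start_iso):
    """The document a client actually needs: honest totals, a plan with
    dates, and a fingerprint of the source data. No finding is dropped."""
    counts = severity_counts(scan)
    return {
        "scan_date": scan["scan_date"],
        "total_findings": sum(counts.values()),
        "by_severity": counts,
        "remediation_plan": remediation_plan(scan, start_iso),
        "source_fingerprint": report_fingerprint(scan),
    }


def verify_summary(summary, full_scan):
    """Check a summary against the full scan it claims to describe: totals,
    per-severity counts and fingerprint must all match. A summary produced
    from a scan with findings removed fails this check."""
    return (
        summary["source_fingerprint"] == report_fingerprint(full_scan)
        and summary["total_findings"] == len(full_scan["findings"])
        and summary["by_severity"] == severity_counts(full_scan)
    )


if __name__ == "__main__":
    summary = client_summary(SCAN_RESULTS, "2019-05-23")
    print(json.dumps(summary, indent=2))
    print("consistent with full scan:", verify_summary(summary, SCAN_RESULTS))
```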
I, unfortunately, have been in this situation a few times in my career.
First, you cannot continue working for this person, start looking for another job.
Second, I suggest you do what another suggested. Write it all in an email and ask for a yes/no confirmation. In that email, I would point out in the email that what you understand him requiring you to do is unethical and possibly illegal. "Confirm with Yes or No, or I will not do this unethical and possibly illegal thing." I have requested a signed document or digitally signed email before, and they always refuse.
One time, I was asked to sign off something as passing vulnerability tests and I would not, because they wouldn't even allow me to have the scan run. The feces hit the air movement device later. I was contacted by a Colonel in the Inspector General's office about 6 months later asking for a written deposition, because I could not produce copies of the emails (I could not take them with me). Lots of firings, but I was already gone. By then I was on the other side of the world.
Dan and dbeer covered much of my first thoughts. Copy what pieces you can and manually log the rest. Some of this is risky, but I'm focused on your assertion you are willing to lose this job over this (and I applaud you for it).
You could also respond back to his noncommittal email with copies of the original result and a doctored draft with "DRAFT" watermarks and bcc a personal email.
"Per our discussion, here are the original and a draft of the scans with the redacted results." Assuming he verbally tells you that is what he wants and to send it (and maybe to stop emailing proof), at that point you are somewhat cornered into telling him you cannot comply with sending falsified scan results. If you want to salvage the relationship, a discussion around remediation plans might be in order. Most audits I've been involved in are more interested in truth followed by a plan to improve risks. But that may not hold here.
He may check email logs and know what you're up to. If so, he should also know you have documented his malfeasance. Hopefully that would give him pause before threatening to ruin you. He might do something like threatening you with some sort of NDA by sending yourself that email. Remember that's a desperation move. The only way he can prove it is by providing evidence that he's trying to defraud a client.
Emails are great so long as they aren't hosted by the company. It's common a company will take over your email upon departure (or firing) so the OP's boss could easily log in and delete the email. So it's a good idea to export everything, at least once a week to make sure you're at least covered especially when someone is telling you to do something unethical. Nothing is stopping them from continuing their unethical behavior and gain access to your email and deleting the appropriate items or even faking communications.
– Dan
May 23 at 17:40
1
Also if you aren't already it might be a good idea to digitally sign your emails. That is 100% proof you sent it and something that can't be replicated by a bad actor unless they compromised everything you have.
– Dan
May 23 at 17:42
3
Emailing info might protect the OP, but I would not send any company or client data to a personal email. This could violate an NDA or similar agreement. If you have a gmail account, for instance, the OP would essentially be hosting proprietary information via a third party.
– mcknz
May 23 at 17:49
@mcknz That's definitely a consideration. IANAL, but personally, I'd be willing to pit that risk against willful fraud.
– John Spiegel
May 23 at 18:53
1
I would write explicitly in the email that you are opposed to this, as it is illegal. Also advise your boss explicitly not to remove the "draft" watermark and use the fraudulent report. And print out a copy of the email and the document, storing it somewhere that they won't readily find it.
– axsvl77
May 24 at 11:50
In the high tech company I work for, we have a role in the organization called an Ombudsman. It's their independent duty to offer advice and guidance in ethical/legal issues like this. In our company it can be completely anonymous if needed. If your company has such a role, I would suggest contacting them for guidance, as that is their job and duty.
Useless advice for a manager that reports directly to the CEO, who is applying the original pressure. Read the question
– George M
May 24 at 23:10
4
The job of any employee, whether that be HR or an Ombudsman, is first and foremost to protect their employer. Unless this Ombudsman is an independent third party (maybe paid by the government or the union), they will probably not be helpful. Do not, under any circumstance, ever assume that someone employed by the same employer as you will put your interests over your employer's. There are certain, legally defined, specific roles that have certain protections (e.g. a GDPR Data Protection Officer cannot be fired for doing his job), but that still doesn't mean that they are independent.
– Jörg W Mittag
May 25 at 10:31
1
It is not in the company's interests. If the Ombudsman is acting on behalf of the board then he will shut this sordid mess down.
– user2617804
May 26 at 9:59
What worked for me in the past: make a report which describes what you actually did, including passages about what you should do/plan to do, but mark these explicitly as "not yet done"; send it to your boss and tell him to redact it as he sees fit, sign it off and send it to the customer.
A lot of people suddenly become much more careful if it's their signature and not their subordinate's signature (in my case it was about an order to their "favorite supplier" instead of the cheapest one).
If your boss still wants to do this, then run from that company and depending on the severity of the situation pass the knowledge to appropriate institutions (-> legal question, talk to a lawyer).
My thought is, if you have the original scans and the modified scans, then simply burn the actual scans to a CD and drop it in the mail to the company. Include an encrypted text file with a code phrase that identifies it to you. If you ever need to go on the stand, so to speak, you can describe what is in that encrypted text file so you'll have standing. It's also great if your boss throws you under the bus in front of the company, and you can say you included an encrypted file with a code phrase only you'd know. I think that is the best approach in terms of insurance. Otherwise I think your boss and his bosses can make up whatever they like and you have virtually no proof, especially if they told you verbally.
4
I am not a lawyer. I agree with the spirit of this answer, but I think the OP could potentially get in trouble for unauthorized release of company information, even if it's for a good cause. Better to get legal advice.
– mcknz
May 23 at 17:04
1
Good point about release of information, but that is information that is supposed to go to the client; whether it should go prior to being "doctored" or not is a different question...
– Solar Mike
May 23 at 17:13
@SolarMike I would assume that to be the case, and that the OP would hopefully be protected because of that fact, but the law is weird and not always fair.
– mcknz
May 23 at 17:22
1
@mcknz oh yes, "a man is innocent until proven broke"...
– Solar Mike
May 23 at 17:24
And when the client calls his company to tell them about the CD, and OP is known to have refused to fake a security scan, (there can't be that many vendors, and can't be that many people doing a security scan... that's specific work) then OP gets to decide if it was worth it.
– J. Chris Compton
May 24 at 14:02
I think that there is another option here that people may not like but that is being ignored. It revolves around the idea of who is the person who is committing fraud and how. If your desire is to continue to work at the company but avoid doing anything that could implicate you, then I would recommend the following.
Create the version of the report your boss asked for, then send it to him with the original attached and say the following.
I have created the report (with omitted answers) that you asked me to
prepare for company. You will find it and the original report
attached to this email for comparison. I want you to know that I have
prepared the report in the hope that you will use it for internal
purposes only. I truly believe that the decision to share the edited
version of this document with company puts our company in a very
dangerous position, as some of the issues in the original document are
real issues that might be exploited. In this light I urge you to use
the original.
I would then BCC the email to a personal email account as well as print out the full email (the raw email from your sent folder with all of the headers). If your boss replies and tells you to send the email to company, that is the point where you say
For my own personal liability concerns I cannot in good conscience be the person to email this to company, and I hope that's not a problem for you
I would say that this does a couple of different things:
a) Independent of fraud or the situation, your boss gave you a work task to create a report, and this may be a situation where you could get fired for not doing it. Creating the document and calling out that it was requested makes it clear you are willing to complete tasks from your manager.
(I truly understand that people won't agree with this, but I see it as walking up to an ethical line without crossing it.)
b) Providing the report in an email to your manager together with the original makes it very clear that the document should be considered for internal purposes. If your manager decides to use that document, it is your manager who has committed fraud, not you. (I will address what to do if he actually sends it later.)
c) Submitting this to your manager gives them a written chance to do the right thing. Your manager might change their mind... hopefully.
d) BCC'ing, printing and saving the email provides you with important physical evidence that might be necessary if you experience negative repercussions from this action.
Finally, I would argue that making the report isn't the difficult ethical question. I would say that
what is your responsibility if you know for certain that your
manager/the company has sent the document, thereby committing fraud?
is a very complex question. I could make several recommendations in that vein, but the one thing that you absolutely should do is:
If your boss uses the edited report and, as a direct or indirect result, your company gains or otherwise continues contracts with the other company, don't post on Stack Exchange; spend a couple hundred dollars and get advice from a labor attorney (that will be advice that has malpractice insurance).
For me, there are two alternatives:
Do it, but protect yourself
Keep a document with the actions you've taken, with a date of creation / modification younger than the mail you'll send to the client with excluded vulnerabilities. In this document, put from memory your discussions with your manager, the excluded vulnerabilities, and a link to the real report.
Then take the actions you were told to, and send the mail with the edited report to your manager, warning him about the vulnerabilities (or find another mail you already sent talking about it).
If this is found out by the client, you will be protected (and even if they ask you why you did this unethical thing consciously, you could say that you were pressured to).
Find a new job and get out ASAP
This is a toxic environment and/or a toxic management you have here. Try to get out without burning bridges and find another job before that. Buy as much time as you can without having to edit the report, so you can leave before having to do it.
1
"send the mail with the edited report to your manager" - This gives me a good idea: Although the manager refuses to respond in writing, you could still document what's happening by sending the un-edited report to the manager, commenting on the vulnerabilities, mentioning that this is the report that should be sent. This way you document that you and your manager were aware of the issues and have some evidence that you did address them properly. If still only the edited report gets to the client, the fact that this happened despite your documented concerns should get you out of, and the manager into, focus.
– JimmyB
May 24 at 12:22
8
Falsifying the report should in no way be an option here and I don't see how any decent professional would even consider it. Just look at what happened to those developers in the BMW emissions scandal.
– ayrton clark
May 24 at 13:31
@ayrtonclark I agree, but in some cases you can't really choose. I'm not in this person's shoes: if he is in a situation where he can't handle losing his job, the only choice left is to follow the instructions, covering himself as much as he can
– S. Miranda
May 24 at 13:37
11 Answers
He probably does not want to put the request in writing because he knows that can get subpoenaed later. I think there are two steps for you to take:
- Document what you have been asked to do. Write down the dates of these directives and these conversations to the best of your memory. You should also back up the email exchanges in which this request has been alluded to, even vaguely. Written-down accounts are not 100% bulletproof evidence, but they hold more sway than if you are just trying to remember it later.
- Inform your boss that you find what he is asking you to do to be unethical and you are unwilling to change the report or sign off on someone else changing the report (or whatever the case may be).
I feel for you being put into this situation, but you are doing the right thing in sticking by your ethics.
131
Perhaps send a confirmatory email back to the boss.
Re: Our discussion yesterday; you want me to X. Y. Z. Please confirm I have understood correctly?
– Stewart
May 23 at 20:52
17
@it-guy Yes they help, even if they get no response - generally they will create logs, particularly time-stamped/etc., and are hard (but not impossible) to fake (would likely require the e-mail service owner to get involved) - plus they are easy to forward on to whomever when it gets escalated (boss's boss, lawyer, etc.) - and if the files are mysteriously purged, that doesn't look good either
– user2813274
May 24 at 0:10
10
@it-guy: Your manager not responding is not enough to hold up in court by itself to prove the manager's guilt, but the absence of any mails stating "I never told you that" can be enough to ask the manager why they never responded (and if they claim they did, to prove that they did so). Even if that's not enough to convict the manager, it should be enough to not convict you of wrongdoing (note: I AM NOT A LAWYER)
– Flater
May 24 at 10:31
29
Not just for sticking to your ethics: OP's boss is setting him/her up as the sacrificial lamb if it goes south.
– Jared Smith
May 24 at 11:44
6
@R.Schmitz: There is a matter of overdoing that though. I agree with what you say and it is the best CYA approach (which does seem fitting for OP's particularly unethical situation) but I just want to add that it shouldn't be blindly applied to just any casual "maybe I'll need to cover my ass someday, who knows?" situation as it will create friction between you and the manager.
– Flater
May 24 at 11:47
answered May 23 at 15:51
dbeer
131
Perhaps send a confirmatory email back to the boss.
Re: Our discussion yesterday; you want me to X. Y. Z. Please confirm I have understood correctly?
– Stewart
May 23 at 20:52
17
@it-guy Yes they help, even if they get no response - generally they will create logs, particularly time-stamped/etc., and are hard (but not impossible) to fake (would likely require the e-mail service owner to get involved) - plus they are easy to forward on to whomever when it gets escalated (boss's boss, lawyer, etc.) - and if the files are mysteriously purged, that doesn't look good either
– user2813274
May 24 at 0:10
10
@it-guy: Your manager not responding is not enough to hold up in court by itself to prove the manager's guilt, but the absence of any mails stating "I never told you that" can be enough to ask the manager why they never responded (and if they claim they did, to prove that they did so). Even if that's not enough to convict the manager, it should be enough to not convict you of wrongdoing (note: I AM NOT A LAWYER)
– Flater
May 24 at 10:31
29
Not just for sticking to your ethics: OP's boss is setting him/her up as the sacrificial lamb if it goes south.
– Jared Smith
May 24 at 11:44
6
@R.Schmitz: There is a matter of overdoing that though. I agree with what you say and it is the best CYA approach (which does seem fitting for OP's particularly unethical situation) but I just want to add that it shouldn't be blindly applied to just any casual "maybe I'll need to cover my ass someday, who knows?" situation as it will create friction between you and the manager.
– Flater
May 24 at 11:47
I am not a lawyer, but this seems to go beyond the ethical realm into a legal one.
I work in IT, and my manager is trying to get my coworker and I to submit a falsified
security scan to a client of ours.
This sounds like fraud.
Contact a lawyer immediately to determine how best you can protect yourself, and to find out if you have done anything that makes you potentially liable.
A lawyer may tell you to resign immediately.
Documentation is fine, but do not make personal copies of client or company information, such as taking pictures on your phone, saving company email threads, or sending documents to a personal email account. If you have already done so, delete those immediately.
If your employer ends up getting found out (which I certainly hope is the case), your employer could retaliate by filing a lawsuit or criminal complaint against you (no matter how frivolous) based on your handling of company data.
answered May 23 at 17:57
mcknz
4
A lawyer might not advise you to do the ethical thing. If it's safer legally for OP to ignore what's happening and leave, then that still leaves his employer's customers highly vulnerable to whatever the vulnerabilities allow.
– forest
May 24 at 4:03
15
@forest my assumption is that a lawyer would be able to advise on how to safely be a whistleblower if that is what the OP wishes to do.
– mcknz
May 24 at 4:22
1
@mcknz the lawyer will advise the client to cover his assets and stay in the legal white or light-gray area, damned be ethics.
– Mindwin
May 24 at 13:00
7
@Mindwin: A lawyer can't generally advise a client to break the law, but if there's any legal way to accomplish the OP's goals -- including ethics-related goals -- the lawyer can advise him how to do so. Lawyers don't just say "One legal option is X. Now that I've told you about X, I don't have to give you advice about any other options."
– ruakh
May 24 at 17:55
6
@Mindwin I mean, there's a very, very high likelihood that the ethical action and the legal action in this context line up. Ethically, lying about security vulnerabilities is bad. Legally, lying about security vulnerabilities (that your company was presumably contracted to help with, otherwise why are you doing a report on it?) is probably fraud.
– Delioth
May 24 at 19:24
So far, everything that manager has asked me to do related to this has
been spoken verbally. I have made several failed attempts to get him
to put anything in writing.
You don't make him put anything in writing. You put it in writing for him.
To: My Boss
Subject: Work order
Hi Boss,
As discussed, I put [unethical feature] you approached me about
yesterday on the backlog. I still have some questions on the legal
side of things and would be happy if we could talk through those
before we start working on it.
Best, it-guy
You might then have a meeting where he tells you to go ahead with [unethical feature], not to worry about the legal side, and instructs you to no longer write emails summarizing your conversations. You will forget the part about not writing emails and send something like this:
To: My Boss
Subject: Work order, follow up
Hi Boss,
Just summarizing the discussion from 2 pm: You already checked with the legal side and the proper way to go about this is that I need to do [unethical thing] and [unethical thing]. I will probably have it ready by tomorrow afternoon.
Best, it-guy
If he's ambiguous, you remove the ambiguity in the summary, which makes it his responsibility to clarify if you misunderstood.
Do not forget to print out the emails and take them home (or just snap the screen with your phone), because companies who are willing to break the law are occasionally willing to "lose" emails.
edited May 27 at 13:03
answered May 24 at 14:02
Peter
I can speak to part of this from my experience as an infosec coordinator at a SaaS business. (I can't speak to all of it, because my employer has a culture of compliance; our executives would never play this game.)
1. In most cases these requests come from a part of the customer's business who are simply checking boxes before signing off on new vendors. On cynical days I think they just weigh these reports, or wordcount them.
2. It's sometimes possible to submit a truthful scan to a customer if you include an explanation and a remediation plan. Many customers will accept that, and it will boost your credibility: corporate infosec people like transparency. (They will follow up to make sure you remediated the situation, however.)
3. It's perfectly reasonable to send just a summary of a scan to a customer; the details of your systems and vulnerabilities are actually nobody's business but yours, and disclosing them increases your attack surface.
4. I suppose it's possible to submit a fake scan to a customer to get the business. But you'd be wise to prepare a remediation plan and ask your boss to agree to implementing it if you do that.
5. If you do send a fake scan, and then some cybercreep successfully attacks you, what could happen? Unless you are in health care, I suppose the worst-case scenario is Equifax: disastrous publicity for your customer and you. Or your owner could send your CTO onto Fox News to lie about it, like they did when Panera had a breach. But it probably won't be that bad.
6. If you are a health-care HIPAA associated business entity and you have patient data, and it leaks, and somebody was negligent, that is a crime that pierces the corporate veil, meaning individuals can be criminally liable and can't hide behind an LLC. In that case you'd be wise to refuse to sign off.
Look, it's a pain in the ...neck to work for a company that doesn't have a culture of compliance. You know that. But, it's possible to use this as an excuse to start pushing for change in your company. My suggestion number 4 might be a way to get that going.
The right question for you, and for your executives, is "how can we make our customers' data safer?" Compromising about this just might get you further along that path. Just something to think about.
If you do compromise, I suggest you write a "memo to file" describing the situation, and the instructions given to you, and your actions. Print it out and take it home. It's just for you, not for your executives or colleagues. It will help you remember exactly who said what and when if you have to describe this incident a few years from now.
1
+1 for mentioning a compromise solution. I like how it's not directly confrontational but at the same time can be used for future action. As an InfoSec professional myself, I know full well that sometimes the best solution may not be the ideal one.
– Anthony
May 23 at 19:55
2
The remediation plan for committing fraud might be to make sure you have enough to post bail.
– mcknz
May 23 at 20:11
3
In reality, attacking people—playing the unethical card—is not a very effective way of getting them to change. And anybody who reads the news can see that getting people to change is really hard, and really urgent.
– O. Jones
May 24 at 0:30
2
The worst that can happen? Remember that engineer that just went to jail for several years for faking test results for stuff that was going into space?
– Loren Pechtel
May 24 at 13:57
1
Re: I wouldn't exactly call Equifax publicity "disastrous". They're still perfectly in business and their actual customers don't really seem to care. It was definitely bad publicity, but it wasn't really a disaster if the company responsible is still flourishing 2 years later.
– Delioth
May 24 at 19:27
answered May 23 at 18:04
O. Jones
I, unfortunately, have been in this situation a few times in my career.
First, you cannot continue working for this person; start looking for another job.
Second, I suggest you do what another suggested: write it all in an email and ask for a yes/no confirmation. In that email, I would point out that what you understand him to be requiring you to do is unethical and possibly illegal. "Confirm with Yes or No, or I will not do this unethical and possibly illegal thing." I have requested a signed document or digitally signed email before, and they always refuse.
One time, I was asked to sign off something as passing vulnerability tests and I would not, because they wouldn't even allow me to have the scan run. The feces hit the air movement device later. I was contacted by a Colonel in the Inspector General's office about 6 months later asking for a written deposition, because I could not produce copies of the emails (I could not take them with me). Lots of firings, but I was already gone; by then I was on the other side of the world.
answered May 24 at 15:35
Michael Brininstool
Dan and dbeer covered much of my first thoughts. Copy what pieces you can and manually log the rest. Some of this is risky, but I'm focused on your assertion you are willing to lose this job over this (and I applaud you for it).
You could also respond back to his noncommittal email with copies of the original result and a doctored draft with "DRAFT" watermarks and bcc a personal email.
"Per our discussion, here are the original and a draft of the scans with the redacted results." Assuming he verbally tells you that is what he wants and to send it (and maybe to stop emailing proof), at that point you are somewhat cornered into telling him you cannot comply with sending falsified scan results. If you want to salvage the relationship, a discussion around remediation plans might be in order. Most audits I've been involved in are more interested in truth followed by a plan to improve risks. But that may not hold here.
He may check email logs and know what you're up to. If so, he should also know you have documented his malfeasance. Hopefully that would give him pause before threatening to ruin you. He might do something like threatening you with some sort of NDA by sending yourself that email. Remember that's a desperation move. The only way he can prove it is by providing evidence that he's trying to defraud a client.
Emails are great so long as they aren't hosted by the company. It's common that a company will take over your email upon departure (or firing), so the OP's boss could easily log in and delete the email. So it's a good idea to export everything, at least once a week, to make sure you're at least covered, especially when someone is telling you to do something unethical. Nothing is stopping them from continuing their unethical behavior by gaining access to your email and deleting the appropriate items or even faking communications.
– Dan
May 23 at 17:40
1
Also, if you aren't already, it might be a good idea to digitally sign your emails. That is 100% proof you sent it and something that can't be replicated by a bad actor unless they compromised everything you have.
– Dan
May 23 at 17:42
3
Emailing info might protect the OP, but I would not send any company or client data to a personal email. This could violate an NDA or similar agreement. If you have a gmail account, for instance, the OP would essentially be hosting proprietary information via a third party.
– mcknz
May 23 at 17:49
@mcknz That's definitely a consideration. IANAL, but personally, I'd be willing to pit that risk against willful fraud.
– John Spiegel
May 23 at 18:53
1
I would write explicitly in the email that you are opposed to this, as it is illegal. Also advise your boss explicitly not to remove the "draft" watermark and use the fraudulent report. And print out a copy of the email and the document, storing it somewhere that they won't readily find it.
– axsvl77
May 24 at 11:50
|
show 2 more comments
Dan and dbeer covered much of my first thoughts. Copy what pieces you can and manually log the rest. Some of this is risky, but I'm focused on your assertion you are willing to lose this job over this (and I applaud you for it).
You could also respond back to his noncommittal email with copies of the original result and a doctored draft with "DRAFT" watermarks and bcc a personal email.
"Per our discussion, here are the original and a draft of the scans with the redacted results." Assuming he verbally tells you that is what he wants and to send it (and maybe to stop emailing proof), at that point you are somewhat cornered into telling him you cannot comply with sending falsified scan results. If you want to salvage the relationship, a discussion around remediation plans might be in order. Most audits I've been involved in are more interested in truth followed by a plan to improve risks. But that may not hold here.
He may check email logs and know what you're up to. If so, he should also know you have documented his malfeasance. Hopefully that would give him pause before threatening to ruin you. He might do something like threatening you with some sort of NDA by sending yourself that email. Remember that's a desperation move. The only way he can prove it is by providing evidence that he's trying to defraud a client.
answered May 23 at 17:12
John Spiegel
Emails are great so long as they aren't hosted by the company. It's common that a company will take over your email upon departure (or firing), so the OP's boss could easily log in and delete the email. So it's a good idea to export everything, at least once a week, to make sure you're at least covered, especially when someone is telling you to do something unethical. Nothing is stopping them from continuing their unethical behavior and gaining access to your email and deleting the appropriate items, or even faking communications.
– Dan
May 23 at 17:40
1
Also if you aren't already it might be a good idea to digitally sign your emails. That is 100% proof you sent it and something that can't be replicated by a bad actor unless they compromised everything you have.
– Dan
May 23 at 17:42
3
Emailing info might protect the OP, but I would not send any company or client data to a personal email. This could violate an NDA or similar agreement. If you have a gmail account, for instance, the OP would essentially be hosting proprietary information via a third party.
– mcknz
May 23 at 17:49
@mcknz That's definitely a consideration. IANAL, but personally, I'd be willing to pit that risk against willful fraud.
– John Spiegel
May 23 at 18:53
1
I would write explicitly in the email that you are opposed to this, as it is illegal. Also advise your boss explicitly not to remove the "draft" watermark and use the fraudulent report. And print out a copy of the email and the document, storing it somewhere that they won't readily find it.
– axsvl77
May 24 at 11:50
In the high tech company I work for, we have a role in the organization called an Ombudsman. It's their independent duty to offer advice and guidance in ethical/legal issues like this. In our company it can be completely anonymous if needed. If your company has such a role, I would suggest contacting them for guidance, as that is their job and duty.
answered May 24 at 14:15
Milwrdfan
Useless advice for a manager that reports directly to the CEO, who is applying the original pressure. Read the question.
– George M
May 24 at 23:10
4
The job of any employee, whether that be HR or an Ombudsman, is first and foremost to protect their employer. Unless this Ombudsman is an independent third-party (maybe paid by the government or the union), they will probably not be helpful. Do not, under any circumstance, ever assume that someone employed by the same employer as you, will put your interests over your employer's. There are certain, legally-defined, specific roles that have certain protections (e.g. a GDPR Data Protection Officer cannot be fired for doing his job), but that still doesn't mean that they are independent.
– Jörg W Mittag
May 25 at 10:31
1
It is not in the company's interests. If the Ombudsman is acting on behalf of the board then he will shut this sordid mess down.
– user2617804
May 26 at 9:59
What worked for me in the past: Make a report which describes what you actually did, including passages about what you should do/plan to do, but mark these explicitly as "not yet done"; send it to your boss and tell him to redact it as he sees fit, sign it off and send it to the customer.
A lot of people suddenly become much more careful if it's their signature and not their subordinate's signature (in my case it was about an order to their "favorite supplier" instead of the cheapest one).
If your boss still wants to do this, then run from that company and depending on the severity of the situation pass the knowledge to appropriate institutions (-> legal question, talk to a lawyer).
answered May 26 at 9:39
Sascha
My thought is if you have the original scans and the modified scans, then simply burn the actual scans to a CD and drop it in the mail to the company. Include an encrypted text file with a code phrase that identifies it to you. If you ever need to go on the stand, so to speak, you can describe what is in that encrypted text file so you'll have a standing. It's also great if your boss throws you under the bus in front of the company, and you can say you included an encrypted file with a code phrase only you'd know. I think that is the best approach in terms of insurance. Otherwise I think your boss and his bosses can make up whatever they like and you have virtually no proof, especially if they told you verbally.
edited May 23 at 16:11
answered May 23 at 16:03
Dan
4
I am not a lawyer. I agree with the spirit of this answer, but I think the OP could potentially get in trouble for unauthorized release of company information, even if it's for a good cause. Better to get legal advice.
– mcknz
May 23 at 17:04
1
Good point about release of information, but that is information that is supposed to go to the client; whether it should go prior to being "doctored" or not is a different question...
– Solar Mike
May 23 at 17:13
@SolarMike I would assume that to be the case, and that the OP would hopefully be protected because of that fact, but the law is weird and not always fair.
– mcknz
May 23 at 17:22
1
@mcknz oh yes, "a man is innocent until proven broke"...
– Solar Mike
May 23 at 17:24
And when the client calls his company to tell them about the CD, and OP is known to have refused to fake a security scan, (there can't be that many vendors, and can't be that many people doing a security scan... that's specific work) then OP gets to decide if it was worth it.
– J. Chris Compton
May 24 at 14:02
I think that there is another option here that people may not like but that is being ignored. It revolves around the idea of who is the person who is committing fraud and how. If your desire is to continue to work at the company but avoid doing anything that could implicate you then I would recommend the following.
Create the version of the report your boss asked for, then send it to him with the original attached and say the following:
"I have created the report (with omitted answers) that you asked me to prepare for company; you will find it and the original report attached to this email for comparison. I want you to know that I have prepared the report in the hope that you will use it for internal purposes only. I truly believe that the decision to share the edited version of this document with company puts our company in a very dangerous position, as some of the issues in the original document are real issues that might be exploited. In this light I urge you to use the original."
I would then BCC the email to a personal email account as well as print out the full email (the raw email from your sent folder with all of the headers). If your boss replies and tells you to send the email to company, that is the point where you say:
"For my own personal liability concerns I cannot in good conscience be the person to email this to company, and I hope that's not a problem for you."
I would say that this does a couple of different things:
a) Independent of fraud or the situation, your boss gave you a work task to create a report, and this may be a situation where you could get fired for not doing it. Creating the document and calling out that it was requested makes it clear you are willing to complete tasks from your manager.
(I truly understand that people won't agree with this, but I see it as walking up to an ethical line without crossing it.)
b) By providing the report in an email to your manager with the original, it makes it very clear that the document should be considered for internal purposes. If your manager decides to use that document, it is your manager who has committed fraud, not you. (I will address what to do if he actually sends it later.)
c) Submitting this to your manager gives them a written chance to do the right thing. Your manager might change their mind... hopefully.
d) BCC'ing, printing and saving the email provides you with important physical evidence that might be necessary if you experience negative repercussions from this action.
Finally, I would argue that making the report isn't the difficult ethical question. I would say that "what is your responsibility if you know for certain that your manager/the company has sent the document, thereby committing fraud?" is a very complex question. I could make several recommendations in that vein, but the one that you absolutely should do is this:
If your boss uses the edited report and, as a direct or indirect result, your company gains or otherwise continues contracts with the other company, don't post on Stack Exchange; spend a couple hundred dollars and get advice from a labor attorney (that will be advice that has malpractice insurance).
answered May 27 at 22:59
Dataminion
806
For me, there are two alternatives:

Do it, but protect yourself

Keep a document with the actions you've taken, with a date of creation / modification younger than the mail you'll send to the client with excluded vulnerabilities. In this document, put from memory your discussions with your manager, the excluded vulnerabilities, and a link to the real report.

Then take the actions you were told to, and send the mail with the edited report to your manager, warning him about the vulnerabilities (or find another mail you already sent talking about it).

If this is found out by the client, you will be protected (and even if they ask you why you did this unethical thing consciously, you could say that you were pressured to).

Find a new job and get out ASAP

This is a toxic environment and/or toxic management you have here. Try to get out without burning bridges and find another job before that. Win as much time as you can without having to edit the report, so you can leave before having to do it.
edited May 25 at 15:25
Peter Mortensen
60857
answered May 24 at 12:13
S. Miranda
1114
1
"send the mail with the edited report to your manager" - This gives me a good idea: Although the manager refuses to respond in writing, you could still document what's happening by sending the un-edited report to the manager, commenting on the vulnerabilities, mentioning that this is the report that should be sent. This way you document that you and your manager were aware of the issues and have some evidence that you did address them properly. If still only the edited report gets to the client, the fact that this happened despite your documented concerns should get you out of and the manager into focus.
– JimmyB
May 24 at 12:22
8
Falsifying the report should in no way be an option here and I don't see how any decent professional would even consider it. Just look at what happened to those developers in the BMW emissions scandal.
– ayrton clark
May 24 at 13:31
@ayrtonclark I agree, but in some cases you can't really choose. I'm not in this person's shoes: if he is in a situation where he can't handle losing his job, the only choice left is to follow the instructions, covering himself as much as he can.
– S. Miranda
May 24 at 13:37
2
Are you supposed to provide it to him to pass along or do you send it directly to the client?
– John Spiegel
May 23 at 16:06
12
Regardless of what you end up telling your boss, I hope you have started to look for a new job. The client would probably look very highly on the fact that you are unwilling to cheat them.
– David K
May 23 at 16:12
46
@it-guy You might find this page useful: California Whistleblower Protection Laws
– David K
May 23 at 16:24
2
OP, this question is very similar to what you are facing, I think the answers there may also be helpful to you. workplace.stackexchange.com/questions/105378/…
– Anthony
May 23 at 19:58
1
Do you know the motivation for the false report? I ask because if this is as innocuous as ignorance to usual InfoSec policies, as a few have mentioned, education on this possibly being more a matter of having remediation plans vs. being perfect may go a long way.
– John Spiegel
May 23 at 21:15