13

I thought of this when reading the Meta case regarding negative testing.

Say a state has a law regarding data-retention of log files for banks.

A manager instructs an employee to wipe drive of logs. The employee is knowledgeable enough to know that this log, it is for data-retention, but they do not know any laws regarding how long data must be retained, or what needs to be retained (or deleted).

Could employees have charges filed against them for such type of actions? Has this already occurred?

What obligation does the employee need to know of laws if they have some knowledge, but not expert knowledge. e.g. "Sure boss, I will wipe that important drive. vs I do not think it is legal to wipe that important drive. vs I was informed by counsel that it is illegal to wipe that important drive."

How would an employee know that negative testing is illegal in New York? Where in the chain of obedience is the responsibility laid at(corporate officers)?

paulj
  • 1,572
  • 7
  • 17

3 Answers3

16

An employer doesn't have the authority to authorize its employees to violate the law. An employee who personally participates in a crime has both criminal and civil liability for the employee's actions.

Private sector employers have vicarious respondeat superior civil liability for the actions of their employees taken in the scope of their duties. In other words, anything that an employee of a private sector employer is liable for, the employer is also liable for.

Governmental employers do not have vicarious respondeat superior civil liability for the civil rights violations of the employees.

Direct civil as opposed to vicarious civil liability, and criminal liability for an employer (governmental or private) is generally limited to acts carried out by employees of the entity at the direction of senior management or pursuant to a policy, explicit or implicit, of the employer.

This said, it is the nature of large employers to break tasks into component parts spread over many employees in different parts of the employing entity. In some circumstances, an individual employee's role may be such that the employee lacks sufficient information about the overall course of action of the employer to know that their actions are part of an overall course of conduct by the employer that constitutes a crime or tort.

For example, to retreat to an old school example, suppose that there is an employee who sits in front of a shredding machine all day and feeds paper into and clears paper jams, etc. whose job is to shred whatever documents are put in a bin next to his work station. This guy, who makes no decisions regarding what is to be shredded and has no real knowledge of why documents are being shredded, probably doesn't have criminal or civil liability if his labor is used to illegal destroy some documents. For all the shredder guy knows, he could simply be destroying redundant copies of documents to free up space in the filing cabinets while a single archival copy is retained.

Typically, criminal laws require some level of mens rea (i.e. intent) which may be intent to do something in particular, it may be knowledge of certain facts, or what have you. An employee is generally only going to face criminal liability is the employee who carries out the wrongful act on behalf of the employer does so with the requisite knowledge and intent set forth in the criminal statute.

ohwilleke
  • 211,353
  • 14
  • 403
  • 716
  • 6
    In this particular case, it is absolutely not illegal for an employee to delete logs. No law forbids that. It's illegal for a company to not retain records. That is a responsibility of the company as legal entity, not any particular employee, and that does not prescribe or forbid any one specific action. – Davor Feb 01 '23 at 16:22
  • 1
    when a company performs an illegal act, it can be deliberately set up so that no employee (except the manager who authorizes the whole thing) knows that what is being done is illegal – user253751 Feb 01 '23 at 17:34
  • 2
    @user253751 as ignorance of the law is generally no defence, it would have to set up so that no employee knows what the overall action is - not just that the don't know that it is illegal because they don't know the law. Ignorance of the circumstances of your action is often a defence. – bdsl Feb 01 '23 at 19:01
  • @bdsl yes that's what I said. – user253751 Feb 01 '23 at 19:01
  • @Davor in this particular case the log and the record are the same thing. Claiming that deleting logs is fine, just not records, dosen't really help. What is needed is a way to identify what is eligible for deletion when. Which, yes, would forbid one from the specific action of deleting. – candied_orange Feb 01 '23 at 19:24
  • To go back to the shredder analogy, if you have one person responsible for deciding what files go in which filing cabinet, and one responsible for deciding that filing cabinets should be shredded, without looking at whats in them, in addition to the employee that does the shredding, who if any would be responsible for the liability of deleting the records? – user1937198 Feb 02 '23 at 02:21
  • @user1937198 Deciding to shred documents without knowing what you are shredding is probably itself culpable as you are acting with reckless disregard for the possibility that you may be breaking the law. But, it is hard to imagine a company setting up a system where someone just randomly decides to destroy documents without knowing what they are. – ohwilleke Feb 02 '23 at 02:25
  • 1
    Maybe not arbitrarily. But introducing policies to remove documents based on details that have nothing to do with the underlying record like the physical location (an office is shut down), or when the files where stored at that location, are entirely expectable. They should go through all the records, but if you have TB of data, it would not be surprising to not do so. – user1937198 Feb 02 '23 at 02:38
  • @user1937198 The criminal exposure would be on the person who substantively makes the decision regarding what to destroy in a way that is illegal with the knowledge that it could be illegal. The exact basis for deciding what to destroy would inform whether someone implementing a policy would be exposed to liability for wrongful conduct. – ohwilleke Feb 02 '23 at 02:43
  • @ohwilleke it's hard to imagine a company, that wishes to destroy documents that it is obligated to retain, setting up a system that makes it difficult to prosecute such illegal activity? Come on, you're imagining it right now aren't you? – candied_orange Feb 02 '23 at 15:44
  • @candied_orange Honestly, in my experience, this is something that is almost always done out of ignorance rather than out of defiance and intentional circumvention of the law. – ohwilleke Feb 02 '23 at 15:53
  • @ohwilleke which is exactly how it's supposed to look, right? What I'm not hearing is of is any mechanism that motivates such a company to make it possible to hold them accountable. – candied_orange Feb 02 '23 at 18:07
  • @candied_orange Firms that are together enough to gain a legal understanding of record retention law typically want to be squeaky clean, especially in tech, where a large share of all firms aspire to go public or be acquired by a bigger firm which invites third-parties to do in depth due diligence of their legal compliance in all respects. The motive to comply is mostly to smooth over that medium term big payout. – ohwilleke Feb 02 '23 at 20:23
  • @ohwilleke and such third-parties can be relied on to sort out the difference between appearing squeaky clean and truly being accountable? Because a company that structurally enables shenanigans is never actually more valuable than the other kind? – candied_orange Feb 02 '23 at 20:57
5

Directions from management doesn’t change the legality of one’s actions. Knowledge of what one is doing can. In your described scenario, unless the employees position placed a duty on them, their ignorance will probably protect them.

Disclaimer: actual innocence is not a 100% guarantee of acquittal, let alone protection from prosecution. If one suspects that records are being illegally destroyed and they either will or have participated in the destruction, they might want to retain an attorney.

jmoreno
  • 2,039
  • 1
  • 10
  • 16
4

Your description doesn't point us to a specific state law, so we can't tell for sure. However, it is highly unlikely that it is a general crime in any state for a person to delete records. A data retention law would impose the obligation on the bank, not on "the bank and all employees". Murder and theft are laws that apply to everybody, but restrictions on commerce generally apply to the business and not to everybody with some relation to the business. The business might get fined, but even if an employee "willfully" deletes data that is supposed to be retained, they cannot be prosecuted. Less slack is cut for government employees, so that a government clerk willfully destroying government records can be a crime. Unless you have in mind some surprising law where personal liability is created, an employee will not be prosecuted for an action in violation of a business regulation. If you have a specific real law in mind, that would be worth discussing.

user6726
  • 214,947
  • 11
  • 343
  • 576