after I resigned, my employer accessed my personal email to find out details about my new job

A reader writes:

I recently resigned from a job I have been at for nearly 15 years. The workplace became more and more uncomfortable throughout my tenure, with the boss yelling, the staff miserable, and deadlines being constantly changed. My job, which was more creative in nature, expanded to me doing pretty much everything. Eventually, I decided to start looking and was offered a new job (I used some advice from the site in interviewing and negotiations, so thanks!). I gave three weeks notice, although I was on vacation for one of those weeks.

My boss reacted badly to my resignation, as I thought she would. She tried to counteroffer but I held firm. Then she didn’t want me to tell anyone. I did tell my direct report who was going to take over most of my work but respected my boss’ wishes, even though I thought it was a very bad idea. The boss and second-in-command eventually told everyone the week I was leaving. I was insulted and yelled at for leaving and refusing to give them any info about where I was going. I knew they would find out at some point, but it was not their business. Eventually, as I was leaving on my last day, they demanded an exit interview (which I had been trying to do for weeks). It was a very rushed process, and I gave them all the information that they needed, but without my usual diligence because of the rushed nature.

I started my new job, and all is much better.

I recently needed to find something in my personal email and went to my “sent” folder to find it. While there, I noticed that all the details of my new job (the interview details, references, salary negotiations) had been forwarded to my old boss. Clearly, I did not do this. This was done during normal working hours while I was at my new company.

Nobody should have access to my personal email account. I am guessing that when I gave my former boss a list of important information, I accidentally included my personal email (used occasionally at work by me for work purposes as a favor, like using my Amazon Prime account to order things for the company). I had wiped my work laptop before returning it, so I think the only way they could have accessed it was through having my login information. (Note from Alison: Or they were using a keystroke logger and got it that way.)

The fact that this information was forwarded to my boss but not deleted makes me believe that the second-in-command was the one who did it. My former boss is barely tech savvy enough to sign into his own email, and the second-in-command is a little better but would not think to delete the sent emails.

So I am obviously furious. They have no right to know the personal details of my job. I was already deeply hurt by how I was treated after so many years of an excellent working relationship. Is this illegal? I am considering consulting a lawyer, but I don’t know how easy it would be to prove, although I imagine some tech-savvy person could confirm the IP address of the email access. Also, part of me wants to just let it go and not worry about my old company. On the other hand, this is immoral and egregious behavior, and I feel like they should not get away clean. Any suggestions about what to do?

What the hell.

Yes, sometimes employers are weird about not knowing where a resigning employee is going and do some snooping to try to find out — but that usually means stuff like asking around or looking at the person’s LinkedIn, not illegally breaking into your personal email for details.

And it almost certainly is illegal.

Employers do have a legal right to monitor employees’ use of work email, but they do not have the right to log into your personal email.

From a privacy standpoint, it’s important to note that employers can and do monitor activity occurring on their networks — and with certain monitoring programs, they could be able to see what you do in your personal email from their devices or on their network. Also, if you log into personal email from a work device, your employer’s software could capture your password … but they couldn’t then use that password to go rifling through your personal email account, which is what they apparently did to you.

It’s likely that your employer’s actions violated the Electronic Communication Privacy Act and the Stored Communications Act (both federal laws).

And legalities aside, it’s a genuinely outrageous violation of your privacy. It’s not that much different than if they’d shown up at your house and opened some letters from your mailbox, or forced their way inside to check out what you keep in your bureau drawers.

It’s an egregious enough invasion of privacy that you should indeed talk with a lawyer (and because of IP address logging, it shouldn’t be hard to prove at all; a lawyer can help with that piece of it).

{ 203 comments… read them below }

    1. Polar Vortex*

      Change all your passwords – if you accessed your bank account from your work computer or double checked on your student loans or whatever. If they were willing to do one, they’re willing to access everything else. (Doubly so if they share the same email/password combo that your email login used, or pw that matched your work login.)

      Also if you sync’d your firefox/chrome/whatever with a login – not only change the password but review and remove old devices.

      1. Keymaster of Gozer*

        I’d go a step further and say change the passwords only from a device that you are very sure is clean and protected.

        (I only use non-windows machines for that)

        1. Troutwaxer*

          Agreed. Change all your passwords from a computer with a newly installed OS. Also talk to someone who has the technical chops about getting a new computer so your old computer can be saved for its forensic value. Back up everything that does not relate to passwords – your technical person can assist you with that – and copy all those documents onto your new computer and reinstall all your applications. Note that if you used the corporate wifi with your cell phone that it may be compromised too, and your technical person will have to address that as well. But absolutely consult a technical expert before using your computer again.

          1. LikesToSwear*

            Yet another reason to be grateful that I’m overly paranoid and stand firm with my personal policy of never using the work wifi for my personal device.

      2. Well...*

        I shudder to consider it. Banking, investments, photos, personal chats, location and location history, some publication submissions* (preprints and peer-reviewed), and that’s before I even get to social media.

        *as an academic who’s jumped through a few postdocs, my personal email gets me into some professional systems.

        This is such an unbelievable breach of privacy, and I hope you go after them.

      3. rayray*

        Absolutely.

        I have said before I’d be royally screwed if anyone ever got my gmail password, and this story is a reminder that I need to get a more secured system in place. We use lastpass at work and I need to either pay for my own personal lastpass or see if I can also use this for my personal accounts as well.

        1. Bitwarden fan*

          Get Bitwarden, you can use it for free! I use it on all my devices, it syncs and doesn’t have the same issues as last pass. Easy to set up and start implementing. I pretty much only know the password to Bitwarden now, all my other passwords are randomized, which has come in handy more than once!

          1. Rainbow*

            +1 on Bitwarden. It’s super easy to switch over from Lastpass; I did it a few months ago after LP BS’d about their security breach. The free version is great and the paid version is highly reasonably priced.

        2. David*

          LastPass in particular has suffered at least one major data breach in the past year or so, and as security researchers have been investigating it, it’s come to light that the company has done a bad job of disclosing and responding to the breach, and that the way LastPass is implemented has some significant deficiencies that caused a lot more data to be revealed in the breach than was really necessary. To the point where most experts I’ve seen writing about this are flatly recommending that nobody should use LastPass anymore.

          As far as I’ve heard, good alternatives include Bitwarden (like another commenter suggested) and 1password. There’s also one called KeePassXC which is good – I use it myself – but it’s not a web service, it works on a local file, so it’s less convenient and more suitable for those who are a little more privacy conscious (or some might say paranoid lol).

          FWIW I would also recommend against using your work password manager account for your personal passwords because you could lose access if you ever lose your job suddenly, and also it’s conceivable that the IT team at your work might be able to access those passwords, depending on which password manager they use and how they have it set up.

          1. MassMatt*

            I don’t get how 3rd party password managers are a solution. We are told never to write down passwords on a list, and basically 3rd party systems have all your passwords on a list, accessible via the internet. It sounds like a terrible idea to me.

            1. PotatoEngineer*

              Password managers solve some problems while creating other problems, and you have to decide which problems are more important.

              The existing problems: people reuse passwords, and they can’t remember 50 different passwords — and they especially can’t remember 50 difficult-to-guess passwords. Some people get around this by using a password algorithm, but the typical ones I hear about are “name of website + some fixed password”, so if you’ve cracked one, you’ve cracked them all, but it would require some individual work and can’t be automated across a database of passwords stolen from a service.

              The new problem of password managers: all your passwords are in one place. There’s a lot of fancy crypto magic to make sure that nobody can steal them, but… magic has its limits, and LastPass is showing that. Some people fix this with programs like KeePassXC, where the password vault is a file you control, and you can put it only on the computers/services you trust, making it impossible for a central breach to steal your password-vault file.

              Pick your poison. (Personally, I’m using LastPass, and due to the recent breach I have changed my password, but I need to both change all of my individual passwords and move to another service. But I have limited spoons at the moment, so that’s a “soon” thing instead of a “now” thing.)

        3. Sarah in Boston*

          Don’t use LastPass. It used to be my top rec and I’ve used it for years but the recent breaches and more importantly how they’ve handled them? Nope. Not any more. 1Password has been great so far.

          1. Maleficent2022*

            We just switched from LastPass to 1Password. And I absolutely believe my employer would pull something like this, except that they don’t want the crap show of bad publicity that would come from it. They already struggle hard enough to have a barely respectable reputation.

        4. Been There*

          Please switch away from lastpass. They had a very serious security breach last year.

      4. MassMatt*

        I would mention this on Glassdoor also. It may not get seen by many people but they deserve to be named and shamed.

      1. Well...*

        Or if it’s already on, go through your “remembered devices” list and remove those the company has access to.

        1. Observer*

          Yes.

          But it’s pretty certain that the OP doesn’t have 2FA on their email or their ex-boss (assistant) could not have accessed their email.

          1. Well...*

            I was thinking that they had ticked “remember this device” which turns off 2FA on specific devices. Her work-owned laptop might have it turned off, even if she wiped it.

    2. Observer*

      And change your email password!

      Also any OTHER password.

      And 2FA – at least on your email, and preferably on any other account you have. Use an app or keyfob rather than your email as the 2nd factor where you can.

      It may sound a little paranoid, but your ex-boss is nuts and it’s not just one person.

      1. Nina*

        I’ve always maintained a personal phone that is used exclusively for 2FA, nobody ever gets the number, especially not work. I keep just enough credit on it to stop them shutting off the SIM, it’s a beat-up old Nokia, but it receives texts which is all it needs to do.

        1. Observer*

          Except that SMS 2fa is going the way of the dodo. With good reason – it’s terribly insecure.

    3. Mockingjay*

      I’m so glad of these suggestions, because I had no advice to offer. I am completely gobsmacked.

      (I thought I was diligent about limiting personal usage on my work laptop and my company is very good about respecting boundaries; but I should probably change a few habits.)

      OP, we are hoping the best outcome for you and will be looking for an update.

    4. XF1013*

      And check your Trash folder, in case they deleted any messages.

      And check your email filters, in case they set up something like “forward a copy of all incoming emails from [new employer] to [old boss].”

      1. Shiny Penny*

        I didn’t even think of email filters and automated forwarding! I hope OP takes them to task for this privacy breach.

    5. DJ Abbott*

      Reading this, I’m so, so glad I haven’t used my employers internet with my phone, and I use only my phone for banking, social media, and email. I had no idea, I was just too lazy to get the Wi-Fi login from them, plus being new I didn’t want to impose.
      So I’d like to suggest that going forward, OP only uses their phone or tablet with their own Internet while doing personal things at work.

  1. Hi, I'm Troy McClure*

    OP, I hope you’re able to hold these awful employers accountable. Their behaviour is disgusting and sets a worrying example for any worker who comes after you. Whatever you do, we’ll all be cheering you on.

  2. Corrigan*

    The audacity! What the hell.

    Not that you needed it, but this is certainly more confirmation that you made the right decision leaving that place.

  3. fine tipped pen aficionado*

    This is absolutely wild. I really hope you consult with a lawyer, LW! That process will be exhausting but people like this need to experience consequences for their actions and potential employees there should find out about this when they research the org.

    I’m just stunned.

    1. Miette*

      Backing this suggestion up big time! And act soon–I don’t know if your former job has effective HR or not, but if they do, your old boss needs to feel some discomfort over this very soon.

  4. Polar Vortex*

    My first thought reading this was “burn it to the ground”. Agreed with Alison, lawyer up, and go scorched earth policy with them. This is so far beyond the pale they need to panic like animals in the fire scene in Bambi.

  5. Just Another Zebra*

    Step 1: Change all your passwords, today. Immediately.

    Step 2: Consult a lawyer.

    This is so egregious, OP, and I’m sorry you’re going through this. Good job getting away from these people!

    1. Lexi Lynn*

      And #3 inform your new company that your old company hacked your personal email and may try to interfere with your new job. And if they do, share that with your lawyer.

      1. Shiny Penny*

        Yes! I would be concerned about all sorts of petty behavior coming from the ex-boss.

      2. Elizabeth the Ginger*

        #4, if/when your lawyer says it’s okay to talk about it, don’t be shy about sharing the facts of what happened with anyone at your old job, like your former direct report, as well as on Glassdoor or similar. (Don’t do this until the lawyer gives you the go-ahead, though.)

      3. TeapotNinja*

        Do NOT mention this to anyone other than your lawyer, because if for some reason it turns out to be false, YOU can be in trouble.

        Play this one by the book.

        1. wordswords*

          I definitely wouldn’t throw around accusations without a lawyer’s OK, but I’d think it might be reasonable to say something like “hey, fyi, I’ve found out that there’s a chance my personal email might have gotten hacked. Obviously I’ve changed all my passwords and am dealing with the situation, and I don’t use this email for work things, but I wanted to give you a heads-up just in case.”

  6. Keymaster of Gozer*

    Illegal as all heck and start with a lawyer. There is NO excuse for what they did, none.

    (Sidenote: working in IT I’ve heard the ‘I thought it was my account!’ or ‘they left the screen open!’ or ‘I had to see if they were doing something illegal!’ excuses a few times. It’s all complete bull)

    I have had to completely change my personal email account in the past due to it being hacked. My current one has a multilayered authentication on it that is probably on the paranoid side but never again.

    1. Well...*

      I wonder if they used a device where LW had turned off MFA (like if she had to log in a lot at work, she might have just clicked “remember this device” or something similar)…

      1. Keymaster of Gozer*

        There’s a lot of possibilities as to how they did it, most of which will need a professional IT bod to find out but ultimately the actions of the former employer show that they lose any claim of it being an accident.

        (Sidenote from the IT department: yes, we can if required by an investigation track every single keystroke on your computer. But anything pertaining to personal passwords cannot be stored or used or looked at. We’d be violating laws left right and centre if we took a look at your personal email for any reason.
        And unethical people don’t hold careers in IT for long. Generally)

    2. L.H. Puttgrass*

      So very, very illegal. In addition to the Stored Communications Act and the Wiretap Act, this very likely violates the Computer Fraud and Abuse Act, too. Basically, it’s a smorgasbord of potential federal criminal charges (and civil liability). And unlike a lot of conduct that theoretically violates federal law, accessing someone’s e-mail without permission usually leaves a big fat trail of evidence.

  7. JMR*

    99% of the time, when someone writes in about some horrible thing their employer did and asks if it’s illegal, Alison’s response is, “No, it’s stupid and wrong, but it’s not illegal.” I think this might be the first letter I’ve read where the answer is “Actually, yes, that IS illegal.”

    1. starsaphire*

      This is TOTALLY headcanon, but I’ve always assumed that Alison held back anything that came through that was illegal, especially if it was identifiable enough that publishing about it could potentially cause issues if things went to court.

      Insert fanfic disclaimer here. ;)

      1. Unkempt Flatware*

        No, I don’t believe she does that and there have been letters where Alison says, Yes that is illegal and here’s what you should do.

  8. Falling Diphthong*

    I’m agog.
    • On the one hand, what I’m thinking of doing is illegal
    • On the other hand, if I just wait the information I want will no doubt become evident

    And landed on “Yup, doing the illegal thing so I can know NOW. I’m just curious!!!”

    To follow on the excellent opening advice, change your passwords on everything. Especially any account you might have accessed from the work computer, followed by those you think you didn’t just to be safe. (I’m guessing Alison is right about the key logger.)

    I think if you want to consider a legal case it’s worth talking to a lawyer. Even if you don’t try to take it to court, I believe for a couple of hundred one will write a Cease and Desist letter instructing the company to cease and desist breaking into your personal email account to poke around and send itself stuff, which if received at enough levels above your immediate managers could lead to much gnashing of minions, and fees to consult their own lawyers and figure out where else these people who can’t figure out screen caps might have left an electronic trail covered in the company fingerprints.

    You’re also allowed to change all the passwords and then draw a hard line across thinking about the company again. But make sure you document just in case there’s a later arriving piece of evidence of malfeasance that changes your mind.

    1. I'm Just Here for the Cats!!*

      If I was OP I would double check my Amazon account. Change passwords and whatever else that you can do with Amazon because I can totally see them hacking into that to charge stuff or even try to change the email and password because they feel it’s “their” account.

    2. Artemesia*

      She doesn’t want cease and desist — that horse is out. She wants ‘punish these people’ — maybe it will mean money for her or just damage to them, but this needs to be escalated to punish.

  9. Zzzzzz*

    and screen grab, screen grab, screen grab. write down all deets now while fresh in mind. good luck!

  10. A Little Bit Alexis*

    Your former boss and second-in-command might not be aware enough of this to do it, given your letter, but I would also check your email settings and see if any secondary emails have been added to the account as a recovery email– this is a common way for outside parties to maintain access to someone’s email after they’ve gained unlawful access.

    Many emails also keep logs of sign-in locations, which is essentially what IP logging is, but many email services break this down even easier for the user and actually list the geographic region of the login.

    Concur with speaking to a lawyer. In the meantime you can lookup the IP information yourself from the email header of the email that got forwarded (lots of walkthroughs online of how to do this), and then pop the IP you find into an IP lookup tool (such as whatismyIPaddress dot com) and get the basics of the IP service provider. If the service provider matches that of your former company, that’s more info to give the lawyer. Of course, whatever you do, change your password, enable two-factor authentication, and do not delete those emails that got fwded.
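
The header check described in the comment above, as an added example that is not part of the original comment or the site's own material. It assumes the forwarded message has been saved as raw text (the "show original" / "view source" export); the sample messages, hosts, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: raw headers of a forwarded message. All hosts and
# addresses are documentation/test values, not real ones.
SAMPLE_EML = """\
Received: from mail-out.example.net (mail-out.example.net [198.51.100.25])
    by mx.example.org with ESMTPS id CONSTRUCTED2
    for <old.boss@example.org>; Tue, 07 Mar 2023 10:15:02 -0500
Received: from [192.168.1.44] (office-gw.example-isp.test [203.0.113.77])
    by mail-out.example.net with ESMTPSA id CONSTRUCTED1;
    Tue, 07 Mar 2023 10:15:01 -0500
X-Originating-IP: [203.0.113.77]
From: Letter Writer <lw@example.net>
To: old.boss@example.org
Subject: Fwd: Offer details

(body omitted)
"""

# Constructed sample: a message sent through webmail where the provider
# records no client address in the headers at all.
WEBMAIL_EML = """\
Received: by mail-out.example.net with HTTP; Tue, 07 Mar 2023 10:15:01 -0500
From: Letter Writer <lw@example.net>
To: old.boss@example.org
Subject: Fwd: Offer details

(body omitted)
"""

# Ranges that identify a machine inside some local network, not an ISP.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

_BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def is_internal(ip):
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)


def ips_in(value):
    """Return the valid IP addresses found in one header value."""
    found = []
    # Mail servers write addresses in [brackets]; fall back to the bare value
    # for headers such as "X-Originating-IP: 203.0.113.77".
    for candidate in _BRACKETED.findall(value) or [value.strip()]:
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # timestamps, ids and host names are not addresses
    return found


def received_hops(raw):
    """Received headers in chronological order (earliest hop first)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so the last one is oldest.
    for value in reversed(msg.get_all("Received") or []):
        ips = ips_in(value)
        hops.append({
            "public": [str(i) for i in ips if not is_internal(i)],
            "internal": [str(i) for i in ips if is_internal(i)],
        })
    return hops


def candidate_origin_ips(raw):
    """Public addresses worth looking up, most likely sender first."""
    msg = message_from_string(raw)
    ordered = []
    for value in msg.get_all("X-Originating-IP") or []:
        ordered += [str(i) for i in ips_in(value) if not is_internal(i)]
    for hop in received_hops(raw):
        ordered += hop["public"]
    return list(dict.fromkeys(ordered))  # de-duplicate, keep order


if __name__ == "__main__":
    for label, raw in (("SMTP client", SAMPLE_EML), ("webmail", WEBMAIL_EML)):
        ips = candidate_origin_ips(raw)
        print(label, "->", ips or "no client IP in headers; use the sign-in log")
```

An empty result is common for mail sent from a webmail page, and addresses from later hops belong to mail servers rather than the sender; in both cases the provider's sign-in activity log is the record to export and keep.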

    1. Ashley*

      Yes – Get the IP history log sooner than later before it has been too long and harder to access.

  11. Other Alice*

    In addition to what everyone suggested, if you’re on friendly terms with your former coworkers I don’t think you’d be out of line warning them not to log into any personal account at work.

    1. ursula*

      100% this. Even if legal action isn’t financially worth it for you, letting all of your friendly former coworkers know what happened is free and effective.

    2. DisneyChannelThis*

      Might want to hold off until after talking to the lawyer. If you are going to sue ex company, you don’t want them getting a hint that you know what they did before the lawyer sends it.

        1. Observer*

          Having a conversation with ex-coworkers where you tell them that “someone that wasn’t me forwarded information from my personal email to Boss” is not something that makes it easy to sue the OP.

          Of course, the OP should talk to their lawyer, but more because of not spooking ex-employer than worry over a suit.

          1. Troutwaxer*

            Not spooking the ex-employer is also a good reason. (I disagree with you on the other issue because the old employer is obviously messed-up and dysfunctional – what they’ll do if sued is not necessarily going to involve anything resembling respect for the law or ordinary legal thinking.) But there are lots of good legal/professional reasons not to aim anything, good, bad, or neutral at the old work or old coworkers.

            1. Observer*

              I agree that ex-employer is a loon. But that’s all the more reason not to try to game out what they will do. Because the only thing you can be sure of is that they are not going to be reasonable, realistic and concerned about legalities, if they even recognize that there could be an issue there.

    3. Delta Delta*

      Nope nope nope. Because OP does not know who the source was. All OP knows is that the email got forwarded to the boss. OP has no way to know who is friendly and who is not. OP should remain mum until advised otherwise.

  12. OrigCassandra*

    I believe there’s one situation in which your personal email could be legally rifled. All of the following must be true:

    * Your former workplace is a public agency.
    * You commingled work with personal email on your personal email account.
    * A sunshine-law records request came in related to your work.
    * Your workplace determined that email on your personal account was relevant to that records request.

    This is why public employees really, really, really need not to commingle personal and work email. (Folks in the not-uncommon situation of needing to BCC yourself as a butt-covering or anti-boss-butt-covering measure: use an account specific to that use rather than your regular personal email account, just in case.)

    But if any one of the above criteria isn’t true — your ex-bosses are cruisin’ for a bruisin’, OP. Give ’em hell.

    1. Governmint Condition*

      Depending on local/state laws, it may also require that you be notified first.

        1. Anon for this*

          Same! Curiosity is not a reason. And it has to be related to actual work.

          I refuse to link my work & personal devices. And I have our Records people backing me up.

      1. Empress Matilda*

        Yep. Even if all of the above were true, they can’t just do it – they have to notify you of the request, give you time to comply, and I would imagine a certain number of escalating reminders before they finally say “We’re going in ourselves if you don’t comply by [DATE.]”

    2. Observer*

      Even with all of these things being true, it can’t be done the way it happened here.

      So, in the US, illegal.

      1. Charlotte Lucas*

        And I think it’s pretty clear this isn’t government. They would have ways of accessing things like Amazon that don’t require private accounts. For the same reasons of transparency.

        1. Observer*

          Agreed.

          Really, my point is that EVEN in government with all of those other requirements, this would have been out of line – very out of line. Once you are in private? The line is not even a dot on the horizon anymore.

    3. Called Birdy*

      A friend who works for a public agency where I want to work told me that any emails could be subject to FOIA. I wonder how a future employee’s privacy is protected when those emails contain someone’s address, DOB, disability accommodation request, etc. What other guidelines would you give to someone new to working for a public agency to protect one’s privacy?

      1. govvie*

        There are detailed rules around FOIA requests that would prevent your personal information from being released. FOIA requests have to be specific; requesters can’t just go fishing. The warning against commingling work and personal stuff serves three purposes: (1) agencies must retain records of official communications and your personal email would not meet the legal requirements, (2) if you handle sensitive info, your personal email would not provide appropriate protections, and (3) if there was a FOIA request, agency employees might need to look through your work email to comply with the request. In the process, they might see other emails that are personal, if you’ve used your work email for personal stuff.

        In general, I write every work email assuming that it will be reassuring by someone who doesn’t know me or my job, because that’s always a possibility.

  13. Upper Learning*

    Related question that might also help OP.
    In situations like this where the recommendation is to contact a lawyer, how do you go about doing that? Just google “employment lawyer in [city]”? What are some good things to look for when trying to find a reputable person among the ambulance-chasers and other potentially scammy search engine results?
    I think that for a lot of us, finding a lawyer is a totally unknown situation. Not knowing where to start or what to look for can discourage people from seeking legal action when they absolutely should do so. I think any advice on how to go about this would be helpful beyond just this question!

    1. Jezebella*

      You can also find a lawyer through your state bar association. If you have a weekly paper that does annual “best of” awards, see if they include lawyer categories. Avvo.com has reviews and ratings. Google reviews are certainly worth a peep, but take them with a grain of salt.

      1. ShysterB*

        Second the suggestion for US residents to try state (and county!) bar association referral services. Just google “[state or county] bar association referral.”

        But as a lawyer, I also suggest that the best place to start if you are at a loss is to ask friends/family/coworkers. Even if they don’t know someone who practices the sort of law you need, they might know a lawyer who DOES know someone who practices in the required area.

    2. metadata minion*

      I would love to see an interview or ask-the-readers or something along those lines from people who have actually taken legal action against an employer. It’s obviously going to vary a lot depending on what the case is about, who the employer is, etc., but I really have zero clue what range I should be imagining in terms of price, time, and general hassle level.

      1. nda anon*

        As someone who has had to do exactly that, it’s almost certainly more of all those things than you would expect. I personally spent around 10k USD, a year, and an enormous amount of hassle all to find out that when the other party is that out of touch with reality and willing to go scorched earth on you, unless you want to move to litigation (a lot more time and expense needed) you’re basically out of luck.

      2. alas rainy again*

        Metadata minion, I had to threaten to sue my former employer to contest an at-fault dismissal. It cost me 6k$ to recover 15k$ back pay and get the paperwork needed for unemployment indemnities (European salaried job). It cost me more in terms of energy and time, so I needed that unemployment paperwork!

      3. Anon 4 now*

        I am in the middle of a court battle with a federal program for YEARS of back-pay. I had to find a lawyer specializing in an EXTREMELY niche field (I think there are 3 in the USA… no more than 5 total). So far my court costs are $20k (flat fee that covers the lawyers’ cost and court fees), but I’ve recouped half of the owed pay already. I started this process in 2019, IIRC, and probably won’t see an ultimate resolution before 2024. The hassle level at the beginning was extreme – researching regulations, going over my story ad nauseam, collecting every relevant scrap of information, collating it for review by my attorney, etc, etc, etc. My case is highly specific, although the generalities will help anyone else in my situation who has to follow in my shoes, so it’s worth it for me to be a trailblazer. Now that we’re in the court system and all documentation has been provided it’s simply a matter of setting what the government is claiming, refuting the claims with tangible evidence already collated, and then waiting for the next round. I can go weeks without even thinking about it now, as the ball is no longer on my side.

    3. Curious*

      In this case, tho, OP is the victim of a crime. While having your own private lawyer may help you effectively to navigate the system, if you can’t afford or easily find one, it seems to me that you can still report this to the local or federal criminal authorities.

      1. STAT!*

        Yes, I’m curious why there aren’t more people suggesting the OP report this crime to the relevant authorities, as well as thinking about civil litigation. As to which, who ARE the relevant authorities? (Assuming this happened in the USA.) Though I’m guessing that wandering into the local cop shop is not the right answer.

    4. Anne of Green Gables*

      Many state bar associations also have a “find a lawyer” feature. In NC, you enter your zip code and area of specialization and are matched with (I think) up to 3 lawyers in your area. It is up to you to make contact. If you use one of them, there is a flat fee for your initial consultation. (Last time I used it, it was $50 for 30 min consultation.)

    5. Coverage Associate*

      As a lawyer who only works for corporations, when a friend wants a referral and I don’t have a friend with expertise, I refer people to the county bar association’s referral service. Around here, participating lawyers are really conscientious about making it a real consultation. You pay like $50, and they give you all the advice they can in 30 minutes. It’s not a hard sell or just a gimmick to get you to sign up for more services. (Lawyers do that all the time, but through their own seminars and advertising, not through referral services.)

      While a lawyer can walk you through your options for outcomes, one thing to consider is what outcome you want. Do you want a bad behavior to stop? Do you want money? Do you want to embarrass the other side publicly or otherwise “make them pay”? Each goal has different costs in terms of time and money from you.

    6. Ashley*

      And I would look at employment law with cyber security specialty if I was going after money. Your area will determine your options, but often you need a lawyer that specializes in X if you want to win big or if it will be a nasty fight.

      1. L.H. Puttgrass*

        Agreed. This isn’t really an employment law case. It’s a privacy/computer-abuse case that happened at the office.

  14. Sunrise Salute*

    “I had wiped my work laptop before returning it, so I think the only way they could have accessed it was through having my login information.”

    Wait, did you use your work asset to access your personal email? Consult a lawyer, bc using a work-owned asset changes the equation of what they are entitled to access.

    1. Keymaster of Gozer*

      I can’t speak to US law but it doesn’t change anything here. Even if I see someone access their personal email on our network (which isn’t allowed) the most I can do is block the access. It does not give me the right to see their stuff.

    2. IT Manager*

      I don’t believe it does. There is case law that says if you take reasonable precautions (password and SSL encryption in the Supreme Court case I remember reading about) then they are NOT allowed to access it even if you logged in from a work device.

      This is different from monitoring “she is accessing personal email now” or prohibiting “you’re not allowed to access personal email at work, I’m going to fire you for that”. Both those are allowed. But snooping your personal email is not. Not by eavesdropping on the connection and not by stealing your password and logging in themselves.

      1. Elizabeth the Ginger*

        Yeah, this is more like the digital version of “you put your house key on the work-issued key ring, so we made a copy of it while you were here and then after you quit used it to go into your house and check out your medicine cabinet and your sock drawer.”

    3. Observer*

      “Consult a lawyer, bc using a work-owned asset changes the equation of what they are entitled to access.”

      Not that much!

      Using company resources means that they are allowed to look at what was left on the computer. It never gives them the right to actually log into someone’s account and do whatever.

      There is a ton of case law on the matter.

    4. Eldritch Office Worker*

      IANAL but I am in HR and handle a lot of these policies. They can *monitor* this email use if it happens on company equipment, but to independently log into OP’s personal email and forward something is almost certainly beyond the scope of their authority, unless OP signed something (which is why you really need a lawyer). Particularly since this seems to have happened after OP was no longer employed there, they’re in reallyyyy dicey territory if they try to enforce even previous consent that might have been given. Monitoring and collecting data is not the same as accessing and using, under these policies.

    5. Radioactive Cyborg Llama*

      I think there needs to be a legitimate business reason for that to apply.

    6. I'm Just Here for the Cats!!*

      No, it doesn’t. It is still their PERSONAL account. And it sounds like they were required to use their personal accounts for work purposes. So in fact they were taking advantage of the OP.

      An employer can block certain sites and such so that people don’t have access but that doesn’t mean that if someone uses a work computer to check their email or bank account it means that it’s now the company’s and they have the right to access your personal property.

  15. bighairnoheart*

    You know what’s wild to me? Your ex-employer did all this just to find out where you ended up! You said yourself they would have probably learned about it eventually, that’s just the way these things tend to work. But the fact that they sunk this low and hacked into your email to get info they absolutely could have discovered through legal means is just so brazen. And then to not even have the ability to appropriately cover their tracks… OP, I hope you find an amazing lawyer who will absolutely relish taking them to task for this, because they deserve everything that’s coming to them.

    1. DisneyChannelThis*

      Like sooner or later you update your LinkedIn, or you show up mentioned in a press release or blog post by the company… They could have just waited a couple months! The audacity and entitlement!

      1. Troutwaxer*

        This brings up another point of necessary paranoia. Make sure your new work knows what your old work did BEFORE someone from your old work calls your new work and says something horrible. (Like let them know immediately, preferably in casual conversation, I think.)

        1. Snow Globe*

          I wouldn’t just slip it in during casual conversation; I think a direct conversation with LW’s current supervisor would be in order, where LW specifies that they are concerned about what the former employer is planning on doing with the information that they gathered.

          1. Troutwaxer*

            You might be right, but I think this is a difficult one for someone who doesn’t know the OP’s current employer to parse. Depending on the people and work culture, it might be important to have a very formal meeting on the subject, or it might be best to approach it outside of the official channels. I can see it working either way.

    2. ScruffyInternHerder*

      …and have all details of the offer including interview (notes?), offers, salary negotiation.

      AKA nothing that they’re in need of.

      1. Lawyer
      2. Change all passwords and eliminate all trusted devices from your accounts
      3. Verify that no stray emails have been added for password recovery
      4. Change your password challenge questions
      5. Back to the lawyer – do whatever they guide you to do. And definitely see what the lawyer’s take is on informing your current employer of this hack.

      1. I'm Just Here for the Cats!!*

        #6 update us with information because we are all INVESTED in this crazy story!!

    3. LTR FTW*

      Yes, it’s absolutely wild. And they did something SO STUPID too — the forwarding is so blatant. They could have taken a screen shot and OP would have been none the wiser.

  16. JoshR*

    OP: Please please please, in addition to changing your passwords, set up multi-factor authentication, also known as MFA, 2FA, or (in Google’s ecosystem) 2-step verification. Ideally take the option to use an authenticator app on your phone (though text messages are still better than nothing). You do not want other people getting into your email, even if they somehow get or guess your password, and this is the best way to prevent it.

    1. skipjack*

      Hijacking this comment to add:

      You can remove access from particular computers your Google account. Do that now!!

      In your Gmail, at the top right, click on the button with your name. You’ll see a dropdown that allows you to go to your Google Account. Once in your Google Account, go to Security. Scroll down until you see a section called “Your devices”. You can click on any of those devices and log out or flag them for Google to review.

      1. skipjack*

        typed too fast! *You can remove access from particular computers FROM your Google account

    2. SereneScientist*

      Also seconding/thirding/fourthing all of the comments to change passwords and secure your accounts. While I don’t wish to cast aspersions on your former employers, what they did already is fucking egregious and exercising caution is warranted here.

  17. old curmudgeon*

    I concur with all the excellent advice about talking to an attorney, changing passwords and taking other security-related steps, but I’d also be concerned about your toxic former employer trying to cause problems with your new employer. Have you contacted your new manager and/or HR department to let them know that your former employer is engaging in illegal activities to try to make your life difficult? If not, that might be good to do before your current employer receives a baffling contact from Toxic Former Boss.

    Good luck to you, OP, and do please update us on how things go!

  18. madge*

    That’s so far beyond the pale, I don’t know that there are strong enough words.

    -Change all passwords
    -Contact employment attorney
    -Post on Glassdoor and anywhere else you can think of (yes, they’ll know it’s you but you might decide that doesn’t bother you)
    -Feel free to mention this to whomever. The farther news of this behavior spreads, the better

    1. metadata minion*

      I think you probably want to hold off on Glassdoor posting and such until after you speak to a lawyer, if you’re seriously considering legal action (which I agree is completely justified!).

  19. shrinking violet*

    OMG. I’m almost speechless. But only almost.
    Please — lawyer. Now.
    Please, please — change all your passwords, even for things you are 100% positive you never accessed from work.
    Please please please — update us after you speak with a lawyer!!! (pretty pretty please!)

  20. WillowSunstar*

    I’m surprised the personal email wasn’t blocked by the company. All personal email accounts are blocked by our IT so we couldn’t access them on our work laptops if we wanted to. That being said, it’s not a good idea to assume any privacy on a work computer, and especially these days as many companies are using monitoring software. Definitely print out the email though with all the headers so you have the paper copy once your passwords have been changed.

    1. Yvette*

      Same here. Not only can’t I access my personal email from work, I cannot even send an email outside of the company. (consultant at a major financial company). Even without that I agree that it is never a good idea to do anything remotely personal on a work machine.

      1. Emma*

        Finance companies tend to be very concerned about employees emailing sensitive information outside the company, so we’re often more restrictive on things like personal email access, USB sticks etc than companies in other industries.

    2. OrigCassandra*

      Varies by industry. I’m in academe, so I have a lot of freedom.

      Highly-regulated industries — finance, health — typically get pretty locked-down.

    3. I'm Just Here for the Cats!!*

      Not all companies are that strict. It sounds like the OP didn’t have a work email. Surprisingly this is how many places are.

      1. Susannah*

        No, LW indeed had a work email, but said s/he occasionally logged onto personal email to access things like Amazon Prime for the company’s benefit.

        And I’ve found that not too many places ban you from accessing private email at work; some (financial, public employee, etc.) do so for security reasons. Others have a general policy not to use social media/personal email much at work, for productivity reasons.

        1. Office Gumby*

          Generally, it’s a good policy to ban personal emails at a place of employment.

          Long time ago at one of my Day Jobs, we could check our personal email accounts. One day someone in a different department checked theirs, clicked on some spam and unleashed a cryptovirus on our system. While the damage was mitigated by a clever IT orc and a robust backup system, the PTBs realised that there was no legitimate business reason for people to be checking personal emails at work, so that got banned.

          Since then, nobody has been able to put forward a reasonable case for this ban to be lifted.

  21. Meghan*

    This is so smarmy on part of the boss, it makes me feel gross. Seconding all of the advice above, and please come back with an update if you end up nailing them to the wall (legally or otherwise). So glad that you’re out of there.

  22. Shiny Penny*

    I hope we get an update on this one. I would be contacting a lawyer and not letting this go.

  23. Abogado Avocado*

    Yes, change all your passwords. And determine what your monetary damages are. Ordinarily, violations of the law are not enough for a civil action. Usually, you need to have been damaged in some concrete, economic manner. Yes, you do see lawsuits seeking damages for pain and suffering, but most jurisdictions require a provable economic injury before pain and suffering can be compensated. Of course, this is why you want to consult a lawyer: to determine what your jurisdiction allows.

    Additionally, be aware that the criminal laws may be implicated here. Most jurisdictions have laws that criminalize unauthorized access of a person’s email. So, you may want to ask any lawyer you consult whether it is worth it to make a criminal complaint to your local prosecutor.

  24. Lan*

    What the …?
    I have a related question. Can the employer in that case force you to tell where you are going?
    Because I have seen a few times where someone quit and gave their two weeks. Boss asks where they are going, because if it is a direct competitor, they are not going to want that person to work those two weeks. Is there a difference if going to a competitor?

    1. ScruffyInternHerder*

      I’m not sure that they can technically do so, though I understand where you’re coming from.

      I’ve seen a most interesting and petty thing ages ago – someone left, and his leaving was publicized by Llama Grooming R Us as “best wishes on your newest endeavors as a chocolate tempering expert at XYZ”. Reality? He was leaving to start “Local Llama Groomers LTD”. It was a very poorly kept secret. I think the owner at Llama Grooming R Us was trying to make the guy who left look bad? It didn’t. It made that owner look kind of foolish though.

    2. Observer*

      The boss can’t force you to do anything. Now, sometimes the boss has a legitimate reason to ask, but in such a case the only thing they can do is say “OK, then today is your last day.”

    3. mlem*

      They could choose to walk you the same day if they don’t trust you not to be going to a competitor (or want to claim it’s about that), but unless there’s a contract, there’s not much else they can do. And they can choose to walk you out the same day for pretty much any non-protected reason.

    4. I'm Just Here for the Cats!!*

      I think that’s where NDAs and contracts that state you won’t work with competitors for X amount of time after leaving, or within X miles of the job.

      It’s rare that these things can hold up. Especially if your job is not anything that has confidential information or you could ‘steal’ clients from.

  25. AnonMurphy*

    This is awful, full stop.

    I work in compliance and help review our policies for a 2500 employee company. There is absolutely no expectation of privacy, even as to the content of your personal email, while YOU are working on an employer-owned device. I’m outraged at the how and why of them logging into your account. Be aware that the company policies (assuming they are done properly) probably cover the monitoring of your work, but I’m not at all sure about what they might say about accessing personal accounts. Definitely worth a lawyer consult, but I also wouldn’t be surprised if there is something they can whip out and use as a shield (such as an employee handbook or policy doc that you would have attested to each year).

    Best of luck – I think that is egregious and should be actionable. Please keep us updated? I’m actually asking my team what they think (my boss has a law degree).

    1. Observer*

      “There is absolutely no expectation of privacy, even as to the content of your personal email, while YOU are working on an employer-owned device.”

      That’s actually not entirely true. Yes, you (employer) can sniff on all non-encrypted traffic on your network and log all keystrokes on the computer (although I’m pretty sure that in some jurisdictions you need to let people know about this kind of monitoring). But actually going into someone’s email? No, not even from their work-issued computer.

  26. Observer*

    Your ex-boss is TERRIBLE.

    Talk to a lawyer, but odds are that you won’t have grounds for a civil action, because you won’t be able to prove damages. Even “infliction of emotional distress” is not going to fly – the bar there is extremely high, and it doesn’t sound like you would meet it.

    I’d be surprised if anything would happen with a criminal complaint, but I’d check with a lawyer if filing this could be useful in the long term if (or when) something similar happens and someone else reports it.

    Also, if this is a larger organization that has a legal counsel or even just pretends to want to be law abiding you may want to let legal / CEO know about this (after talking to your lawyer). If the company is halfway decent and smart they will recognize that this is a legal minefield for them. You may never hear anything back, but I would not be shocked if Ex-Boss and 2nd In Command have some career repercussions over this.

    1. ScruffyInternHerder*

      I also wonder (because IA*so*NAL here) if new company would potentially have some sort of claim here as well, if I read that right and they have her offer letter, interview notes, negotiations, etc.

    2. Keymaster of Gozer*

      Oh that’s an excellent point. If they’re a large firm with a (decent) IT department they’d have a good knowledge of what to do about data security violations carried out by members of staff. Or the legal department would.

      Definitely after lawyer discussion though. If they’ve got a dodgy IT department you might find all proof suddenly vanish.

    3. Marny*

      It varies by state, but some “invasion of privacy” claims presume a certain amount of damages just to serve as a deterrent to privacy invaders. One doesn’t have to prove actual monetary loss, just the violation.

    4. L.H. Puttgrass*

      “Talk to a lawyer, but odds are that you won’t have grounds for a civil action, because you won’t be able to prove damages. Even “infliction of emotional distress” is not going to fly – the bar there is extremely high, and it doesn’t sound like you would meet it.”

      Nitpick time: Technically, OP would still have grounds for a civil action, but might not have standing. It’s complicated, but basically “standing” is a matter of whether a federal court can even hear your claim. If you don’t have standing, the court doesn’t have jurisdiction, and you’re done. It used to be that if the statute you’re suing under provided for a minimum amount of damages, that was enough to satisfy the harm needed for standing, but then the Supreme Court did their thing in a case called Spokeo and now who knows. But I digress.

      It’s definitely something to talk to a lawyer about, though. Some of the laws OP’s former employer seems to have violated include statutory damages and allow for recovery of attorneys fees and costs (which is key to getting a lawyer to take the case). And in the case of the Computer Fraud and Abuse Act, courts have been pretty darn open-minded in what they accept as “damages.” So I wouldn’t assume that OP couldn’t show damages or wouldn’t be able to pursue a civil action.

      I agree, though, that unless OP could show something pretty egregious, a federal prosecutor probably isn’t going to be interested. Not that logging into a former employee’s personal e-mail isn’t egregious, but a prosecutor is probably going to want something more to make it worth their time.

      1. I'm Just Here for the Cats!!*

        It would let OP know how long they have been accessing their personal email. For all they know it’s been going on for months, even before giving their resignation.

  27. HonorBox*

    Holy smokes. I thought “I got yelled at and insulted” was going to be the point of the letter but then it only got worse. This situation is awful and I’m so sorry you’re having to go through this. I can’t for the life of me imagine having the audacity to go through someone’s personal email… even if they left it wide open on their desk… and to grab personal information related to a job offer. That sucks. I hope they get what they deserve.

    Please do update us!

  28. irene adler*

    RE: wiping a work laptop of all files

    There are programs out there that can retrieve erased files from wiped hard drives.

    Although more likely a keyboard logger at work here, as mentioned.

    Just wanted to suggest that it’s a good idea to think about what one puts on a work computer in the first place. Wiping the hard drive is not 100 % fool proof in removing the files you want removed from other people’s access.

    Still, not an acceptable thing to do this to the OP.

    1. Observer*

      “There are programs out there that can retrieve erased files from wiped hard drives.”

      It depends on what was used. Also, it generally requires the right software AND some technical skill. Hard to imagine that any reasonably competent IT department would do that and then hand over the actual password.

        1. Observer*

          Agreed. There are too many things that a company can legitimately do, that you need to be careful.

          It’s just that in this case, the OP is almost certainly correct in their guess as to how this happened.

          1. irene adler*

            “It’s just that in this case, the OP is almost certainly correct in their guess as to how this happened.”
            Oh yeah. Totally agree!

            I’ve had some personal experiences that left me very surprised regarding the technical abilities of any one or any entity. As such, I exercise caution with my personal accounts/information when using any computer equipment not my own. And destroy my own hard drives when it’s time to dispose of any of my computer equipment (fortunately I don’t have any employer computer equipment that has my personal stuff on it-so not an issue for me.).

  29. Dances With Code*

    These kinds of situations are why I refuse to put any employer apps on my personal devices, including the proprietary corporate authenticator app that many of my colleagues use in lieu of security keys for login. I don’t log into personal accounts on a work device nor vice versa. Period. If work functions require something my employer doesn’t provide, it’s not my problem. Dropbox, some cloud service, whatever… I’m not compromising that firewall to give them use of my accounts, which could destroy that metaphorical personal-work firewall.

    1. Observer*

      “the proprietary corporate authenticator app that many of my colleagues use in lieu of security keys for login”

      Yeah, that’s one I wouldn’t do either. Aside from anything else, this stuff is not so easy to do RIGHT. Why would you roll your own with all of the inherent problems that come with that, rather than using one from a company that invests huge sums in security?

    2. Minerva*

      Right on. My boss tried to get me to download access to my work email to my personal device and my response was “The company will not allow me to access my personal email at all on my work device because it is deemed a security issue. I am uncomfortable with work email on my personal device for similar reasons. If the company would like to issue me a phone I am happy to carry it with me.”

      Matter was dropped. Unfortunately I did lose the fight about keeping my work 2FA off my device as they simply refused to offer physical tokens and they said if I felt so strongly about it I don’t have to have the ability to work remotely (pre-COVID days).

    3. old curmudgeon*

      Yup, my employer (state gov’t) went to a 2FA app that had to be downloaded onto each employee’s personal cell phone, and that was a HARD nope from me. No bloody way am I putting that software on my own personal property; either issue me a VPN fob or I’ll put in my retirement notice today.

  30. Brain the Brian*

    I feel like we’ll need an update first to confirm this, but this is nearly an automatic entry for this year’s Worst Boss Award. Holy crud.

  31. Sara without an H*

    I have nothing to add to the excellent advice given above. By all means, do consult a lawyer. Do NOT, however, do anything that might tip off your former employer that you know what they did. I’m not expert enough to know if they can cover their tracks after the fact, but if they know you have caught them, they may try.

    I also agree with those who recommended that you brief your new employer. You might also want to schedule time with someone in your new IT department and make sure there’s no way Bad Former Employer can follow you into your new employer’s system. Again, I don’t have enough expertise to know if that’s even possible, but it’s worth getting some advice from somebody who does.

    Good luck, congratulations on the new job, and please update us in the future.

    1. Troutwaxer*

      “You might also want to schedule time with someone in your new IT department and make sure there’s no way Bad Former Employer can follow you into your new employer’s system.”

      Oooh! Excellent point!

  32. Monty*

    OP, you mentioned that you occasionally used your personal email at work for things like taking advantage of your Amazon Prime account to order supplies. Aside from the egregious privacy violation of sending themselves your new work details, I would be seriously concerned about your boss using your Prime account. Your former boss has already revealed themselves to have absolutely no grasp on basic human decency, never mind the law. Check your credit card statement and see if you can lock down your account security. I am so sorry this is happening to you.

    1. I'm Just Here for the Cats!!*

      That’s what I thought too. Make sure you have access to your account, change any and all passwords. Maybe even remove your credit cards for a while. I don’t know if Amazon does 2 factor but if they do set that up.

  33. Bam Bam*

    It is absolutely illegal. It is not hard to prove. Find a lawyer and go after her. This is disgusting behavior and she should lose her job for it.

  34. BridgeofFire*

    Worst boss of the year candidate? I’d say this is definitely way up there. Even if this wasn’t illegal, and it almost certainly is…WHAT THE ABSOLUTE FUDGESICLE? I’m just…I…What makes this FORMER boss feel like she has any right to even keep tabs on a former employee, much less invade the employee’s privacy in such a blatant way.

    My brain is currently caught between owie and rage mode.

  35. Chilly delta blues*

    Please contact a lawyer and then update us. Even if they just send a letter your former company needs to know this wasn’t okay. If they think it is who knows what else they might try with the next person leaving!

    Please update too.

  36. 2 Cents*

    OP, if you were using Chrome, did you save your personal email password that way? (Not blaming you in ANY WAY) but maybe that did it? I know you said you wiped your computer, but I found stuff still popped up after I thought I’d erased everything.

    At the very least, I’d let my old coworkers know what happened.

    1. Troutwaxer*

      Yes, stuff like this is why I say the OP should consult a professional computer tech.

  37. CSRoadWarrior*

    Please change your password. Immediately. This is not only an invasion of privacy, but imagine if an unknown hacker did this. It does not make it any better. In addition, I highly suggest setting 2FA to add a layer of protection.

    If it is your email today, it might be your bank account tomorrow. Not saying your employer has access to that as well, but this would not only make me upset. It would also freak me out. Anyone who has unauthorized access to your login details and accounts is NOT okay.

  38. Michelle Smith*

    OMG OP WTF?!?!?!?!? This is such an egregious violation of your privacy! I’m glad you got out of there, but my goodness I hope you update us about what you decide to do (even if you do let it go). I’m really hoping they at least get the pants scared off of them by being called out by an attorney for their blatantly illegal behavior.

  39. Snooks*

    See a lawyer. Follow Troutwaxer’s advice about informing your new employer and their IT.

  40. Laure001*

    They’re so stupid, too! They could have just read the emails, or copied pasted the content, with OP never being the wiser.

    1. irene adler*

      Or erased the email from the sent folder.
      Which makes it very clear whoever did this was not computer savvy at all.

  41. Diana Trout*

    Sometimes I read these and I can’t WAIT for the follow-up. This is one of those times. I hope you report this to every possible authority….

  42. DocVonMitte*

    Please write a Glassdoor review and include this as well so future employees are aware.

  43. Miss Pantalones En Fuego*

    I’m confused by the statement about accidentally including the personal email and Amazon account. Does the OP mean that they gave the old company her passwords for both by mistake?

    1. Office Drone*

      Probably not. The OP stated that they believe they inadvertently included their personal email address in a list of information given to the former boss. If that email address was accessed on the work laptop, all that was necessary—as Alison noted—to get the password was to use a keyboard logger (software that records keystrokes, and something employers can use to monitor activity on work laptops, which they own).

      But while the employer can legitimately use a keyboard logger to check activity, they can’t legitimately use it to open up an employee’s personal email account, which it looks like this employer might have done.

  44. Tiger Snake*

    Telecommunication Act, Data Protection Act and the Computer Misuse Act…. Not to mention what they’ll be like as a future reference, considering this…

    I work in IT Security. This is illegal as heck. As in, there’s potentially criminal charges here, not just civil. It depends, but you should absolutely pursue it and your next steps absolutely need to be to get a lawyer. Not just any old employment lawyer in this case; you need a good lawyer who actually understands computers.

    This could well end up needing some specialist expertise to help you win – the evidence is absolutely on the computers, but you need some computer forensics specialists to get it and that gets complicated fast. This is not He-Said-She-Said. There is absolutely evidence on the servers that proves exactly who did what, if only the right machines can be pulled. Those services are available, but you need the right legal case to seize their computer data, because that’s where the evidence will be. And that’s very, very doable; but they and their lawyers aren’t going to like it, and that’s why you need a lawyer who can demand the right data in the first place.

    Basically what I’m saying is that you should get a really cutthroat lawyer, and you should be looking for a lawyer who understands computer investigations. They’re going to know how to make this rote and common instead of unusual, and they’re going to know how much it will likely cost and have those specialty contacts you need. To find that lawyer, you need to know what outcome you’re after. Shop around, ask them smart questions, consider both the criminal and civil angles. Good luck.

  45. Katie*

    I assume anything I do on a work computer is accessible by my employer. Personal email account included. I don’t use any work equipment to access my email, banking, etc.

    1. allathian*

      Sure, personal emails may be accessible in areas where keyloggers are legal. They’re illegal in my jurisdiction. But it’s another matter entirely if actually using that information would be legal, which it wouldn’t be, not even in the US.

      1. Observer*

        It would be a problem even if the OP were still working and had not wiped their device.

        These two facts are ADDITIONAL problems, not the heart of it.

    2. Observer*

      As a practical matter, that’s probably good practice. As a matter of law, absolutely NOT. The fact that you access email on your work issued device is NOT permission for your employer to actually access your personal email even if they have the password.

  46. Manglement Survivor*

    I hope your lawyer advises legal action!! And I hope you follow through. If you haven’t already, you should check all of your sent mail from that time to make sure they didn’t forward anything else important.

  47. Bubbles*

    Oh my, I would be beyond furious. This is a massive privacy invasion, and apart from new employer details, what other emails did they look at while in OP’s private inbox?

    I’m also shocked by having a nearly 15-year tenure and then being berated for wanting to leave.

    What selfish, selfish, immoral people. Absolutely toxic and well done for getting out of there.

    Now that you’re high and dry, I seriously hope you’ll give them their comeuppance.

  48. WaitWhat*

    Could this have been a case of the second in command accessing LW’s machine while it was left unlocked?

  49. Delta Delta*

    If I’m reading this correctly, OP *did not work there anymore* when this happened. That means that not only did the employer have some method for obtaining and storing their password (keylogger, from the sounds of things), but they waited until after OP didn’t work there, logged in, and forwarded an email, leaving a digital trail and a nice fat date/time stamp. Those saying, “whatever you do on a work computer is fair game!” seem to be missing things like a) federal law and b) the timing of the volitional acts. This isn’t “oops I walked by and saw something.” This isn’t going to end well for the employer.

  50. Hackthis*

    Apologies if this was already mentioned above (186 comments): always use two factor authentication. Preferably an authenticator app, but text message is better than nothing.

    Also, put a security pin on your cell phone account so that someone can’t trick the carrier’s tech support into moving your cell number to a new phone to intercept your text messages. It’s surprisingly easy to add and use the pin, and it’s surprisingly easy to steal your cell phone number if you don’t set a pin.

    Every account you own should be protected by two factor authentication. It’s not perfect, but it’s the best that non-computer scientists can do. It would almost certainly have prevented OP’s problem.

    1. Observer*

      “always use two factor authentication. Preferably an authenticator app, but text message is better than nothing.”

      Yes x 1million!

      “It would almost certainly have prevented OP’s problem.”

      Yes.

  51. Observer*

    I’m seeing a number of comments about key loggers. There is an interesting trick that one can use to bypass the problem, and that is to NOT *type* the password, but copy it from somewhere and paste it in. And make sure that you only use sites that actually encrypt your password when it’s sent over the network rather than in plain text. That keeps the sniffers from getting your password.

  52. HearTwoFour*

    OP, please, please, please give us an update as soon as there is ANYTHING to report!

  53. Blather blather*

    I had someone who read thru all my personal texts after I was let go – I had tethered the laptop to my personal phone (no company phone provided) in case of theft (a lot of travel required) and this person must have guessed my password in between the time I left and the time I got home to change everything. It was so violating. I would love to see the resolution on this one.
