One consequence of the digitization of our world is that increasingly, ownership is viewed as belonging to the individual with login credentials for an account, as opposed to the business or entity that an account exists to serve.
As a case in point, we recently helped fire an embezzling office manager where a prickly issue emerged – the office was not using “domain” email addresses (e.g., email@example.com) but instead was using individual Gmail accounts like firstname.lastname@example.org. The question raised by our dentist client was how she could gain control over the Gmail account being used by her office manager.
We had to deliver the bad news that, notwithstanding that the name of the business was included right in the email account’s name, that in Google’s eyes, it is the departed office manager who is the “owner” of this account, and that Google has no procedure for the business owner to assert ownership over an individual email account, no matter what its name or how it has been used.
The potentially severe ramifications to a potentially hostile ex-employee having an ongoing ability to communicate with suppliers and patients should be obvious. It might be possible for the dentist in this case to remedy this by taking the former manager to court to compel them to turn over login information, but that is an expensive and slow way to correct a problem that should not have arisen at all. If your practice has a website, it also has a domain name registered to itself. It is tempting to make use of free and easy to set up Gmail or Hotmail email addresses rather than involve your IT company to set up domain-based email. However, as our client found out the hard way, the practice does not “own” these non-domain email addresses, whereas with domain-based email, you can revoke someone’s access or have a mailbox redirected to a different user with ease.
Another ownership issue that we encounter frequently relates to “merchant accounts.” When a practice accepts payment through credit cards, it establishes an account through a merchant service provider. The account is created in the name of the practice it serves, and the merchant service provider has the name of a “contact person” on file.
For many investigations that we do, we want to review activity in the merchant account to look for fraudulent transactions. Picture a situation where the office manager is under suspicion, but they are also the sole contact for the merchant account. If the monthly statements from this account are under the control of the suspect, the dentist, who wants to keep our investigation covert, will not want to go to this person out of the blue to ask for them. No problem, you say – you will just call the merchant service company and ask them to email duplicate copies of these statements to you. When you call the merchant service company, you receive a nasty surprise. They will not provide any information whatsoever to you without receiving authorization from the office manager. In fact, their protocol may be to call their contact to inform them that another party tried to access “their” information. Us not being able to access a key piece of information needed for our investigation is a problem, and the possibility of our involvement being revealed to the suspect because they receive a call from the merchant service provider is potentially a bigger issue.
Many online financial accounts, including merchant accounts, normally have the ability to provide for multiple contact people. The terms may vary slightly, but often there is provision for both an “account owner” and an “administrative contact.” The problem that we are seeing with some frequency is that in many cases there is only a single contact person listed, which makes them both the owner and admin contact. Since many of these accounts was set up by a team member, it may not have occurred to them to list the practice owner as the “owner” contact, and many dentists even discourage having themselves listed as a way of shielding themselves from receiving monthly statements and marketing emails that they would prefer not to deal with.
The ownership problem is not limited to retaliatory actions from a fired employee. What if your office manager was hit by a car? The same access issues exist.
And this problem has nothing to do with companies being difficult. Identity theft is rampant in our society, and every business needs to take precautions to ensure that it is not taking instructions from an identity thief. Unfortunately, this level of caution, when combined with the propensity of dentists to take little interest in non-clinical activities, can produce problematic results.
Your action step is to review the accounts used by your practice and to get yourself added as owner or a secondary contact for any “mission critical” business relationships. Obviously, this is far easier to do before you need access to these accounts in an adversarial situation.
Some of the accounts that should be reviewed to ensure that you have owner-level access are:
- Bank accounts. To their credit, banks have handled the difference between owner-level and staff-level access very nicely. If a staff member needs online access to your bank account, rather than sharing your login information as many dentists do, you can set them up with a more limited access that will allow them to check balances and verify if an item has cleared without having the ability to transfer funds or create new bill payees
- Merchant accounts
- Social media accounts. For a particularly egregious story of what a disgruntled ex-employee can do if they control a social media account, click HERE.
- Practice management software company
- Domain registration – imagine firing someone who has the sole control over your practice’s domain name. This person could shut down your website. Often domain registration is done by your IT company, who make themselves the contact. This approach is fine, but you also need to be listed as a contact in case the IT company goes out of business.
- Supplier accounts – every supplier should have you listed as the business owner.
So, if you are a practice owner, it’s time to take ownership of your stuff.