Stephen Robertson, a self-described computer “guru”, could be the poster boy for Bad Hire Days.

Robertson worked for Corgan Associates, a Dallas architecture and interior design firm, and was terminated on December 18, 1998 for “theft, dishonesty, and misuse of the company’s computer system to hack into other companies’ computers,” according to documents filed by prosecutors in Dallas County, Texas.

According to those documents, three days later, on December 21st, Robertson hacked into Corgan Associates’ computer network. His intrusion was detected, and on December 29th he signed an agreement not to access Corgan Associates’ computer network again.

Employer Lesson #1:

At the root of behavioral event interviewing is the idea that past performance predicts future performance. This idea is not restricted to job performance. If you catch an employee hacking other companies’ networks, you should probably evaluate your own network security when you terminate him. Then, when the former employee actually does hack into your network, don’t give him yet another free pass!

One assumes that Corgan Associates felt that they had dodged a bullet and were glad to see the last of Stephen Robertson. Except that they hadn’t seen the last of him – not by a long shot.

Less than two weeks later, on January 11, 1999, Robertson went to work for the movie theater chain Cinemark as a systems administrator.

Employer Lesson #2:

Court documents do not indicate whether Cinemark attempted to verify Robertson’s prior employment at Corgan Associates or, if they did, whether they inquired into his reason for termination or eligibility for rehire. Imperative Information Group always recommends that prospective employers also ask former employers:

  • Whether the individual ever acted in a threatening, coercive, or abusive manner,
  • Whether there was ever any reason to question the individual’s integrity or honesty, and
  • If there is anything of which an employer considering this individual for a security-sensitive position should be aware (and the point of Bad Hire Days is that all positions are security-sensitive).

Had Cinemark asked these questions and Corgan Associates chosen to answer them directly, a lot of headaches might have been avoided.

Court documents indicate that on March 31, 2001, while still employed at Cinemark, Robertson used a “back door” he had built into Corgan Associates’ network more than two years earlier. Robertson had access to Corgan Associates’ network for one hour, twenty-six minutes, and fifty-two seconds, during which time he made changes to key network data. He also sent an anonymous email (or so he thought) to a former colleague at Corgan Associates, taunting him for the insecurity of his network. (See employer lesson #1 above.)

Local authorities were contacted and on August 30, 2001, Robertson (who still worked for Cinemark) was indicted in a Dallas County district court.

Six months later, on February 13, 2002, Robertson pleaded guilty to “breach of computer security,” a state jail felony. In the court’s documents, he admits that he illegally accessed and damaged Corgan Associates’ network. As a part of his plea deal, he was given five years of deferred probation, which meant that if he managed to stay out of trouble for five years, the indictment against him would be dismissed. He was fined $1,500 and ordered to pay Corgan Associates restitution in the amount of $5,749.

Employer Lesson #3:

This is a good example of why employers should (where not prohibited by state law) include dismissed cases (such as deferred adjudication cases where the probation has been completed) in their examination of an applicant’s criminal history. Robertson admitted in writing to the misconduct with which he was charged. An employer’s concern is whether it is reasonable to believe that the person engaged in the conduct alleged – not the shenanigans of the court system to expedite the processing of criminal cases through their backlogged system.

The Dallas County district court’s documents clearly list his employer as Cinemark, which raises the question of whether Cinemark was made aware of Robertson’s legal problems by the court or his probation officer. It is hard to imagine that Cinemark was aware of the admissions in his plea agreement and continued to grant him access to its own network.

Employer Lesson #4:

Many of the defendants in the criminal justice system are employed at the time of their arrest. Many are convicted over the course of their employment and, if no jail time is required during the work week, the employer is often unaware of the conviction. Employers should have policies that require employees to report any arrests to HR immediately. Employers should also consider a policy that requires background checks over the course of employment. Many of Imperative Information Group’s clients run criminal background checks on an annual or bi-annual basis. In addition, anyone who drives in the course of business should have a driving history requested on an annual basis.

Certainly Robertson had learned his lesson from all of these troubles and straightened his life out to become a model citizen and employee, one might say. Well, not quite.

Two and a half years after his guilty plea in Dallas County, Robertson committed a new computer offense – this time against Cinemark.

In mid-2004, Cinemark moved Robertson to “contractor status” and told him that his services would no longer be needed after that November. On November 19, 2004, Robertson illegally accessed Cinemark’s network and, according to his later admission in federal court, “removed some of my personal files, accessed a SQL server and stopped the service for financial applications… deleted a 60 GB PeopleSoft database, and stopped the automatic routines for the Cinemark server.”

The US Secret Service investigated this offense and Robertson was indicted in federal court for computer sabotage.

On December 12, 2006, Robertson’s Dallas County probation was discharged unsatisfactorily with a note that he was now in federal custody. (See employer lesson #3 above.)

On January 11, 2007, Robertson entered into a plea agreement with the federal prosecutor. He pleaded guilty to computer sabotage and was sentenced to 41 months in federal prison followed by three years of probation. He was also ordered to pay Cinemark $106,300 in restitution. He was released from the Federal Bureau of Prisons on September 29, 2009 (less than 41 months most likely because of time served awaiting trial and good time received) and will likely be on probation until 2012.

Now here’s the kicker – while his criminal history would dissuade almost any employer from hiring him in any capacity that dealt with computers, Robertson has formed his own consulting practice according to his LinkedIn profile and professional website. Clients listed since his release include The City of Dallas and Parkland Health and Hospital System (Dallas’ public hospital system).

 

Employer Lesson #5:

Even though contractors are not bona fide employees, companies are often held responsible for their actions. Likewise, once an individual has access to your premises (real or virtual), their status as an employee has little bearing on the amount of damage they can do to your assets, reputation, people, customers, or the general public. Procurement, HR, and other departments need to cooperate to ensure that the same “standard of care” that is applied to employees is applied to contract and consulting staff.