Phones across Hawaii lit up at 8:07 a.m. on January 13 with an alert that a ballistic missile was hurtling toward the state. Two minutes later, Governor David Ige learned that the alert had been mistakenly sent. But it took another excruciating 15 minutes before he took to Twitter to clarify that there was “NO missile threat to Hawaii.” Why the delay? Governor Ige later confessed that he forgot his Twitter password.
Employers can learn a lesson or two from the governor’s login woes. Having ready access to login credentials for your company’s online assets is crucial. Being locked out of your website, social media accounts, cloud services, and other digital assets can seriously damage your company’s operations and reputation. Securing user names and passwords is just as important as keeping track of the keys to your office or safe.
Here are five tips for keeping company login credentials safe and accessible:
- Designate a location for storing login credentials. Employees who are authorized to set up or modify online accounts on behalf of the company should be instructed to store login credentials in a designated location. That will prevent a frantic search for account information in mission-critical situations. The designated location can be a file in a specific folder or drive. If the file is encrypted (highly recommended), make sure the encryption code is stored in a safe place. In some situations, simply writing down login credentials on paper can work. Just make sure the paper is stored in a safe and identified location.
- Ensure that employees who need access to login credentials have it. Employees who need access to your online accounts should be told where login credentials for the accounts are stored. Supervisors of employees who regularly use online accounts should know where credentials are stored in case employees leave the company.
- Develop a protocol for modifying login credentials. Clearly articulate procedures for modifying login credentials to company accounts. For example, employees who make modifications should be required to inform their supervisor in writing about the changes and update the account information stored in the designated location.
- Use company e-mail addresses to set up accounts. Don’t allow employees to use personal e-mail addresses to register online accounts on behalf of the company. Only company e-mail addresses should be used to register accounts. If a login name or password needs to be reset, the reset confirmation e-mail is typically sent to the e-mail address under which the account is registered. If the registered e-mail address belongs to an individual, the company may not be able to complete the reset process if the employee (or ex-employee) refuses to cooperate.
- Specify ownership of online assets. Company policy should clearly specify that all online accounts created for the company are owned by the company, not the employee who registered them. Such a policy is especially important for social media accounts, which might seem like they belong to the employee who promotes the company using the accounts.
Having login credentials at your fingertips is important to your company’s success, even if the stakes don’t involve warnings of impending disaster.
Elijah Yip is a partner with Cades Schutte LLP in Honolulu, chair of its digital media and Internet law practice group, and an editor of Hawaii Employment Law Letter. He can be reached at 808-521-9326 or eyip@cades.com.