(Illustration by Jack Ohman)

Dilemma of the Month: An Employee Accidentally Shared an Email With Sensitive Data. How Can We Know It Won’t Happen Again?

The Evil HR Lady addresses apologies and how to take them

Oct 2, 2025 By Suzanne Lucas

This story is part of our October 2025 issue.

One of my employees, let’s call him Steve, accidentally sent an email with the wrong attachment to the whole company of 100 people. Unfortunately, that attachment had employee data that could have led to identity theft. Thankfully, IT jumped in quickly and was able to delete the email before too many people opened it, though we don’t know for sure how many did.
I don’t want to fire this person if I don’t have to, but this is a serious mistake. What I need to know is: What would you consider appropriate signs of remorse, and what kind of action plan should be put in place so that this is handled with a formal write-up instead of resulting in job loss?

I’m glad that you aren’t jumping straight to termination. Mistakes happen, and while this one was a doozy, it does sound like it was a legitimate mistake. Firing the person won’t make someone else less likely to make the same mistake, and Steve (unless he’s shown a pattern of flaky behavior) is unlikely to do this again.

But your question is a bit off-putting. You understand it was a mistake, albeit a serious one. Your IT department was able to mitigate the effects. I presume you told employees who opened the email to delete it. Did Steve not apologize? Did he not indicate that he feels bad?

If that’s the case — if Steve is saying, “I don’t understand why everyone is so upset. It’s not like I sent it to the New York Times!” then that’s a huge problem.

But if you’re looking for groveling — well, that’s a problem on your side too. Let’s break this down.

What “appropriate remorse” means

I suspect that you’re not looking for remorse so much as you are looking for assurance that this kind of data breach won’t happen again. At least, I hope that’s the case.

If you’re looking for Steve to grovel at your feet and beg forgiveness, it’s probably best that you and Steve part ways. If you’re not going to forgive him, no amount of remorse will do.

And that’s important to remember — someone can only be so sorry before it starts causing problems in your relationship.

There is, of course, an inappropriate level of apathy. As I said, if Steve is defiant, defensive or doesn’t see what he did as wrong, that’s a red flag and also an indication that you should consider letting Steve go.

However, if he has apologized, expressed regret, promised not to make this type of mistake again and has worked with the company to prevent such errors from occurring again, that is appropriate remorse.

And then it’s in your hands. Can you forgive? If so, then appropriate remorse has been met.

Different people will react, well, differently. So while you might sob if you made this error, Steve may not, and that’s okay. What you want to see is action beyond the apology. What steps is he taking to stop this from happening again?

An action plan

As you didn’t say exactly how the error happened, an action plan may or may not be necessary. If Steve attached the wrong Excel file, no amount of action planning will guarantee that doesn’t happen again. You can say, “Make sure you double-check your attachment before you hit send,” but that’s about it.

If Steve was working on 14 projects at once across three computer screens, you can make efforts to help Steve focus on one project at a time. Caution: This may mean reducing Steve’s workload. Errors happen when employees are overworked.

Another possible thing to do is ask why Steve had a file with personal employee data. Yes, companies need the names, birthdates, Social Security numbers and home addresses of all employees. However, it’s quite rare to need to input all that information into a spreadsheet.

If you’re sending data to your benefits provider via an Excel file, there is probably a better, more secure way to do that. Invest in an HR system that helps keep confidential data secure and protected.

Steve, since he clearly has access to this information, is probably your best source for the solution and actions to take next. He knows why he had that file that he accidentally sent to everyone.

And, of course, another course of action is to require a double check before sending an email to “all.” Many email accounts will allow you to set up a warning if you’re sending to too many people.

In other words, this isn’t about Steve’s performance; it’s about ensuring that no one makes this error again. Once you’ve done that, let it go. You’ve documented the error, so if Steve makes another big mistake, you can show him the door. But for now, you’ve done enough.
