Skip to content
LPBN-Icon-v1 (1)
Legal Profession Blog
A Member of the Law Professor Blogs Network

“Forgot My Password” Email Access Leads To Bar Charges

By Michael Frisch

The Illinois Administrator recently filed a complaint alleging that an attorney engaged in misconduct as the CFO of an Illinois corporation that extracts and refines precious metals. 

The allegations involve the email account of an employee who had left.

When [employee] Wokoun began his employment with PMRS, he received from PMRS an email account with the address dwokoun@pmrs-refining.com (“work email”).

From at least the time Wokoun began his employment with PMRS to the date this complaint was filed, Wokoun also maintained an email account with Yahoo with the address d_wokoun@yahoo.com(“personal email”). During that time, Yahoo provided methods by which its users can regain access to their accounts in the event that their sign-on information was lost or forgotten.

On or about February 15, 2013, Wokoun added his mobile number, ending in “4695”, as a password recovery method for his personal email at Yahoo.

On or about March 16, 2013, Wokoun added his work email as an alternative password-recovery method for his personal email at Yahoo.

On March 1, 2014, Wokoun resigned from this employment with PMRS.

After Wokoun resigned from PMRS, Respondent deactivated Wokoun’s work email and all communications sent to dwokoun@pmrs-refining.com were automatically forwarded to another PMRS account with the address info@pmrs-refining.com (“the catch-all account”). All emails that were sent to inactive or misspelled PMRS accounts were automatically forwarded to this catch-all account, which Respondent monitored.

On March 4, 2014, three days after his resignation, Wokoun filed a three-count complaint against PMRS and its president, Sheldon Goldner (“Goldner”), in the Circuit Court of Cook County, in which Wokoun alleged battery, intentional infliction of emotional distress, and breach of contract. The clerk of the court docketed the matter as Wokoun v. PMRS and Sheldon Goldner, 2014-L-2339.

Following his resignation from PMRS, Wokoun did not remove his work email as a recovery method for his Yahoo email account until sometime after July 4, 2014. As a result, Respondent periodically received in PMRS’s catch-all account notifications of password changes to Wokoun’s personal email. Respondent did not notify Wokoun that his deactivated work email was still linked to his personal email, or that Respondent was receiving these notifications.

 On July 4, 2014, Yahoo’s password-recovery process required a user to go to Yahoo’s sign-on page and click “Forgot My Password”, upon which the user will be prompted to enter his Yahoo email account. Then, a user who had both a mobile number and an alternate email address on file could regain access to his Yahoo account in one of two ways: first, he could have received a SMS text message from Yahoo to his mobile number in which Yahoo would ask the user to enter an alphanumeric code provided by Yahoo and, upon entering the correct code, the user would be prompted to create and confirm a new password. This recovery method was Yahoo’s default option.

Alternatively, the user could have chosen to receive an email from Yahoo sent to the alternate email address in which Yahoo provided an account-specific uniform resource locater (“URL”) link that, upon clicking it within a 24-hour expiration period, would take the user to a Yahoo password-creation screen where the user can create and confirm a new password.

On July 4, 2014, during the pendency of Wokoun’s lawsuit against PMRS, Respondent took the steps detailed…above, and received in PMRS’s catch-all account a URL link provided by Yahoo. Respondent used the link to reset Wokoun’s password and intentionally gained access to Wokoun’s personal email account.

Upon gaining access to Wokoun’s personal email, Respondent performed with its inbox a search for “Jim Jackson”. Jim Jackson (“Jackson”) was the president of Chicago Direct Refiners, Inc., one of PMRS’s competitors. Respondent proceeded to open and read at least 15 email exchanges between Wokoun and Jackson that occurred between March 18, 2014 and June 1, 2014. In those emails, Wokoun and Jackson discussed the possibility of Wokoun becoming an employee or having a business relationship with Chicago Direct Refiners. Respondent subsequently provided copies of the emails he obtained from Wokoun’s personal email account to PMRS’s counsel.

On or about August 6, 2015, approximately 13 months after he first accessed Wokoun’s personal email inbox, Respondent, without disclosing his identity, mailed a package addressed to Wokoun’s attorney Daniel Hogan (“Hogan”) at Hogan’s business address. The package contained copies of the emails Respondent printed out from Wokoun’s personal email account…

On February 4, 2016, Wokoun filed with the court a motion for sanctions in case number 2014-L-2339. Wokoun’s sanction motion alleged that Respondent had wrongfully accessed Wokoun’s personal email account, which contained over 80 email communications between Wokoun and Hogan that were subject to attorney-client privilege. In his motion, Wokoun requested that the court enter a default judgment against the defendants and impose against them compensatory and punitive damages.

Sanctions were imposed in the litigation as a result that included a default on the merits.

 Here, the Administrator alleges that the respondent committed the state crime of computer tampering and engaged in conduct involving dishonesty in falsely representing to Yahoo that he needed a new password.

He also is alleged to have testified falsely in his deposition in the underlying litigation concerning the above conduct.

On January 23, 2015, Respondent gave his deposition in case number 2014-L-2339. During that deposition, Wokoun’s attorney Daniel Hogan asked Respondent the following question: “What investigation, if any, did you undertake to determine whether or not Dan Wokoun was involved with Chicago Direct Refiners of Illinois, Inc.?” In answering Hogan’s question, Respondent did not disclose that he had accessed Wokoun’s email on July 4, 2014.

On February 22, 2016, PMRS and Goldner filed with the court a response to Wokoun’s February 4, 2016 motion for sanctions. The defendants included in their response an affidavit executed by Respondent, in which Respondent stated that “on July 4, 2014, I clicked on a link contained in the most recent Yahoo email sent to the PMRS account” and that “after clicking the link and surprisingly being confronted with the Yahoo inbox, I was shocked to see that there were e-mails between Plaintiff and a known competitor.”

Respondent’s representation that he was “confronted” with Wokoun’s personal email inbox was false because at the time Respondent executed the February 22, 2016 affidavit, Respondent knew that he had taken multiple steps, including changing the password, in order to gain access to Wokoun’s personal email inbox, and that Yahoo never provided Respondent or PMRS with a link that led directly to Wokoun’s personal email inbox.

Respondent knew his representations…were false at the time he made them.

(Mike Frisch)

Posted in:
Bar Discipline & Process