
I'm curious if GoDaddy is setting itself up for a lawsuit from employees.

IANAL, but I could imagine a court interpreting this as a promise for compensation.




IAAL (this is not legal advice). An offered but undelivered gift conveys no legal obligation on the would-be donor. In order for it to become an enforceable contract, some sort of additional consideration would need to be required from the employee over and above their existing work (e.g. overtime, extending a contract, etc.), and a promise to do that would need to be accepted from the company.

This is covered in first-year contract law.

That said, an employee might be able to recover from injuries on the basis of promissory estoppel if they relied on the promise of a bonus to their detriment.


Employee bonuses are not gifts. They are compensation.

Moreover, as labor-related/compensation, they are generally subject to administrative regulations that trump general rules of contract law.

They cover that in your second or third year of law school, if you take employment law or administrative law.


Remember kids, stay in school!


If:

1. The company sent bonus emails in 2019 via email

2. The offending email was from 'happyholidays@godaddy.com' (instead of 'goCLaddy.com')

would it change the legal perspective? I could totally see myself seeing such an email and making decisions based on the premise that I had additional income coming. I think I've read advice in the past that if a "reasonable person" would believe it, then it counts as an informal contract or something.


Yeah, promissory estoppel is a thing. It's not technically a contract, but it's equitable relief that might be available if there's reliance and no other remedy.


I wonder if any jurisdiction has laws against entrapment of their workers. If not, there ought to be a law that forbids employers from setting their workers up for failure.


Would all pentests be regarded the same way?

The most extreme example (I can think of) would be that the company gets a pentester to attempt to bribe employees to disclose privileged materials to an apparently unprivileged person. Would you see this 'as a promise for compensation'?


Not if the tester was an outside contractor and it’s reasonable to be suspicious of someone you don’t know asking for information in exchange for money. But it’s a different story if a company worker was doing the “test” and offered me money for company information. That’s pretty much my normal job (get paid for giving people information), why should anyone be suspicious of that?

Obviously we could come up with details that make it sound completely ridiculous, or totally normal. If someone calls me and says they’ll share the bounty/award money for helping them fix a problem, that sounds normal. If a janitor offers to pay me money to throw away proprietary info without shredding it, that sounds suspicious.

But the point here is that an internal email about having to put in info for your bonus isn’t necessarily suspicious. I have my regular pay and my travel reimbursement deposited into two different accounts right now, so I wouldn’t bat an eye at needing to provide account info for a bonus.


Do you consider:

a) Being gifted a TV by a friend

b) Someone telling you they'll help you steal a TV from your friend's house

To be the same thing? Because one involves a perfectly reasonable and legal promise, and one does not. If you can't tell the difference, remind me not to invite you over.


An undelivered gift is not a contract. This is covered in first-year contract law.


For someone who is not a lawyer, you're making some strong statements about the legal aspects of this situation.

Yes, it's true that an undelivered gift is not a contract...but you seem to have forgotten (or possibly never learned) about promissory estoppel. If the giftee was told of the gift and reasonably acted upon the expectation of the gift, then the gifter could very well be obligated to actually deliver the gift. This is covered in first-year contract law. There are indeed a great number of cases on this point in which the gifter was required to provide the gift.

Also, generally employee bonuses are considered compensation for labor, not gifts. Labor laws trump contract laws. If a company tells an employee that they are getting extra compensation through an official means of communication (like an internal email), they may very well be bound to that, even if it turns out the email was just a phishing test sent by the IT department. You do not fuck with the Labor Board.


You're totally right about promissory estoppel (I updated my other comments about that). It's been a while since I was in 1L :). Again, nothing I say should be construed as legal advice. Appreciate the feedback.


While that may be the case, an undelivered gift is still worlds different than an undelivered bribe.


I'm not sure what your point is.


That nickff's comment asked whether both a promise of a bonus and a promise of a bribe would be equally considered a "promise of compensation"? That's who I was replying to.

Whether or not a promise of a gift is a legally binding contract, there's a vast difference between a promise of a gift and a promise of a bribe.


I guess my question is, even if they are different, why is that difference material for the purpose of the conversation?


If a company had a pen tester offer bribes to people, and those employees accept bribes, the pen test was indeed failed and those employees should be rightfully reprimanded. That's good security.

If a company had a pen tester send what appears to be a perfectly legitimate message to employees offering them a company bonus for responding (during a worldwide pandemic where everyone is short on money), and then says it was a pen test and they've failed, that company is awful and heartless. There might not be a legal case against them, but the company is still deserving of public scorn and outrage.


Put yourself on the other side. If their employees are failing this test when they send such messages themselves, the company cannot feel comfortable that they are secure if a malicious actor sends such messages to their staff. It's a case of bad vs. worse. There are no winners here.


It's a message from a valid internal email address. If a company's own email servers can't tell the difference between valid internal mail and external phishing, that's the company's problem, not the employees'. If the company's email is hacked so that a hacker can send valid emails from a legitimate internal email address, that's the company's problem, not the employees'. Nothing of value was learned by this test, besides the disdain GoDaddy has for their own employees.

If I put myself on the other side, I'd stop producing gross sexist ads, stop supporting overreaching internet legislation, and stop treating my employees like garbage.


You're assuming, incorrectly, that phishing attacks can't come from the inside.


If a hacker hacked the CEO's email address, and then used that address to email their secretary asking for information, and the secretary responded... that is not a security failure on the secretary's part. That's the CEO's security issue, and the company's security issue. Therefore, it's a useless pen test, unless the purpose is to tell employees no emails from anyone can be trusted.

A phishing email can come from the inside. But seeing whether employees will respond to a valid internal email is not a test of employee security. And in this case, it was as heartless as it was useless.


Turns out the email wasn’t sent from the internal domain, but from gocladdy.com. There was some poor kerning in the screenshots.
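The thread ends on a sender domain that reads like the real one once kerning blurs "cl" into "d" (gocladdy.com vs godaddy.com). The following is an added Python example, not code from the discussion, showing how a mail filter can fold such confusables away before comparing a sender's domain with the organisation's own; the confusable tables, function names and sample headers are constructed here, and only the two domain names come from the thread.

```python
from email.utils import parseaddr

# Multi-letter sequences that render almost like a single letter in many
# proportional fonts. "cl" -> "d" is the gocladdy.com/godaddy.com case from
# the thread; the others are common companions (constructed list).
KERNING_CONFUSABLES = {"cl": "d", "rn": "m", "vv": "w"}

# Single characters commonly swapped for a visual twin (constructed list).
CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def canonical_domain(domain: str) -> str:
    """Fold a domain to the letters a human reader would most likely see."""
    d = domain.strip().lower().rstrip(".")
    for seq, letter in KERNING_CONFUSABLES.items():
        d = d.replace(seq, letter)
    return d.translate(CHAR_CONFUSABLES)


def _matches(domain: str, protected: str) -> bool:
    # Exact match or a subdomain of the protected domain.
    return domain == protected or domain.endswith("." + protected)


def classify_sender(from_header: str, protected_domains: list[str]) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value.

    'lookalike' means the literal domain is not ours, but it reads like ours
    once kerning and homoglyph confusables are folded away.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"  # malformed or empty address is never treated as internal
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    for protected in protected_domains:
        protected = protected.lower()
        if _matches(domain, protected):
            return "internal"
        if _matches(canonical_domain(domain), canonical_domain(protected)):
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers; only the two domains come from the thread.
    samples = [
        "Happy Holidays <happyholidays@godaddy.com>",
        "Happy Holidays <happyholidays@gocladdy.com>",
        "Payroll <bonus@mail.godaddy.com>",
        "Someone <someone@example.org>",
    ]
    for s in samples:
        print(f"{classify_sender(s, ['godaddy.com']):9s} {s}")
```

A lookalike verdict is a reason to quarantine or tag the message for review, not proof of malice on its own, since legitimate third-party domains can also fold onto a protected name.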



