Countless formal and informal studies show that most employees retain at least some company data when they leave a job. The reasons vary from the benign (such as when an employee inadvertently keeps a work flash drive) to the more malicious (such as in the case of an employee’s deliberate theft of company trade secrets for use at a new job). Motivation matters only so much, though, because even the innocent retention of data can have far-reaching consequences.
Much like an ocean seal swimming through shark-infested waters, threats can come from any direction. There are the obvious ones, such as those involved when a new competitor hires your company’s best employees and encourages them to bring “their work with them.” The threats can also be more indirect. For example, an employee who copies large swaths of data for use as evidence to support a good-faith wrongful termination claim against the company can still, under the right circumstances, trigger a reportable data breach or a breach of the company’s contractual obligations to a third party.
The threats can even arise from third parties that come into contact with your data. A departing employee may back up her work computer to a personal cloud storage account and accidently change the parent folder’s permissions to “public.” Not only can this lead to the loss of valuable intellectual property—in the unfortunate event the publicly-shared folder included protected data—a state or federal agency may also use the company’s inability to detect or prevent the exfiltration (removal) of sensitive data as a basis to issue fines.
The threats can also be opportunistic. An employee with access to payroll and benefits databases who is working out the final weeks of a reduction in force notice period may decide to save her coworkers’ personal information for later use in the event she cannot find subsequent employment, becomes financially desperate, and determines that “borrowing” her former coworkers’ tax refunds is a financial cure-all. Perhaps this employee also works in IT and knows where to go on the internet to sell her coworkers’ identities. Whether arising in the context of a private lawsuit filed by the affected persons, a government investigation, or a shareholder derivative lawsuit, a fact finder may determine that the offending employee shouldn’t have had access to the data in the first place.
The threats can even come from inaction. For example, when reviewing the computer of a technical employee recently terminated for performance, a company may discover that the employee often backed up data to a flash drive to work on weekends. In the event he doesn’t respond to requests to return or delete data retained in that fashion, it may reasonably determine that he doesn’t pose a significant enough “threat” to justify the costs of litigation. While certainly understandable from a cost-benefit perspective, failing to act could undermine the protected trade secret status of an entire category of data in other scenarios and, in the right context, even undermine the enforceability of other employees’ noncompete agreements.
Striking a Balance
Regardless of how robust your security program is, there are always employees who will find vulnerabilities and exploit them. Clearly, employees must be able to collect, access, and use company data in the ordinary course of business. Convenience is the enemy of security, however, and that is especially true in the digital domain. You must therefore implement policies, procedures, and safeguards that strike an appropriate balance between security and convenience and, more importantly, reflect a company-wide commitment to security. Here are a few suggestions:
Know your company’s data flow and identify potential sources of data leakage. You cannot defend your digital castle without knowing where to place your guards. Thus, you must determine:
- What kinds of data they maintain;
- How data are collected, stored, used, and destroyed;
- Where data are stored, copied, and backed up;
- Who can access the data, how access is decided, and how it is policed; and,
- The potential avenues through which data can be exfiltrated to a location beyond the company’s control.
The good news is many companies have already thoroughly mapped their data flow and performed a vulnerability analysis. The bad news is those that have not probably have more significant concerns than departing employees because they are likely not in compliance with some U.S. and foreign cyber security and data privacy laws (GDPR being the most notable example).
Nevertheless, no matter how secure an environment a company believes it maintains, it’s certainly not uncommon for companies to discover unanticipated vulnerabilities after significant or embarrassing damage is done. It could even be something as simple as a forgotten legacy database available to a large set of employees that copies information from a more restricted database. Even so, a company cannot hope to reasonably anticipate potential sources of data leaks unless it can track the complete life cycle of its data from creation to disposal.
When it comes to access rights, follow the principle of least privilege. Many employees test the limits of their access at some point, typically by simple “data snooping.” Employees should be granted as few privileges as possible, preferable only those necessary to perform their job. This applies to data access privileges, computer and device privileges, application privileges, network privileges, and internet privileges. As clear cut examples, only the appropriate level of management should be granted access to “big picture” financial data, and very few employees should ever be given administrator level rights to their computer. At the end of the day, it’s significantly more difficult to exfiltrate data if the employee doesn’t have access to it in the first place.
Completely deactivate access on the employee’s last day. To avoid cutting off access too quickly or too late, this step requires close coordination between the employee’s managers, HR, and IT. Ideally, create a written protocol for departing employees using your data flow map as a guide to help ensure that all potential avenues of access are accounted for, including e-mail, network and remote login credentials, and mobile device access. Don’t disable her e-mail account, however. Instead, make sure her e-mails are forwarded to a manager’s account so that they can be monitored. Also, change the passwords of all client, vendor, or third-party accounts linked to the departing employee (Salesforce, ADP, etc.). Finally, remotely wipe all company data from her mobile devices.
Always conduct an exit interview. The exit interview is probably the most effective way to prevent data retention. While it can be a valuable tool for soliciting employee feedback, ensuring that coworkers know where data has been stored, and recovering company property, it’s also your first opportunity to assess any threat the employee may pose.
If she executed an nondisclosure or noncompete agreement, give her a copy and review it with her. Even if she didn’t sign any formal agreements, still remind her that she is prohibited from using or disclosing your company’s confidential information. Also, formally request that she return all company property, including mobile devices and credit cards, and agree to a process for returning them. Finally, if she is subject to a restrictive covenant, ask her where she will be working next and what her new job’s roles and responsibilities will be. Although employees aren’t always honest during exit interviews, a misrepresentation about their next job is certainly relevant in any subsequent litigation. Take notes of what she tells you, or better yet, prepare a written exit interview questionnaire for her to complete. Make sure you confirm her contact information, including a mobile phone number and e-mail address.
Trust but verify—audit departing employees’ activities and preserve evidence. Following separation, review the employee’s computer to determine if she recently deleted any data, connected any storage devices, or ran any unauthorized programs that didn’t require installation (such as encryption or erasing applications that can load from a flash drive). Additionally, most network servers and content archiving systems have logging capabilities that allow a company’s IT department to create various levels of alerts triggered by suspicious activity. Although exactly what constitutes “suspicious activities” is highly fact-specific, common examples include:
- Multiple attempts to access unauthorized data or certain classes of unauthorized data;
- Bulk file copying of any kind;
- Attempted installation of unapproved software;
- A new mobile device;
- The use of a non-company virtual private network; and
- Remote access that is inconsistent with the employee’s historical usage.
If you’re confident with the rules you set up to trigger alerts, then review all alerts associated with the employee for at least the last 90 days. If you are less confident that your alert rules will identify suspicious activities, then manually review her activities for the last 90 days. If any behavioral anomalies warrant further investigation, turn off her computer and arrange to have it forensically imaged and analyzed. If your IT department has the capabilities to conduct a forensic review, then make sure to image the hard drive first because continued operation of the computer can overwrite evidence of recent suspicious activity.
While the threat of data leakage can never be eliminated, it can be minimized and mitigated with proper security practices that anticipate how a company’s data can leave its control. Departing employees present a particularly vulnerable attack vector because they typically know what data they have access to, where it is located, and how it can be copied. Companies must therefore make sure to take this risk seriously by incorporating strategies for dealing with departing employees into its security program. Your company’s survival may very well be at stake.