Protecting Your Company Data When An Employee Leaves

Last updated: 2020-11-18 (originally published on 2019-02-15)   — by Jasmine Su

At some point, employees are bound to leave the organisation. As you bid farewell to an employee, how do you ensure that they do not take sensitive company data along with them? What are your steps for protecting company data?

In an ideal situation, people will leave the company under friendly circumstances and return to the company everything they accumulated over their years of hard work. Unfortunately, that ideal world does not exist. More often than not, people leave the organisation on rather unhappy or bad terms. If it is the latter, there is the risk that these employees will attempt to put the company in a bad light by leaking confidential information about the company. According to a survey, 31% of data breaches have led to employees losing their jobs.

Here are some steps and protocols which organisations should adopt to ensure that no data leaves with an employee who has resigned or was terminated.

1. Utilize Robust Employee Agreements

Panic sets in when an employee who knows trade secrets leaves. An employer must utilize non-compete and non-disclosure agreements with appropriate employees (which may include salespersons, engineers, IT professionals, and others depending on the nature of the company’s data) to protect company data. These agreements should include policies that encompass data loss prevention, be reviewed and updated regularly, and comply with the nuances of different countries’ laws. As an employer, you must understand the fundamentals of an employment contract before signing.

2. Limit the employee’s access to IT systems and premises

Steps should be taken to ensure that the leaving employee’s access to the company’s IT systems and folders is completely revoked. Ideally, this should be done at the earliest reasonable time, whether that is the date of resignation, termination, or the start of their garden leave. Furthermore, while these systems may be located at or accessed via the employer’s premises, do remember that off-site items such as laptops or tablets should be wiped as well. This will minimise the risk of the leaving employee stealing sensitive information or gaining access to the company’s IT systems even after he or she has left.

3. Proactively Monitor Employee Activities

You can employ monitoring solutions that track the individual actions of employees and find inconsistencies in behaviour over time. For example, activities might include tracking the websites that employees visit, storing social media posts and instant message conversations, compiling a list of files they downloaded, or detecting the forwarding of large numbers of emails to personal accounts.

If you decide to proactively monitor all employees, this activity should be included in your corporate employee handbook and you should educate them on why and how it will be used for protecting corporate data. Employees do not want to feel that they are not trusted and that someone is watching their every move, so it is important to discuss how this activity will also protect them, the company and clients from cyber-attacks, malware, or unsafe actions by unwitting employees.
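As an illustration of the "inconsistencies in behaviour over time" check described above, the following added example (not part of the original article) flags a day on which a user sends far more mail to personal webmail accounts than their own earlier baseline. The log format, the domain list, the thresholds and all addresses are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Assumption: a short, constructed list of personal webmail domains.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample mail-gateway records: (date, sender, recipient).
SAMPLE_LOG = (
    [("2024-03-0%d" % d, "alice@corp.example", "alice.home@gmail.com") for d in (1, 4, 5)]
    + [("2024-03-0%d" % d, "bob@corp.example", "vendor@partner.example") for d in (1, 4, 5, 6)]
    + [("2024-03-06", "alice@corp.example", "alice.home@gmail.com")] * 40
)

def daily_personal_counts(records):
    """Count messages per sender per day that go to personal webmail domains."""
    counts = defaultdict(lambda: defaultdict(int))
    for date, sender, recipient in records:
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            counts[sender][date] += 1
    return counts

def flag_forwarding_spikes(records, min_count=20, factor=5):
    """Return (sender, date, count, baseline) for days where the count is at
    least min_count and more than factor times the sender's median count over
    earlier days on which they sent such mail (baseline 0 if there are none)."""
    alerts = []
    for sender, per_day in daily_personal_counts(records).items():
        days = sorted(per_day)  # ISO dates sort chronologically
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            baseline = median(history) if history else 0
            count = per_day[day]
            # max(baseline, 1) keeps a zero baseline from flagging tiny counts
            if count >= min_count and count > factor * max(baseline, 1):
                alerts.append((sender, day, count, baseline))
    return alerts

if __name__ == "__main__":
    for sender, day, count, baseline in flag_forwarding_spikes(SAMPLE_LOG):
        print(f"{day} {sender}: {count} messages to personal mail (baseline {baseline})")
```

Comparing each user against their own history, rather than a company-wide limit, keeps routine senders from drowning out the one account whose behaviour changed.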

4. No Cause of Action or Criminal Charge Available

How a company stores and safeguards its data can potentially limit what types of legal remedies are available if data theft occurs. For example, a company must take steps to keep its valuable data confidential; otherwise that information may not be legally considered a “trade secret” under both the federal Defend Trade Secrets Act as well as most state trade secret laws. Further, there may be no “unauthorized access” claim under the Computer Fraud and Abuse Act if access to confidential information is broadly given to all employees.

5. Ensure data protection on an employee’s device

An employee’s device might have synchronized information like email, contacts, and calendar entries, and sometimes data files, with the corporate network. Such synchronization is productive, as the employee can access data from anywhere, but it becomes a problem when the employee leaves the company. In this case the valuable and sometimes sensitive corporate data is now on an employee-owned device, and the company may or may not have the ability (legal or technical) to delete information from the employee’s device. Protecting company information or data is very difficult under such conditions when an employee leaves the job.

For example, I worked with a law firm that fired its administrator, who had been using her own personal BlackBerry for remote access to email, calendar, and contacts. After the termination, the firm was unable to delete any of its data from the administrator’s BlackBerry, because no policy was in place before the termination granting them permission to wipe data from employees’ devices, and the administrator refused to grant them access after the termination. Detailed contact information and email exchanges with the firm’s clients were now in the hands of a non-employee of the firm, representing at the very least a compromise of the firm’s clients’ confidentiality, and possibly a breach of the law firm’s ethical responsibility.

So in such cases an employer might create a strong policy on ownership of such data and take the right to delete it.

6. Enforce the garden leave

Depending on the terms of the contract, many companies grant their leaving employees garden leave, regardless of whether they are joining a competitor or not. Essentially, garden leave is when an employee resigns and is required to stay away from work during the notice period while still remaining on the payroll. This is extremely useful in preventing an employee from immediately joining a competitor and taking sensitive information over to the new company. You can implement this for high-level staff to protect company data.

7. Ensure steps are in place for the employee to return any confidential information

Employees might be bound by contractual terms to return and not to use confidential information belonging to the employer. Such information may relate to a company’s private financial information, sales figures, customer lists and so forth. Hence, steps should be taken to identify and recover this confidential information, be it documentary or electronic. Furthermore, ensure that all off-site devices belonging to the leaving employee, such as tablets and laptops, are returned. Implementing these steps early in the process can reduce the possibility of the company’s information being leaked or used by the leaving employee for their own purposes.

8. Backup and Archive All Data

Backing up is always the right choice. While many companies already have company-wide data backup and archiving solutions in place – especially for email – they do not take into consideration the possibility that individuals or teams of employees might have storage solutions that are not approved by or are unknown to the IT department.

A marketing department, for example, creates, stores and shares extremely large files to develop trade show graphics, high-resolution printed collateral and other marketing materials. To enable the easy storage and transfer of these files between employees and outside vendors, marketing teams often use cloud storage tools like Dropbox, which may be unknown to you and are never backed up on the corporate network.

An archiving solution takes data protection one step further with the ability to capture company data, store it indefinitely and protect it from employees attempting to change, steal, or delete content. However, remember that an employee who has been planning to gain access to company data for some time and has set up a separate, personal file syncing solution will be able to modify and delete data outside of the archive.

9. Communicate with your staff

In some situations, a leaving employee may approach other employees to try and persuade them to leave as well. Communicate with your employees to ensure a clear understanding that such behaviour is not acceptable and might be a breach of their own contractual obligations as well. Furthermore, be proactive in encouraging them to report any incidents in which a leaving employee makes unlawful advances or is caught stealing the company’s sensitive information.

With data breaches becoming increasingly prevalent in the workplace today, coupled with a handful of potential thirsty-for-revenge employees, organisations need to take extra precautions to safeguard the company whenever an employee leaves. It might be a tedious task but it is necessary to enforce these steps. Ultimately, your company’s reputation and security of your customers and clients depend on it.

This article does not constitute legal advice.

The opinions expressed in the column above represent the author’s own.
