The Problems of Departing Employees and the Data They Leave Behind


Employee turnover is not just a human resources issue at most corporations. Using today's technology, many employees create, produce and store communications and work product not just electronically, but in virtual environments. The gadgets and communication methods at our disposal result in corporate proprietary information – even confidential data – routing through e-mails, voice mails, and instant messages. And all of this data is no longer stored on corporate networks, rather, it is found on laptops and cell phones that may or may not belong to the employer. But all of this data belongs to the organization for which the individual is employed, so what does this mean for corporate IT and legal departments when employees leave the company?

The importance of protecting confidential Information is amplified by the competitive marketplace and faltering economy.  Organizations need readily accessible solutions to reduce loss and theft of confidential information by departing employees. 

How to stop losing money through the theft of proprietary information

Protecting intellectual property and confidential information is critical in maintaining and growing market share.  According to a December 2007 study by the American Bar Association, U.S. businesses lose an estimated $59 billion due to intellectual property theft each year.  The number one risk factor associated with theft of confidential information is people in a trust relationship with an organization, namely current and former employees.

Too few companies focus on creating and implementing controls before it's too late, risking substantial cost in lost information, the cost associated with detecting theft of proprietary information, and the cost of reactive measures to address any resulting damage.

PROTECTING CONFIDENTIAL INFORMATION

Four key areas have been identified as likely targets for loss of proprietary information:

1)      Research and development data

2)      Customer lists and related data

3)      Financial data

4)      Strategic plans and road maps

The average loss for different industries was estimated to be between $332K and $404K per incident* (*Sources:  U.S. Chamber of Commerce, ASIS & PWC Survey Runzheimer's Int'l Mobility Report 2007)

MOBILE EMPLOYEES

 

Increasing employee mobility has a significant adverse impact on a company's ability to protect confidential information.  It is estimated that as much as 45 percent of the U.S. workforce is considered mobile, meaning they spend more than 50 percent of the time working away from a branch or office of their organization.  Whether traveling for work, telecommuting, or even just performing typical activities of salespeople that work apart from an organization's fixed office locations, this trend towards increasing employee mobility means organizations and managers have less control over the activities of their workers. 

In addition, more people are working on laptops, meaning that workers are able to physically transport data outside the four walls of an organization, creating security challenges around the privacy of organizational information. So even employees not typically categorized as mobile often engage in the same behaviors as those who are.

Organization cannot monitor activity outside the office or when employees' computers and devices are not connected to the company network.  This creates a number of security challenges, including questions about what Web sites people are visiting and what data is being transferred to a flash drive or home computer, as well as whether people are engaging in illegal activity or downloads.   All of these issues create monitoring and oversight challenges for the IT department as well as the overall integrity of organizational data.

Some of the issues that organizations are facing around mobile employees are the need for additional security protocols, password protections, and virtual private networks (VPN) for people to access proprietary company information to limit potential loss of valuable information. By requiring additional password protection or VPN connections when working remotely, organizations can more closely monitor who is accessing company information, when they access it, and if confidential or proprietary information is traveling outside of company protected channels.   If an employee has to use a VPN to access company lists, he/she will be much less likely to copy these lists to portable USB drives or - send the information to third party e-mail accounts because an IT administrator can track the data trail back to that individual's password-encrypted log-in via VPN. 

WHAT LEADING COMPANIES ARE DOING

One of the easiest steps for organizations to ensure the protection of proprietary information is to create an internal committee to specify policies for managing confidential data and information.  Many organizations are developing policies specifically addressing the challenges of having mobile employees in the organization.  Companies are developing policies mandating secured connections (aka VPN) that allow the organizations to capture all activity mobile employees engage in.  Other measures include limiting access to certain systems for mobile employees, requiring special passwords, as well as e-mail monitoring to control the flow of information in and out of the organization.

A second activity organizations use is the exit interview process to reiterate noncompete agreements in contracts and remind departing employees of their confidentiality obligations that extend even beyond their term of employment with the host organization.  This provides individuals with legal notice of their obligations and establishes the basis for pursuing individuals who may intentionally or unintentionally retain proprietary information that could be used outside of the organization after employment. General counsel working with human resources can develop a standard approach to ensuring this important step is not neglected during employee departures.

Another key step organizations are engaging in is preserving the contents of computer hard drives, as well as laptops for mobile employees and high risk departures.  By doing this, organizations are able to capture information on what Web sites employees have visited, what information they have created, any transfer of information outside the company (flash drives, external hard drives, private Web-based e-mail accounts, etc…), and any covert steps employees may have taken to cover up their actions by encoding or deleting information.

One important key in the preservation of equipment and information is that these collections must preserve legal chain of custody to ensure that the information is potentially available in a legal proceeding.  The legal term "chain of custody" essentially provides assurance that information collected is authentic and unaltered from the time that it is captured to the point where it is presented in a court of law.  Chain of custody refers to both a process for capturing information as well as the means by which the captured information is stored and protected from outside influence.  Once information is collected from the drives or devices of departing employees, the equipment can be redeployed instead of being kept in a vault indefinitely. This makes for a more cost-effective and efficient use of company resources. 

REDUCE RISK AND IMPACT THE BOTTOM LINE- Activities that can be fleshed out

Several benefits are gained from developing specific programs around departing employees, and these programs can go a long way towards isolating specific information and activities that are risk factors when individuals separate from organizations.  Some of the key elements that can be discovered through formal departing employee programs include identifying any improper activity by departed employees such as: removing or deleting files, whether data was copied off of a computer, which Internet sites were visited and what content may have been downloaded, and the use of company resources for personal reasons. 

Additionally, a formal program of this nature will help organizations defend against compliance inquiries and wrongful termination suits by providing information that will demonstrate what activities did and did not take place.

Developing a formal policy to address departing employees can help organizations defend against a litany of compliance, civil litigation, and wrongful termination suits, as well as maintaining compliance, and protecting against termination-related lawsuits. 

SUMMARY

Organizations need to be proactive and develop policies to ensure that information does not leak outside of the company when employees leave or are terminated. Intellectual property theft causes businesses to lose huge amounts of money each year and departing employees are the number one risk factor associated with theft of confidential information.

More and more, employees are working remotely or traveling outside of the firm or office branches, with little to no checks in place on what information is passing through their laptops, PDAs, and thumb drives.  Corporate counsel, information technology and human resources departments within every company should collaborate to develop policies and security protocols to protect confidential information and monitor activities of mobile employees, whether through increased usage of password protection or even requiring VPN access for any workers not physically connecting to the organization's internal network.

Companies should use exit interviews for anyone leaving the organization and reiterate ongoing obligations around confidentiality, nondisclosure, and ownership of information created or used during the period of employment.  Taking proactive steps to create and archive forensic images of departing employees' drives and digital devices can also significantly reduce risk and save money.  As a whole, legal, IT, and human resources should consult together and maintain continued vigilance in order to reduce risk, limit exposure, ensure compliance, and avoid surprises through intelligent management of data from departing employees and executives.

 


About the author:

Brett Tarr serves as general counsel for eMag Solutions, based in Atlanta, GA.  Before joining eMag, Brett worked as a practicing attorney at King & Spalding LLP, and has held chief operating officer, legal counsel, and senior marketing executive positions for several corporations over the past 10 years.  Brett has published articles on multiple topics involving electronic discovery, legal preparedness, and data security, among others.  Brett graduated Phi Beta Kappa from University of California at Los Angeles; additionally he earned his law degree from Duke University School of Law and also holds an MBA in Marketing and Management from Georgia State University.  Mr. Tarr can be reached at btarr@emagsolutions.com.