If your departing employees are on legal hold, our updated Exiting Employee Checklist will be your new best friend.
Many savvy employers (and their HR or IT departments) already wield an exiting employee checklist of sorts when preparing for an employee’s departure and handling sensitive company data in that employee’s hands. With the recent eruption of remote work, massive layoffs, and crippling unemployment induced by COVID-19, a comprehensive exiting employee checklist is a must for businesses, particularly if the employees resigning or being terminated happen to be on legal hold.
Nearly 60 million Americans have filed for unemployment in the past six months. Even before COVID, organizations saw an average turnover rate of 18% (source: Society for Human Resource Management) and the average employee tenure at most organizations is around 4 years, according to the U.S. Department of Labor. This degree of turnover underlines the need for organizations to be proactive about meeting legal obligations and protecting their sensitive data when team members leave the company. Compiling a comprehensive exiting employee checklist is the most reliable way to prepare for a wide range of possible scenarios.
Why HR’s Standard Checklist is Not Enough
Most companies have a checklist in place for exiting employees, usually covering things like benefits, the status of projects, and the return of company property. While beneficial from an HR standpoint, these checklists don’t always consider the needs of the IT or Legal departments. A thorough exiting employee checklist fills in gaps that the HR department may not readily think about. The extra step is small, but the benefits are significant:
- Minimizes the risk of data theft by departing employees
- Protects confidential data
- Ensures that data under legal holds is identified and preserved
- Improves data hygiene
- Prepares you for a potential digital investigation
- Prevents the fire drill that occurs when an employee leaves and your organization doesn’t have a checklist in place
What Your Exiting Employee Checklist Should Cover
Make sure that your checklist focuses on:
- Informing all key leaders — in HR, legal, IT and other applicable areas — as soon as a triggering event happens, i.e. when an employee turns in their resignation or is terminated.
- Conducting an exit interview
- Reminding the employee of previously signed company policies regarding confidentiality and ownership of company data
- Collecting the employee’s company-supplied devices
- Analyzing the employee’s personal devices to remove confidential data
- Disabling employee access to all company networks and systems
- Having a data forensics expert collect and preserve all employee data, if necessary
Data Theft by Departing Employees
In our digital world and litigious society, it’s important for leaders across the enterprise to act in unison to protect company data. An Exiting Employee Checklist that covers everyone’s bases is your most reliable defense against one department’s efforts hampering or derailing another’s.
For example, there are important reasons not to instantly wipe an exiting employee’s devices, as has been customary in the past. Certainly, the inclination to delete everything in order to prevent your employee from taking data to their new employer is understandable. After all, regardless of the employee’s intentions, your spreadsheets with proprietary calculations, documents with detailed product plans, or other trade secrets could end up in the hands of a competitor.
That data leak or theft may go undetected for months or years, but at some point you will notice your carefully planned strategies and work product being used elsewhere. If you’ve already wiped the former employee’s devices or otherwise gotten rid of that person’s data, you may not have the legal grounds to fight the piracy successfully.
There is a similar problem if the departing employee is under a legal hold. If the data gets deleted because no one knew to continue holding it, the results could be disastrous, as the company would fail to comply with its preservation obligations. Even stored data, if not managed correctly, presents the risk of violation in the court’s eyes, which could lead to spoliation, sanctions, additional fees, and possibly a negative outcome in the legal matter.
(For an in-depth discussion of employee data theft, check out our webinar: Data Theft By Departing Employees: A Bigger Threat Than Hackers.)
Timing is Everything, Especially in Two Scenarios
Unfortunately, most data-related issues like the above examples come to light after an employee has left the building. That’s too late; before employees leave, you need to understand what data they have, where they have it, and what their intentions may be. In addition to any traditional existing checklists for departing employees, make sure to add a comprehensive Exiting Employee Checklist when you encounter the following two scenarios:
Scenario #1: When the exiting employee is under legal hold
Exiting employees who are on active or pending litigation holds should be walked through the process to ensure the necessary information is identified and preserved under the hold. It is not as simple as the standard exiting process: IT cannot just recycle the laptop and hand it back out. If certain legal-based procedures are not in place, the risk to the company is much higher.
Important To-Dos for Employers:
- Your exiting employee checklist should take litigation holds into account.
- The litigation hold process should go beyond understanding where the data lives—it should actively and properly preserve the data as well.
- Because HR’s involvement comes very early in the exiting employee process, two of HR’s first questions should be: “Is this person on legal hold?” and “Does this person have data that we need to process?” If the answer to either question is yes, this should kick off a new process that loops in IT, Legal and eDiscovery Project Management.
Scenario #2: When a key member of the organization leaves
Key members of the organization — such as C-level executives, senior engineers and department heads/leaders — have access to sensitive company data. When these team members leave the company, determine where their electronic and otherwise-pertinent data assets might reside, so you can proactively guard against leaked or lost data.
Important To-Dos for Employers:
- Include data security measures in your exiting employee checklist.
- Define the key people and their titles, and confirm there is a trigger to use this checklist if one of them leaves.
- If the departing employee’s data needs to be preserved, make a forensically sound copy, which captures metadata, USB device usage, file access history, deleted files and more. Forensic images are defensible in court, and they provide insight into activity that could determine innocence or guilt during litigation.
- Ask questions about future plans and employment to assess the likelihood of the employee walking away with company data. Remind employees about the detrimental effects on the company if data is taken and used elsewhere, e.g. the costs to remediate it from another company’s devices, the expense of an investigation or lawsuit, and the damage to the reputation of the employee and the new company.
Prevent the Problem Before it Occurs
Avoid the nightmare scenario of finding out too late that—accidentally or not—sensitive data left your organization along with a former employee. When an employee resigns or is terminated, your procedures should take into account more than the human resources department; they should include the IT team charged with protecting your data and the legal team responsible for preserving data for potential future legal matters.
BIA’s experts have seen firsthand what works and what doesn’t, and we understand what actions can prevent unnecessary time, expense, and frustration. Enlist our experts’ well-curated collection of tips to help you prepare for legal holds and avoid data theft by downloading our Exiting Employee Checklist and/or reaching out today.
Fill out the form below to receive our Exiting Employee Checklist in your inbox today, and enjoy peace of mind knowing that you’re doing your part to keep your company’s data safe.