The start of a new year typically brings an increase in career movement as departing employees activity increase and people leave current employers for new opportunities. From a data, risk and litigation management perspective, that means it’s also time to be mindful of the potential impacts of such departures and take steps to protect the company and mitigate the associated risks.
The first step is to be certain you have a procedure in place to notify essential departments and team members as soon as it becomes known that an employee is departing (or even taking an extended leave of absence), whether voluntarily or not. While organizations differ, essential departments generally include human resources, information technology and legal, as well, of course, as the employee’s manager(s).
Notification though is just the first step. It’s important that those teams know what to do next. To that end, your teams should have specific, organizationally customized checklists of tasks that must be completed upon an employee’s exit. And again, while every organization is different, the primary high-level considerations are (1) legal and data preservation obligations and (2) system protection and information security.
With respect to legal and data preservation obligations, a departing employee should trigger a review of existing document retention policies, regulatory requirements and active legal hold obligations to determine if the exiting employee is subject to any such requirements. If so, there should be well-outlined steps that must then be taken to ensure the retention and preservation of both electronic and paper records.
With respect to system protection and information security, the IT department should immediately take steps to disable the exiting employee’s access to all systems (hopefully per policies in place long before the employee leaves). That includes not only the employee’s email and login credentials but also access to any corporate resources that might not be connected directly to the employee’s login credentials.
And don’t forget third-party systems like Salesforce, Netsuite and many, many more. While many of those solutions integrate with Microsoft’s Active Directory, which helps centralize access management (and the revocation thereof), many are not (or are not configured by the company to do so). Indeed, it’s critical that the IT team regularly review and update lists of both internal and external resources to ensure that all systems are part of the departing employee access revocation process.
Finally, those two general areas don’t exist in a vacuum. The IT department’s equipment destruction, recycling and/or repurposing of any individual resources – be that a laptop, tablet, cell phone, personal network storage location or other resources – must have consideration for preservation obligations. Often times that simply requires a sign-off by whoever is doing the data preservation review, but the step is an essential element and the one organizations most often struggle to successfully implement.
That said, the above is a very high-level review of some of the, more importantly, best practices in dealing with exiting employees. For a much more in-depth analysis of these issues, watch the recording of our Data Theft by Departing Employees webinar.