By Brian Schrader, Esq.
We recently hosted a webinar with our partners at ACEDS on how to detect and prevent exiting employees from taking valuable company data, as well as how to respond if data has already been taken. Thanks to everyone who joined us and made it a very informative discussion! We received some great questions from participants, so here is a wrap-up of everything that was covered:
How common is data theft by departing employees?
It’s more common than you think. A survey published by Biscom in late 2015 found that 87 percent of employees who leave a job take with them data that they created in that job and 28 percent take data that others had created. Among the majority who took company data with them, 88 percent took corporate presentations and/or strategy documents, 31 percent took customer lists, and 25 percent took intellectual property.
Why do they take data with them?
Some do so inadvertently – they simply forgot they had the data in their possession. Others don’t feel or don’t realize it’s wrong because they figure anything they create while at the company is theirs to keep and do with it what they want. Then there are the few that take it with malicious intent, such as to compete with or hurt the former employer. A survey of 1,000 employees in the United States and Europe found that one in five had uploaded sensitive and confidential corporate data to an external cloud service specifically for the purpose of sharing it with others.
So what should the IT department do when an employee is leaving?
First and foremost, they need to take all the employee’s devices, including computers, tablets, external hard drives, thumb drives, backup discs, etc., as well as company credit cards, security access cards, parking codes, etc.
This is something that most companies typically do already. However, those devices should not be deployed to a new employee until forensic images of the devices have been made, especially for those employees who had access to important information, such as intellectual property, trade secrets and other things of that nature. Unless you have copies of this data on hand – ones that have been forensically copied to maintain the same metadata – how would you know that the former employee is, for example, using that information to benefit a competing company? If the device has already been deployed to a new employee without the necessary imaging, it’s very hard to prove that data was taken.
Also, it’s important to keep track of the chain of custody of any devices the employee used. You need to know who took possession of each device from the employee and where it was put. Was it locked up? Did anybody lose it? Did anybody get into that device, and if so, why? When did it go to the forensic company? Is there a common server or other device that may mean that data could be overwritten before you analyze it? Set a procedure for how you will handle devices and data when an employee leaves so you are prepared if a problem leads to litigation. You don’t want potentially vital evidence to be thrown out because of sloppy handling.
Once the employee has left, disable his or her access to computer systems, phone and voicemail systems, email, cloud providers, CRM platforms, etc. Also pay attention to social media accounts, and disable the employee’s access to accounts owned by the company.
Conversely, what should the IT department NOT do when an employee is leaving?
In addition to not re-deploying the devices until a forensic image has been made, the IT department should not, for any reason, go poking around on the computer just to “see what’s there” like in web search histories, document folders, etc. Often, we’ll encounter an IT person who thinks he or she is being helpful by doing this, but keep in mind that this may end up in court under the scrutiny of lawyers, a judge and the jury. All poking around does is trample all over the important data that we need to make our case. Once a forensic image has been made, though, they can look at whatever they want.
Why can’t I just do a back-up of the device?
A back-up is usually not sufficient to capture the full image of the data. An IT backup usually copies only active files – not deleted files or unallocated space. However, forensic imaging copies every bit of the data, including active files, deleted files, file slack (fragments) and unallocated space.
How can I prevent employees from taking data with them?
Companies should establish policies to limit employee access to sensitive and confidential data by role, function, need to know, etc. Employment contracts and agreements should also include clear language about ownership of sensitive, confidential and trade secret data while employees are working for a company. And all personnel need to be frequently reminded about this agreement, especially of management’s intent and right to monitor and audit employee behavior when using any corporate resource, such as a computer, mobile device or network.
Additionally, sensitive and confidential data should be encrypted in transit, at rest and in use, regardless of its location. Because of the significant amount of data stored on smartphones and laptops, it is vital that every mobile device can be remotely wiped by the company. However, doing so may destroy valuable evidence, so only do that when it is absolutely necessary.
Another way to protect data is to require two-factor authentication for sensitive content. Finally, managers need to be trained properly and on an ongoing basis so they are aware of the various issues involved when employees leave and are able to prevent exfiltration of data.
Let’s say a company doesn’t have the data theft clause in the employee contract, and it finds that a former employee has taken company property. What recourse does the company have at that point to go after that employee if it was never in his or her contract?
The bottom line is: It’s still theft. For example, just because you may not have a policy posted in the office that says, “Don’t steal office supplies,” stealing office supplies is still theft. Agreements like non-disclosures and others that limit what employees can take and share make things easier because the rules are defined, and it puts those rules proactively at the forefront of the conversation. But if you don’t have the agreement, you can still go after that former employee and ask them to return or destroy the data or face the consequences. It’s no different than if the employee walked out with the entire computer. Common law would apply here.
What is your advice for establishing policies and best practices around which data to keep and how to keep it?
It’s so dependent on the type of company you’re talking about. Generally speaking, a corporation needs to do a self-evaluation. What does the company see as critical information that it doesn’t want others to have, and how does it go about protecting that information through both policies and procedures? It’s important that you have both. Again, you shouldn’t have to tell people not to steal stuff, but if you do tell them in your policies, it makes the recovery after a theft that much easier. Check out our departing employees checklist for specific items and procedures to consider when an employee is leaving and returning their devices.
Would you advise more extreme measures to prevent data theft, such as locking down USB ports?
If there is absolutely no reason for employees to ever use USB ports in day-to-day functioning – where the only way they’d use it is to take data and put it on a flash drive to take with them when they leave – then it might be a good idea. Similarly, if they don’t need access to certain websites, you can block those as well. That helps increase protection, but you have to be very careful that you don’t hamper the ability of your employees to be able to serve your customers. It’s definitely on a company-to-company basis. Of course, just because you lock one door, it doesn’t mean they won’t find another way in, especially with so many sophisticated technologies available now. It’s smart to keep monitoring even after the employee walks out the door.
Do you advise that a company should image every computer and device for each and every exiting employee?
Not at all, and every company will be different. In implementing these policies, protocols and protections, a company needs to do a self-evaluation of their employee roles to determine general rules that should apply to each role – from what they can access to whether it’s beneficial to collect and preserve or even collect and investigate their data upon exit. And, of course, the manner of exit should always be a consideration too.
For example, for any software developers, or those developers at a certain level at least, who have access to the most sensitive company assets, from corporate information to patented technologies and other intellectual property, you might decide to collect and investigate as a default upon each such exit. Same for high-level sales people. But for lower-level salespeople, maybe you just collect and preserve their data for a period in case you later learn of potential issues. And of course, for those with little or no access to such data, then no such preservation and/or investigation protocols would be appropriate.
In the end, it comes down to a classic thought exercise where you must think about all the different roles within your organization, to what sensitive information those various roles have access, and the overall ROI on what it would cost to collect and preserve or to collect and investigate each such exited employee versus the cost to the organization of losing that data. When you think in those terms, the potential concerns should become very clear.
Thanks again to those who joined us for our recent webinar (which you can still listen to here). Keep checking our blog regularly for more insights into eDiscovery!