When Key Employees Quit: 5 Things You Must Do to Keep Control of Critical Data

By Michael Ciaramitaro and Sarah Brown
July 01, 2019

Losing a key employee is never easy — they often take with them institutional knowledge, great internal and external relationships, and critical skill sets. Some even may leave behind a leadership vacuum or rupture a team's cohesion. All this is difficult enough, but if they take confidential information with them, it becomes a more pressing challenge. Organizations today rely heavily upon technology and electronically stored information (ESI) — and when employees leave, there's always a risk that they'll take some information or data with them when they go, either inadvertently or on purpose.

This poses organizational risks in terms of data privacy and security, intellectual property and competitive positioning, so it's important for legal and compliance teams to identify risks associated with departing employees, and to adopt policies to safeguard valuable information.


Modern Work Practices

As companies embrace new technologies and adopt modern collaboration tools such as Slack, OneDrive, SharePoint and Microsoft Teams, information is duplicated, replicated and increasingly accessible to a broader range of employees across many devices, from desktop to mobile to cloud.

With the rise of bring your own device (BYOD) policies, it's not unusual for staff to use a mix of company laptops, personal smartphones and any number of handheld devices to access email, voicemail, documents and data — and employees often have remote access to company servers.

These technologies have increased productivity and reduced friction in employees' lives. However, this new way of working can considerably increase the risk of employees walking away with sensitive data, even inadvertently. Without proper procedures, it is remarkably simple for staff to remove critical company data without immediate detection. Multiple devices, both personal and business, make this more difficult: It can be harder to prove access, thus making it harder to take remedial, disciplinary or legal action.

It may seem paranoid, but securing data when employees leave, even amicably, is one of the best things an organization can do to protect its data. The stakes are high: Many organizations' greatest assets are their employees, and their knowledge is incredibly valuable. And, most employees have access to a veritable mountain of competitive information — company assets that exiting staff could be tempted to remove prior to moving on to, say, start their own businesses or work for competitors.

This information could include client lists and contact information, proprietary pricing information, strategic plans or proprietary product roadmaps: All assets no company wants to share with its competitors. Yet because of the ease of storing, transferring and finding this information, it is now potentially more accessible than ever to a wider circle of employees and future ex-employees. To reduce the risk of misuse, savvy organizations must adopt a strategic approach to safeguarding confidential information.


Reducing Exiting Employee Data Theft: Top Five Tips

1. Assess the risk: No company can evaluate risk if it doesn't understand the location and use cases for the tools and technology its staff uses. Ensure that you understand:

  • What the tools and technology can do;
  • How much information they can retain;
  • How and where this information is stored;
  • Who has access to what categories of information, and why;
  • How the information can be transferred to other devices; and
  • What safeguards are currently in place, and which are available but not being fully or properly utilized.

2. Collaborate with the internal IT team and external providers: IT and compliance teams will have much of the information required to make this assessment. They may even have a data map listing company asset assignments, information storage structures, role-based access controls, and more. An external specialist may be helpful to evaluate the information landscape and implement a security strategy.

3. Devise a policy: After completing a thorough risk assessment, formulate and distribute to all staff a clearly-worded company policy on the use of technology, information and tools. This policy should include, at a minimum:

  • A list of the technology available to staff, setting out which employee categories are authorized to use which tools, and detailing those employees empowered to authorize upgrades/modifications to company-owned devices.
  • A list of the circumstances in which transferring company or confidential information from organizational servers and portable devices to personal/third-party devices is permitted, along with the chain of command for approving such transfers.
  • Details about the company's policy on appropriate use of confidential information and outlines of what actions employees may be subject to should they violate that policy, up to and including disciplinary action, termination, and civil or criminal prosecution.
  • Explanation of the company's monitoring strategy as a deterrent against wrongdoing.
  • Access restrictions around certain activities. Common prohibitions include blocking Web-based email like Gmail, Hotmail, Yahoo, etc.

4. Policy Administration: A policy is nothing if not well-enforced. Appoint a team whose task it will be to:

  • Administer the policy;
  • Monitor abuse;
  • Keep abreast of technological developments and their implications for the policy; and
  • Implement change as technology evolves.

5. Defend Against IP and Data Theft with a Departing Employee Program: Implement a consistent, thorough departing employee program designed to investigate departing employees and defend against data theft:

  • Preservation: Preserve and collect the departing employee's data assets (phone, computer, flash drives, etc.) using forensically sound methodologies to protect the state of the data.
  • Investigation: There are common means for an employee to exfiltrate data prior to their departure. An effective departing employee program will unmask these exit points.
  • Email Analysis: The most common method for data exfiltration is through email. An employee may email files to their new employer or to their personal email account then cover their tracks by deleting those email communications. An effective email analysis should thoroughly review both deleted and non-deleted emails.
  • USB Analysis: When an employee steals large amounts of data, they will often use an external flash or hard drive. A USB Analysis will reveal USB mass storage devices and often uncover mass exfiltration.
  • Deletion Analysis: Employees may destroy data upon their departure by deleting files and folders. Through the use of specialized digital forensic software, these may be recovered.
  • File Activity Reports: The best way to learn what the departing employee was doing is to evaluate file activity through LNK files, Jump Lists and other hidden system databases located on their recovered computer or mobile device. This analysis can reveal access to sensitive IP.
  • Internet History Analysis: Analysis of internet usage may reveal proof of evidence spoliation, data tampering, or even nefarious behavior. Internet history can show Google searches such as, “How to copy contacts from Outlook,” or “How to permanently delete an email from Outlook.”
  • Anti-Forensic Analysis: When someone has stolen IP they may try to cover their tracks by using anti-forensic software like BleachBit or CCleaner. These tools always leave traces behind which can be uncovered and used to show intent.
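
As an added illustration of the USB analysis step above (not code from the authors or from Inventus), the sketch below reads a copy of a Windows `setupapi.dev.log` taken from the preserved image, lists each USB mass storage device with the time it was first installed, and flags devices first seen shortly before the departure date. The log lines are constructed samples, and the departure date and 30-day window are hypothetical parameters.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout of Windows' setupapi.dev.log (not case data).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\AA00000000000001&0]
>>>  Section start 2018/11/02 09:15:40.112
<<<  Section end 2018/11/02 09:15:41.530
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a1b3c4d&0&2]
>>>  Section start 2019/06/18 08:01:10.004
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_WD&Prod_Elements_25A2&Rev_1021\BB00000000000002&0]
>>>  Section start 2019/06/20 18:47:03.871
<<<  Section end 2019/06/20 18:47:05.002
"""

# Header of an install section for a USB mass storage disk (USBSTOR enumerator).
HEADER = re.compile(
    r"^>>>\s+\[Device Install.*? - USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)"
    r"&Prod_(?P<product>[^&]*)&Rev_[^\\]*\\(?P<serial>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")

def usb_storage_first_seen(log_text):
    """Return {serial: (vendor, product, first_install_time)} for USB storage."""
    devices, pending = {}, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m            # remember the device until its timestamp line
            continue
        s = START.match(line)
        if s and pending:
            when = datetime.strptime(s.group(1), "%Y/%m/%d %H:%M:%S")
            serial = pending["serial"].rsplit("&", 1)[0]   # drop instance suffix
            prev = devices.get(serial)
            if prev is None or when < prev[2]:             # keep earliest install
                devices[serial] = (pending["vendor"], pending["product"], when)
            pending = None
        elif line.startswith(">>>  ["):
            pending = None         # some other device class (mouse, hub, ...)
    return devices

def connected_near_departure(devices, departure, window_days=30):
    """Serials of devices first installed within window_days before departure."""
    start = departure - timedelta(days=window_days)
    return sorted(s for s, (_, _, t) in devices.items() if start <= t <= departure)

if __name__ == "__main__":
    found = usb_storage_first_seen(SAMPLE_LOG)
    print(connected_near_departure(found, datetime(2019, 6, 28)))  # hypothetical date
```

`setupapi.dev.log` records driver installation, so it gives the first time a device was attached to that machine rather than every later connection; correlate the result with the other analyses in this list before drawing conclusions.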

Post-Mortem: Getting Smart After the Event

The best-laid plans may still not guarantee 100% compliance, and ne'er-do-well ex-employees may still succeed in removing confidential information. If a breach is discovered, companies may resort to legal action.

However, it can be difficult to take action against former employees if the company failed to retain the exiting employee's data. Without careful, professional preservation and management of the data, it will not remain useful for long. Data is volatile, especially metadata (the invisible record of who has created, amended, and read a document), and can be damaged by being copied or backed up in the wrong way, permanently eroding its evidentiary value.

Without a comprehensive set of policies and procedures for handling exiting employees, it may not become apparent that confidential data has been stolen or misused until days, weeks or months after an employee has left. If the data the employee stole is wiped, reassigned or otherwise lost due to incorrect or incomplete data and equipment policies, the evidence may be lost, making it much harder to even assess the extent of the damage, let alone seek compensation, remedial action, or pursue litigation.

Technology has both made our lives easier and far more complex — no one would wish for data to be harder to transfer or share. However, sensitive data should be protected from potential bad actors.

With careful planning and vigilantly enforced policies and procedures, organizations can manage the risks and ensure that their confidential information is protected and that competitive advantages are not lost when key employees depart.

*****

Michael Ciaramitaro has 16 years of experience in digital forensic collections and computer investigations helping law firms and corporations navigate through tough, complex data infrastructure, including in matters involving trade secret, intellectual property theft, exiting employee investigations and other employee-related legal matters. Ciaramitaro is the director of US digital forensics for Inventus. He can be reached at [email protected].

Sarah Brown is a legal technology thought leader with more than a decade of experience in the e-discovery and information management fields. She is an expert on the intersection of technology and the law, with a specific focus on electronic discovery, document review, forensics and investigations, technology-assisted review, and e-discovery managed services. She has a deep journalism background and holds a bachelor's degree in journalism and a master's degree from Columbia University. Brown is the director of marketing for Inventus. She can be reached at [email protected] or follow her on Twitter @eDiscoverySarah.
