Protecting against data threats posed by departing employees
Countless formal and informal studies show that most employees retain at least some company data when they leave a job. The reasons vary from the benign, such as when an employee inadvertently retains a flash drive used at work, to the more malicious, as in the case of an employee’s deliberate theft of company trade secrets for use at a new job. Motivation only matters so much, though, because even the innocent retention of data can have far-reaching consequences.
This article is the first of a two-part series and will identify the various threats departing employees pose from a data security standpoint and the significant consequences of failing to address these threats. The second article in this series will address five important strategies to mitigate these risks.
Unintentional Threats from the Departed
Much like an ocean seal swimming through shark-infested waters, threats can come from any direction. There are the obvious ones, such as those involved when a competitor hires your company’s best employee and encourages them to bring “their work with them.”
The threats can also be more indirect. For example, an employee who copies large swaths of data for use as evidence to support a good faith wrongful termination claim against the company can still, under the right circumstances, trigger a reportable data breach or a breach of the company’s contractual obligations to a third party.
The threats can even arise from third parties who come into contact with your data. A departing employee may back up his/her work computer to a personal cloud storage account and accidentally change the parent folder’s permissions to “public.”
Not only can this lead to the loss of valuable intellectual property; if the publicly shared data included protected data, a state or federal agency may also cite the company’s inability to detect or prevent the exfiltration of sensitive data as a basis for issuing fines.
Threats from Bad Actors
Threats can also be opportunistic. An employee with access rights to payroll and benefits databases who is working out the final weeks of a reduction-in-force notice period may decide to save her coworkers’ personal information for later use, in case she cannot find subsequent employment, becomes financially desperate, and determines that “borrowing” her former coworkers’ tax refunds is a financial cure-all.
Perhaps this employee also works in IT and knows where to go on the internet to sell her coworkers’ identities. Whether arising in the context of a private lawsuit brought by the affected persons, a government investigation or a shareholder derivative lawsuit, a fact finder may determine that the offending employee should not have had access to the data in the first place.
Risk Caused by Ignoring Risks
The threats can even come from inaction. For example, when reviewing the computer of a technical employee recently terminated for performance, a company may discover that the employee often backed up work data to a flash drive to work on weekends. In the event the employee does not respond to requests to return or delete data retained in that fashion, the company may reasonably determine that the employee does not pose a significant enough “threat” to justify the costs of litigation.
While certainly understandable from a cost-benefit perspective, failing to act could undermine the protected trade secret status of an entire category of data in other scenarios and, in the right context, even undermine the enforceability of other employees’ non-compete agreements.
Regardless of how robust a company’s security program is, there are always employees who will find vulnerabilities and exploit them. Clearly, employees must be able to collect, access and use company data in the ordinary course of business. Convenience is the enemy of security, however, and that is especially true in the digital domain. Companies must therefore implement policies, procedures and safeguards that strike an appropriate balance between security and convenience and, more importantly, reflect a company-wide commitment to security.
The next article in this series will address strategies that help companies accomplish this balance.