Editor's note: This is a contributed piece by Brian Schrader, Esq., CEO and Adam Feinberg, CCFS, CEDS, executive vice president, professional services for BIA (www.biaprotect.com), an e-discovery services firm.
It’s common for companies to have onboarding documents and procedures to efficiently and effectively get new employees up to speed. That process usually includes having new hires meet with different department heads, undergo various trainings, review and acknowledge company policies, and sign important paperwork.
Yet that level of attention is rarely given by companies to departing employees, creating risks and breeding policy blind spots. From a business perspective, employee departures, regardless of impetus, pose significant risks to business data, which is one of the most valuable assets of any organization. To protect that data and other concerns, a company’s exiting employee process must be considered as important, if not more, than the onboarding process.
As we assist organizations with various aspects of data management and exited employee issues, we see example after example that illustrate why the exiting employee process is so important. From mundane accidental loss of important information to the more concerning deliberate destruction or outright theft of critical corporate intellectual property in order to give a competitive advantage to the former employee’s new employer, such actions pose significant risks to a company — both in terms of money and security.
The solution is to create a comprehensive series of steps, just like in the onboarding process, that must be performed as soon as you realize an employee is leaving. Such a process reduces the risk of exiting employees taking sensitive intellectual property with them or of your company being surprised by any negative consequences later. And that process should be boiled down to a clear checklist that must be followed every time. While each organization is different, your exiting employee checklist should include at least the following:
Notify essential departments and team members. As soon as an employee announces departure, whether it’s permanent or a leave of absence, voluntary or not, let relevant parties know. These departments typically include HR, IT and legal, as well as direct employee management. Those departments and individuals need to understand what’s required of them, so create customized task lists to be completed upon an employee’s exit (you may have critical items on your list that you perform at the time of notice) for each department or team member and review those with them regularly.
Disable log-ins and systems. Simultaneously with the employee’s exit, the IT department — as part of their individual checklist — should take steps to disable the employee’s login credentials and access to all company systems, including email and access to any corporate resources or third-party systems such as Salesforce or Box.com. Solutions such as Active Directory from Microsoft can help to centralize access management and make it easier to revoke privileges.
Check the employee’s legal hold status. Organizations have an obligation to proactively preserve an employee’s data when it might be used in litigation; failure to do so can result in severe sanctions. Yet, even companies that have clear legal hold solutions in place often have a blind spot when it comes to their exiting employees. The solution is somewhat simple, however: Build a quick check into IT’s existing asset handling process. Before your IT department recycles an exited employee’s computers, mobile devices and other digital assets, and before they delete any of that employee’s data, they must first determine whether he or she is subject to any legal hold requirements. Simply maintaining a look-up list is often sufficient. If they find the departing employee is subject to legal hold requirements, then the data must be collected and preserved pursuant to company policy or direction from counsel.
Analyze devices and perform data remediation. Even though you have already revoked the departing employee’s access to all company systems, it’s important to analyze his or her devices to ensure that data does not walk out the door with the former employee. If your organization allows employees to access company data from personal devices, your BYOD (Bring Your Own Device) policy should include information about data ownership and the company’s right to access and wipe company data from the devices at any time for any reason, including the employee’s exit. After you’ve collected the employee’s devices, and once the legal hold status has been reviewed, you can begin data remediation — the process of securely removing and destroying data from electronic devices, including from the employee’s personal devices if they may store sensitive company information.
Know when to hire a forensics expert. If during — or before — the exiting process you suspect an employee may have stolen company information or used company computer resources for any improper purpose, consider hiring a forensics expert to perform an exiting employee investigation. A forensics expert will analyze things like the employee’s webmail usage, access to documents, network resources and file shares, use of USB or other removable storage devices, access to file-sharing websites, internet browsing histories and other data, as well as any changes to the metadata of important documents. Usually, it only takes a few hours to determine whether there’s something worth further investigation. Indeed, we have clients who subject certain classes of employees, such as senior salespeople, to such exiting examinations as a matter of course to help ensure any potential issues are detected as soon as possible and not six months after their clients have moved on with that salesperson to their competitor.
Technology and regulations change frequently, so don’t forget to review your exiting employee checklist on a regular basis. We suggest at least twice a year and anytime there is a significant change in how the organization stores and uses data.