Don’t Let Data Walk Out the Front Door: 7 Security Measures for Preventing Data Loss When Employees Leave
By Jim Gill
With all the news surrounding data breaches and information leaks, it’s easy to overlook the fact that the number one path sensitive/confidential information illegally enters the public domain is when employees leave their organization, according to Osterman Research’s, “Best Practices for Protecting Your Data When Employees Leave Your Company" (Dec. 2016). In fact, 69% of organizations have experienced data loss from employee movements (departure, changing roles, re-location), and 50% of employees who left their jobs in the last 12 months kept confidential corporate data.
Here are seven security measures which can help you and your organization prevent data from walking out the front door.
Security Measure #1: Limit Access to Data
Even though employees may be inconvenienced by more stringent access to certain data repositories, limiting the number of repositories where data is stored streamlines the tracking of data when legal proceedings are at issue.
- Understand Who has Access to What: Implement policies to track employee data and put procedures in place to create alerts when certain data may have been accessed inappropriately.
- Consider VPN Policies: This technology empowers organizations to limit access to specific data repositories when employees are working remote, diminishing the risk that important data is not transferred to personal data sources.
- Consult IT & End Users: Before limiting access to any data, have a frank conversation with business and IT leaders about the tradeoffs between security and efficiency. Depending on how organizations use data, limiting access to data may not be the best course of business.
Security Measure #2: Evaluate Over-Archiving Policies
There’s too much data within a business to ensure all of it is archived, which is why it’s important to evaluate data archiving policies to safely secure information.
- Identify the Must Haves: Start by first asking these questions – Is the organization under regulatory requirements to store data? Are there document retention policies that enable the organization to know exactly the types of data will be archived? What technology is available to support these archiving activities? Once these questions are answered, then organizations can reasonably enforce their archiving policies.
- Get Rid of the Junk: To streamline the process for identifying data, take measures to de-duplicate data within archives and repositories, only keeping one copy of a given document at a time.
Security Measure #3: Clearly Communicate Policies
Creating the right data management policies is only half the battle. Just as important, organizations must find ways to effectively communicate these policies to their employees or else risk data loss.
- Understanding the Why: One of the primary reasons data is lost when employees leave is that employees don’t understand the importance of ensuring all corporate data is handed over, making it essential that employees are continually briefed on the importance of these data management policies.
- Train Third Parties: Clear communication of policies extend to external entities (vendors, law firms, etc.) as well. Typically, during legal proceedings, third parties will need to access corporate data. Ensure your data management policies address third parties and how they access data, which may include training so third parties clearly understand them.
Security Measure #4: Leverage Technology to Track Employee Status Changes
Some companies track employee movements (i.e. departures, new hires, role changes) using manual processes (i.e. assigning individuals to review spreadsheets). But as with any manual process, human error is inevitable. Use technology to automate, cutting time, errors, and stress.
- HR System Integration: Using technology which integrates with HR systems allows legal teams to track and monitor changes not only when somebody leaves the organization, but when they change departments, locations, or job titles. Based on these results, the appropriate actions regarding employee data can be taken.
- Develop Customized Workflows: Look for technology that can automatically task employees to take a corrective action, which may include collecting data from a departing custodian data source, suspending document retention policies for a recently departed custodian under legal hold, etc.
- Keep an Audit Trail: Ensure all actions taken with the technology are time-stamped and recorded, just in case this process is ever questioned by opposing counsel and/or the courts.
Security Measure #5: Utilize Robust Employee Agreements
It is vital that employees are aware of exactly what is at stake regarding their use of company data (both for the company and the individual), and avoiding boilerplate employment agreements is an effective way to ensure clarity.
- Consider State Employment Laws: Non-compete, non-solicitation, nondisclosure agreements vary significantly between states. Some, like California, are much stricter on allowing companies to impose restrictions on employees, making it imperative to stay up on state employment laws. Include specific terms showing the scope and restrictions in the agreement are reasonable, which can help get a temporary restraining order or an injunction to protect corporate data.
- Confirm Employees Understand this Agreement: From both a deterrent and legal remedy perspective, employees should sign employee agreements regarding data separate from other employee forms. HR should walk through the policies with them to certify their understanding, then memorialize it in the HR file, so it’s clear that this agreement is not just another signature on a page.
Security Measure #6: Implement Coordinated Security Measures
It's important to balance physical security with network security, while keeping things convenient for users, yet effective.
- Manage All Data Sources: Implementing strong passwords and using keycards to access company property is a no brainer. But remember to consider other less-obvious protection measures like locking down USB storage devices. Simply put, make sure all data sources are managed and under the purview of IT.
- Use DLP Software to Monitor Data on the Cloud: Whether using managed cloud storage solutions, like Office 365 or box.com, or more standard platforms, like Dropbox or a personal Google Drive, data leak protection (DLP) software provides added security by alerting and logging when files are moved or accessed. This will limit the damage when employees attempt to remove secure data from the network (maybe by downloading it to a USB).
Security Measure #7: Conduct Exit Interviews
Exit interviews accomplish two aims: first, to determine if the employee might potentially go to work for a competitor; and second, it’s an opportunity to remind the employee of any policies or agreements, and certify that they understand their obligations when leaving the company.
- Interviews Can Evaluate Risk Potential: The exit interview can be a good opportunity to learn if risk is heightened (e.g. an employee who might be disgruntled or going to work for a competitor). If that's the case, the company may take steps, such as sending a letter to the new employer of this employee's obligations. An exit interview can also provide evidence if the employee happens to lie about what he or she is going to do, and legal remedy is pursued.
- Exit Interviews are Easy to Skip (So Don’t!): Often, the exit interview is a step that companies skip, but the interview can be valuable in determining if action needs to be taken, whether that means monitoring an employee’s computer or automatically preserving its data rather than immediately wiping it.
We all lose things: keys, phones, remotes. And sometimes, when we can’t find them, there are consequences—some bigger than others. Corporate legal teams are no different when it comes to company data – except the stakes are much higher and the consequences are far reaching and costly. Following these best practices can go a long way toward keeping everything secure and safe.