How to Protect Corporate Data When Employees Leave

A key part of employment – particularly in a good economy – is that employees leave employers on a regular basis. According to data from the US Department of Labor, mean turnover among US-based employees in 2016 was 23.8 percent. That means in an organization of 1,000 people, nearly one-quarter of them will quit or otherwise be terminated during a year’s time, or about 20 people per month.

How do employers ensure that departing employees don’t take important data assets with them when they leave? The answer, it turns out, is that they don’t protect against this eventuality. Our research found that for many organizations, information governance policies, practices and technologies focused on data protection are not well implemented, if they are implemented at all. This puts these organizations at significant risk from employees who either quit or are terminated involuntarily and take with them key data assets, such as customer lists, trade secrets, financial projections, or various types of intellectual property.

Here’s what we found in a recent survey:

In only 48 percent of organizations can HR data be relied upon to determine when someone is going to leave a company.
Only 33 percent of organizations are sure they can detect if an employee that has left the company is still using their access to corporate data.
In only 16 percent of organizations does HR take the lead in ensuring that access to data sources, devices, accounts, etc. is disabled for departing employees.
Only 24 percent of organizations know when third parties stop working on their systems and data, and only 12 percent know if employees or third parties are sharing access to data through the same account, bypassing any terminations processes.

There are several processes and technologies that organizations can implement that will enable them to gain visibility and retain control over their sensitive and confidential data assets, while assuring that employees are not leaving with these assets. There are a number of technologies that can be implemented to protect corporate data from exfiltration by departing employees, but a governance-based model for user lifecycle management and access management can provide organizations with a high degree of assurance that only the right employees have the right access to corporate data at the right time.

For more information about these issues, please feel free to download our white paper, Protecting Corporate Data When Employees Leave Your Company.

What Can You Do With Archived Data?

Archiving as a defensive tool is well-trod ground: it’s an important best practice for eDiscovery, litigation hold, regulatory compliance, storage management, and end-user access to content. Every organization should archive their employees’ data to ensure they can meet these defensive uses of archiving – what we call Archiving 1.0.

But what about Archiving 2.0, or a more proactive use of archived data? Here are some things you can do with your archives:

Investigations: The ability to extract intelligence from the content within email archives can significantly reduce the amount of time spent on investigations, such as early case assessments in advance of an anticipated legal action, an investigation about inappropriate employee activity, or an investigation about why a key customer account was lost.
Sales support: Communications with customers independent of a CRM system can be used to determine how sales, support and other staff members’ emails correlate with customer retention and follow-on sales. Similarly, the speed and quality of responses to customer inquiries can be correlated to sales in order to determine how best to respond to inquiries in the future.
Risk mitigation: Archived data can be used to mitigate risks from data breaches, employee fraud and related types of threats. Senior managers can look for employees who are more likely to commit fraud by looking for managers who are treating their employees badly, they can find employees who are communicating with an organization’s competitors, transferring sensitive files to a personal email address, or running a personal business on company time.
Customer service: Archived data can be useful in determining who in an organization is talking with specific customers, to whom in the customer organization they are speaking, the content of their conversations, and other relevant information.
Supply chain management: Another application is analyzing messaging and relationship intelligence to visualize employee communication with unauthorized parties.
Litigation management: Legal can use messaging and relationship intelligence to zero in on individuals or domains to understand communication trends and which individual(s) or domain(s) needs to be investigated further, enabling useful pre-trial or pre-litigation discovery information.
IT support: Help desks can become more proactive by conducting ongoing investigations into what employees are saying about particular applications, the goal of which is to address problems as early as possible.
Human capital management: An archive can be used to determine when employees are going to leave an organization and thereby minimize the impact of an employee departure.

We have written a white paper that focuses on Archiving 2.0 – please feel free to download it here.

What About a Morals Clause for Social Media?

USLegal.com defines a “morals clause” as “a contract or official document that prohibits certain behavior in a person’s private life.” Should your company have something like this with regard to what your employees say on social media, even when they’re posting content on their personal, non-company accounts and doing so on their own time?

Consider the following tweets collected late in the afternoon of January 6, 2015:

“Clients are always especially stupid their first week back.”
“Feels good to give $50 to a small company for something that fits my needs instead of stealing from Adobe!”
“My boss is such an idiot. Why is she Fwd’ing me emails that I am copied on”
“I have a problem with stupid client. in fact, Clients are all stupid.”
“I am sleeping with my boss and I don’t know why.”
“My boss wasn’t impressed by my Don Draper impersonation, specifically the drinking and smoking at work and the sleeping with clients.”
“This sounds weird but I drive better when I’m drunk. For some reason when I drink I can see better”

There are a couple of risks to your business that you need to consider if even one of your employees is posting this kind of stuff. First, there’s the risk that an employee is revealing that they’re doing something illegal, offensive or inappropriate. Yes, they may not be telling the truth because they’re attempting to be funny or they are simply trying to elicit a reaction, but not everyone will see it that way. An offensive or vulgar tweet, Facebook post, Instagram photo or some other objectionable content could trigger an investigation, such as the just launched police inquiry into a and businesswoman who last week tweeted some offensive comments about Ebola patients.

Second, some of your clients and prospects are aware that these social media users are your employees. Whether these clients and prospects intend to or not, some will inextricably link your company with these employees, and the offensive content will reflect badly on your company. While few clients or prospects would make a decision about your company based solely on a rogue employee’s social media posts, it could be a factor that plays into their overall decision process, even if it’s simply a desire not to have to deal with an employee careless enough to post offensive content.

The bottom line is that you should at least pay attention to what your employees are saying on social media, even when it’s on their own time. Whether you can actually do anything about it through a moral clause in an employment contract or some other means is a matter for others to address.