How to Protect Corporate Data When Employees Leave

A key part of employment – particularly in a good economy – is that employees leave employers on a regular basis. According to data from the US Department of Labor, mean turnover among US-based employees in 2016 was 23.8 percent. That means in an organization of 1,000 people, nearly one-quarter of them will quit or otherwise be terminated during a year’s time, or about 20 people per month.

How do employers ensure that departing employees don’t take important data assets with them when they leave? The answer, it turns out, is that they don’t protect against this eventuality. Our research found that for many organizations, information governance policies, practices and technologies focused on data protection are not well implemented, if they are implemented at all. This puts these organizations at significant risk from employees who either quit or are terminated involuntarily and take with them key data assets, such as customer lists, trade secrets, financial projections, or various types of intellectual property.

Here’s what we found in a recent survey:

  • In only 48 percent of organizations can HR data be relied upon to determine when someone is going to leave a company.
  • Only 33 percent of organizations are sure they can detect if an employee that has left the company is still using their access to corporate data.
  • In only 16 percent of organizations does HR take the lead in ensuring that access to data sources, devices, accounts, etc. is disabled for departing employees.
  • Only 24 percent of organizations know when third parties stop working on their systems and data, and only 12 percent know if employees or third parties are sharing access to data through the same account, bypassing any terminations processes.

There are several processes and technologies that organizations can implement that will enable them to gain visibility and retain control over their sensitive and confidential data assets, while assuring that employees are not leaving with these assets. There are a number of technologies that can be implemented to protect corporate data from exfiltration by departing employees, but a governance-based model for user lifecycle management and access management can provide organizations with a high degree of assurance that only the right employees have the right access to corporate data at the right time.

For more information about these issues, please feel free to download our white paper, Protecting Corporate Data When Employees Leave Your Company.

Should You Be Paid Overtime for Checking Email?

In March 2014, the president directed the US Department of Labor to update key regulations for white-collar workers who are covered by the overtime and minimum wage standards under the Fair Labor Standards Act (FLSA) Act. In July 2015, a Notice of Proposed Rulemaking was published in the Federal Register for the purpose of soliciting public comments on the rule. The 98-page (!) document is available for review here.

The result of the proposed rule change will be to require employers to pay workers for after-hours activities that they are required to perform, such as checking email, being available to deal with company emergencies, or responding to a manager’s inquiries. Currently, employees who earn more than $23,660 per year (about $11.38 per hour) are exempt from these rules and can be required to work after-hours for no additional overtime pay. The current rule, last updated in 2004, would raise the exemption level to $47,892, or the 40th percentile of earnings for a full-time, salaried employee in 2013. The new rule will add approximately five million additional employees to those already covered.

Here is my two cents on the proposed rule:

  • From a technology perspective, there will be a need to block employee access to a variety of corporate systems for employees whose salaries are below the FLSA threshold. These systems include most notably email, but also SharePoint, CRM systems, corporate social media, corporate instant messaging, VoIP, and any other communication or collaboration system that can possibly be used to respond to a manager’s inquiry, a customer request, a server alert, or that can be used for any type of work activity.
  • The alternative, of course, is to simply pay employees for an additional 10-15 or more hours per week, but that creates problems that many organizations may not want to address, and it could add dramatically to labor costs.
  • Today, approximately zero email systems have the ability to block access to specific users or roles (that’s going to change very soon), but this will be an essential capability once the rule goes into effect, as it will be for all corporate systems.
  • Access control will have to be appropriately linked between HR and IT so that employees who are below the FLSA-mandated threshold will be denied access to corporate systems during certain hours. When an employee’s salary reaches the government-mandated level, however, then access can be turned on for these individuals.
  • Moreover, there will be instances in which an employee whose salary is below the threshold will temporarily be required to work after-hours (such as an administrative assistant covering for his or her manager when he or she is out sick) and so access management capabilities will have to be in place to turn these capabilities on and off quickly to ensure that the employee can fulfill their job requirements. This will necessitate a tie-in to HR systems to guarantee that the employee is compensated appropriately for his or her after-hours work.
  • Larger companies will have to maintain even tighter controls to prevent violations of the law for the same employee roles if compensation for these roles differs. For example, according to a customer service representative in New York City makes $60,000 per year and so will have permission to access email and other corporate systems after-hours without the need to be paid extra, while the same job title in Wichita, Kansas makes $40,000 and so will not be allowed to do so without receiving overtime. While this would apply based on geography, this could also mean that a more experienced individual whose salary is above the government-mandated level would be entitled to after-hours access to email and other corporate systems, while his or her less experienced and lower paid counterpart would not.

Philosophically, I am opposed to this type of rule. While I fully realize that some employers abuse their employees’ time and expect them to work after-hours for no additional pay or other compensation, there are employees who actually want to work after-hours: some might want to catch up on email before bed simply to get a jump on the next day, some might want to respond as quickly as possible to a customer’s inquiry to gain some sort of a competitive advantage for their employer, or some might just want to impress their boss. Employees should have the right to do all of these things – and employees in Wichita should have the same options as their counterparts in New York, as should less experienced/lower paid employees who work alongside their more experienced/better paid co-workers.

All of that said, it will be essential for employers to be able to turn email and other corporate systems on and off based on this ruling. Not to do so could end up being very expensive.