Every employer should be worried about cybersecurity and protecting data. For most workplaces today, the company’s digital data is at least as valuable as any physical asset in the workplace. You can replace that aging, depreciating laptop with a trip to BestBuy, but good luck replacing the lists of customer contacts or recreating a year of production deadlines out of your managers’ heads.
Protecting data involves a number of key protocols:
- Robust password programs and restricted access to confidential information;
- Frequent backups and security updates;
- Clear policies on data security to ensure employees know what is expected.
But even diligent employers cannot fully protect the business from employee sabotage.
Data security breach triggers
Data security breaches are ultimately triggered by humans. Often the bad actor is on the other side of the globe looking for a ransom payment, but sometimes it’s your own employee.
Most of the employee-triggered data breaches I’ve seen are human errors by a non-tech-savvy employee who just messed up. We can’t expect the full workplace to be as knowledgeable or current as our IT vendors, which is the purpose of good policies and protocols to support this ongoing learning journey. A policy and protocol refresher is typically more appropriate than discipline in those cases.
Occasionally, however, we do see employees who want to blow up the server out of anger for being terminated, harassed or generally treated unfairly. It looks so satisfying in the movies, after all.
Protecting company data
Here are some tips on how employers can protect their company data from agitated exiting employees:
- Develop clear policies and procedures: Establish clear and comprehensive data protection and access control policies that outline the procedures for managing employee departures. Get your HR, IT and frontline managers all informed on what must be done when an employee exits so that they’re ready to go in an unexpected or urgent termination. Ensure that all employees are aware of these policies and understand their responsibilities regarding data confidentiality and security.
- Before termination: Work with IT to identify, crystallize and save all data and access points to which the employee has access. Talk to your frontline manager to understand what critical access information, passwords or data the employee may have access to – and lock it down prior to the termination meeting. This will protect the company from any post-termination misconduct, and provide peace of mind knowing that whatever happens on termination day, there will be no retroactive data you can’t get access to.
- Immediate action upon termination:
  - Disable access: Promptly revoke the terminated employee’s access to all company systems, applications, email accounts, and physical facilities. This includes deactivating user accounts, changing passwords, and retrieving company-owned devices.
  - Collect company property: Retrieve all company-owned devices, such as laptops, smartphones, tablets, USB drives, access cards, and any other equipment or assets issued to the employee. Ensure that all data stored on these devices is securely erased or transferred to appropriate personnel.
- Backup and secure data: Of course, regularly back up critical company data and sensitive information stored in on-premises servers, cloud services, and other storage repositories. Implement encryption, access controls, and multi-factor authentication (MFA) to protect data from unauthorized access and breaches.
- Employee exit interviews: If you didn’t already do so in the course of the termination meeting, conduct exit interviews with departing employees to discuss data protection obligations, return of company property, and confidentiality agreements. Use this opportunity to remind employees of their responsibilities and the consequences of unauthorized data access or disclosure.
More than anything, when news arises that an employee has gone rogue with data, pause and consider what backup may already exist, whether this was intentional or just dumb human error, and what is the overall monetary loss you need to address. If it’s an error and is fixable, focus on a more cost-effective amicable exit to help the parties go their separate ways more calmly, rather than fighting over the mistake.
However, sometimes it’s indeed an intentional act to harm the employer. In those cases, call your employment lawyer early and capture all the evidence you can about the sabotage as soon as possible. Employees will usually have a duty of loyalty in their contract, as well as the usual common law obligations to act in good faith and not intentionally harm their employer or steal data for personal reasons. Data is valuable and this is often an important asset worth fighting for if the employee has caused extensive harm. It may impact termination payments or general settlement discussions, and it will be important to have a good legal position to rely on for any such adjustments.
By Lisa Stam