Data Security & Employee Turnover: How to Protect Your Data When Employees Leave
Employee turnover is an unavoidable reality for nearly all businesses. In addition to creating a number of financial and logistical difficulties, employee turnover also raises a number of data security issues. Chief among these issues is data protection upon employee departure. Unfortunately, it has become common practice for employees to take sensitive and confidential corporate data with them when leaving an employer. A recent white paper published by Osterman Research (the "Paper") highlights this problem and presents solutions for employers seeking to mitigate the risks of data security when employees leave.
According to the Paper, 87% of employees surveyed by Biscom in late 2015 admitted that when they left a company, they took with them data they created during the course of their employment. A further 28% of those employees admitted to taking data created by others upon departure.
Data theft can damage an organization in a number of ways. It can harm the company's competitive position and, as a result, have a direct negative impact on revenue. Further, data theft can place a company at risk of regulatory violation. Failing to protect sensitive customer information, for example, can put a company in breach of applicable privacy laws. Ultimately, the company may decide to pursue legal action against the former employee, a costly and unwanted exercise for everyone involved.
Employees Leave (It's a Fact)
According to the Paper, the typical organization in the United States can expect up to 24% of its employees to leave each year. As of January 2016, the average term of employment for U.S.-based employees was a mere 4.2 years, down from 4.6 years as reported in 2014. This trend will likely be exacerbated as Millennials, who change jobs approximately every two years, continue to occupy a greater proportion of the workforce.
In order to keep up with these trends and the data security challenges they present, companies need to understand employee behaviours and formulate proactive data protection strategies.
Why Are Employees Taking Data When They Leave?
In many cases, employees inadvertently take corporate information with them when they leave a company. In offices that allow employees to work remotely, many use their own devices and routinely store corporate data on portable devices such as USBs, laptops and smartphones. Cloud storage platforms are also commonly used, many with automatic back-up capabilities that operate in the background. Upon departure, unless proper corporate policies and procedures are in place, the employee (and the company) may not even be aware that sensitive and confidential data remains in his or her possession.
In other cases, the employee may be under the false impression that the data belongs to him or her. Employees may therefore feel justified in taking the data with them when they leave. There are also circumstances in which employees take corporate data with more malicious intentions. The employee may be motivated by revenge or seeking to gain an advantage with a new employer. Regardless of motive, this behaviour puts a substantial amount of valuable corporate data at risk.
Best Practices
Management and anyone else charged with the company's data security mandate should be sensitive to employee behaviours in order to prevent data theft before it occurs. The Paper identifies a number of warning signs, including:
- Spikes in data transfers (i.e. to the cloud, a USB, etc.)
- Fluctuations in email activity
- Unusual timing for accessing documents or files (i.e. after normal business hours)
Staying alert to these behaviours can prevent potentially damaging results. Companies should consider adopting policies to monitor and audit certain employee behavior, such as the usage of company computers. Further, the Paper suggests that the most effective policies and procedures will:
- Ensure ongoing visibility of sensitive corporate data
- Limit employee access to certain content (determined by their role)
- Encrypt data in-transit, at-rest and in-use
- Require sufficient authentication for access to sensitive content
- Properly manage and monitor mobile devices (with remote access capabilities)
- Adopt an effective data back-up policy
Implementing an employee departure checklist can also help protect vulnerable data during the departure process. The Paper provides a checklist addressing the employee's physical and account-related activities, as well as backup, archiving and content management strategies.
Proper training will ensure that all employees, including management, have a thorough understanding of company policies and procedures and are aware of how sensitive data and information should be dealt with at all stages of the employment relationship.
For new hires, companies might consider including standard confidentiality provisions in employment contracts. Such provisions should use clear and unambiguous language, and should be properly explained to new employees upon hiring. Obtaining expert legal advice in drafting such agreements will ensure their efficacy.
Aird & Berlis LLP's privacy and data security experts and employment lawyers can provide support and legal guidance to help your organization implement these best practices to protect your organization's data.