We recently wrote about companies monitoring employees to reduce cybersecurity risks. Those insider threat risks do not end when employees leave the company. Sensitive company data in the hands of a disgruntled former employee is obviously a potential risk, but so is unauthorized access to confidential company information by a former employee acting in good faith. Companies must therefore take steps to protect their data from walking out the door with exiting employees.

Employees who are leaving should be required to identify all the locations where they may have confidential company data, including old company computers and phones, personal computers where company data has been saved, and personal email accounts or messaging applications. Former employees may also mistakenly believe that work to which they contributed belongs to them and may use it to apply for new positions or at a new job. Departing employees should also be asked to identify all of their employment-related accounts, such as those for SharePoint sites, FTP sites, and extranets, to make sure the accounts are properly closed. Other measures that reduce the risk of former employees leaking confidential company information include:

  • Prohibiting and disabling the use of portable electronic data storage devices, such as thumb drives, on work-issued electronic devices.
  • Collecting the employee’s work-issued electronic devices at the time of or prior to the employee’s departure.
  • Revoking access to information systems immediately after the employee departs.
  • Employing software that can isolate and remotely wipe work-related apps and data from the former employee’s personal devices.
  • Articulating to employees, through policies and training, the company’s ownership rights to data generated by the employees.
  • Monitoring the web, including sites like GitHub and LinkedIn, for sensitive company information.

Former IT employees or contractors may post code that they had written for a company on public sites without even realizing that it contains confidential data. In such cases, a simple call or email to the former employee may be enough to get the confidential content removed from the website and deleted from the former employee’s files. If the employee is not fully cooperative, however, companies should consider sending a cease and desist letter to the former employee and a takedown request to the website that is hosting the data. The Davis Polk Cyber Portal is available to our clients to help navigate these kinds of data issues, and includes a model Cease and Desist Letter, Personal Device Policy, and Tabletop Exercise on employee data theft, as well as dozens of other resources to help clients reduce the risk of unauthorized data access.

This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.