When is a business most susceptible to losing data, intellectual property and important records? No, not during a cyber attack or a break-in, but during lay-offs.
With employees maybe feeling disgruntled after being let go, it’s common for some of them to pocket important company data – usually client lists, old e-mails, vendor contacts and even intellectual property that is essential to the company’s competitive advantage.
During lay-offs or termination, you need to take steps to protect your data and intellectual property, but there are legal implications as well for how far you can go. Consider the following:
Non solicitation agreements – These protect from a departing employee taking with them proprietary, confidential information like client and vendor lists. A non-solicitation agreement bars an ex-employee from going to a competitor and contacting your clients for business.
These are not legal in all states, so check your state laws and consult with your attorneys. In California, for example, non-solicitation agreements are not enforceable.
Non-disclosure agreements – These are different than the above and no states bar them. They focus instead on company data that a competitor can use to harm the business.
These agreements spell out the employee’s fiduciary obligations under the law by identifying protected company proprietary and confidential information. The agreement requires that the employee keep such information secret for a certain period of time.
Before huddling with your lawyer, your management team should identify all of your company’s protected data that you feel is worth protecting.
Return and inventory all company property – Before your employee leaves the premises, make sure they have returned all of your property that may contain company information.
That would include:
• Originals and copies of company documents the employee has made.
• Data on the worker’s personal phone or home computing devices (this may be difficult to enforce, but you should make them aware that they are required to delete it).
Passwords and access – On their last day, remember to delete from your database and systems their user names and passwords and access codes.
This could include:
• E-mail passwords
• Voicemail passwords
• Teleconference and intranet passwords
• VPN access and passwords
• Building or office coded lock-access codes.
Make sure to also collect any company ID cards. If you have concerns they may try to contact your current customers or vendors for any reason that could be detrimental to your firm, you can consider notifying them that the employee is no longer with you.
Conduct an exit interview – During this interview, you should go over boilerplate information like why they were let go and the importance of not taking with them any physical or intellectual property.
Ask questions to determine what, if any, company data they may have been privy to or had access to. Also, if you have non-disclosure or non-compete agreements in place, use this time to reiterate the consequences for violating those agreements.
What to look for
It’s more difficult to avoid data misappropriation by an employee that is planning on quitting, as they can make preparatory moves unbeknownst to you.
When employees are planning to take corporate data or are in the process of doing so, there are often one or more signs, which can be monitored with the right systems in place:
• A spike in an employee copying information to the cloud, USB drives, personal devices, e-mail accounts, and more. An increase in such activity could mean that an employee is planning to leave or has gotten wind of an impending dismissal and wants to copy useful information before they go.
• A surge in documents being deleted from an employee’s laptop or desktop computer. Files may also be deleted from corporate file shares.
• Sudden spikes or drops in e-mail activity.
• An employee accessing your customer relationship management system or financial accounts during late nights or very early mornings. This could mean they are scraping your files.
• The employee is sending and/or receiving e-mails from a competitor.