Protecting against data threats posed by departing employees
Most employees retain some organizational information when they leave a job, but even the innocent retention of data can have far-reaching consequences.
Countless formal and informal studies show that most employees retain at least some organizational data when they leave a job. The reasons vary from the benign, such as when an employee inadvertently retains a flash drive used at work, to the more malicious, as in the case of an employee’s deliberate theft of trade secrets for use at a new job.
Motivation only matters so much, though, because even the innocent retention of data can have far-reaching consequences.
Much like an ocean seal swimming through shark-infested waters, threats can come from any direction. There are the obvious ones, such as those involved when a competitor hires your organization’s best employee and encourages them to bring “their work with them.”
The threats also can be more indirect. For example, an employee who copies large swaths of data for use as evidence to support a good faith wrongful termination claim against the organization can still, under the right circumstances, trigger a reportable data breach or a breach of the provider’s contractual obligations to a third party.
The threats can even arise from third parties who come into contact with the data. A departing employee may back up his or her work computer to a personal cloud storage account and accidentally change the parent folder’s permissions to “public.”
Not only can this lead to the loss of valuable intellectual property; in the unfortunate event that the publicly shared data included protected data, a state or federal agency may also use the provider organization’s inability to detect or prevent the exfiltration of sensitive data as a basis to issue fines.
Threats also can be opportunistic. An employee with access rights to payroll and benefits databases who is working out the final weeks of a reduction-in-force notice period may decide to save her coworkers’ personal information for later use in the event she cannot find subsequent employment, becomes financially desperate, and determines that “borrowing” her former coworkers’ tax refunds is a financial cure-all.
Perhaps this employee also works in IT and knows where to go on the internet to sell her coworkers’ identities. Whether arising in the context of a private lawsuit brought by the affected persons, a government investigation or a shareholder derivative lawsuit, a fact finder may determine that the offending employee should not have had access to the data in the first place.
The threats can even come from inaction. For example, when reviewing the computer of a technical employee recently terminated for performance, a company may discover that the employee often backed up work data to a flash drive to work on weekends. In the event the employee does not respond to requests to return or delete data retained in that fashion, the company may reasonably determine that the employee does not pose a significant enough “threat” to justify the costs of litigation.
While certainly understandable from a cost-benefit perspective, failing to act could undermine the protected trade secret status of an entire category of data in other scenarios and, in the right context, even undermine the enforceability of other employees’ non-compete agreements.
Regardless of how robust an organization’s security program is, there are always employees who will find vulnerabilities and exploit them. Clearly, employees must be able to collect, access and use company data in the ordinary course of business. Convenience is the enemy of security, however, and that is especially true in the digital domain. Organizations must therefore implement policies, procedures and safeguards that strike an appropriate balance between security and convenience and, more importantly, reflect a complete commitment to security.
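One concrete shape such a safeguard can take is a review that correlates HR departure notices with file-transfer telemetry and with role-based entitlements, so that the scenarios above (bulk copies to a flash drive or personal cloud account during a notice period, and access to payroll data by someone whose role does not require it) surface as findings rather than as surprises during post-termination forensics. The following is an added example written for this article, not code from the original page or from any product; the roster, the role-to-data entitlements, the byte threshold, the departure window and every event line are constructed assumptions for illustration.

```python
"""
Added example (not part of the original article): an offboarding-window
exfiltration and least-privilege check over two constructed data sets:

  * an HR roster with each employee's role and the date a departure was
    noticed (resignation, reduction-in-force notice, termination), and
  * endpoint/DLP-style file-transfer events (USB copies, uploads to
    personal cloud storage, copies to corporate shares).

It flags (1) bulk transfers to removable media or personal cloud storage
by employees inside a departure window, and (2) access to a sensitive data
class by employees whose role is not entitled to it. Field names,
thresholds, entitlements and all events are assumptions, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: user -> (role, departure-notice date or None)
ROSTER = {
    "alice": ("engineering", date(2024, 3, 1)),   # resigned
    "bob":   ("engineering", None),
    "carol": ("it-support", date(2024, 3, 5)),    # RIF notice period
    "dave":  ("hr", None),
}

# Assumed role entitlements per sensitive data class (least privilege)
ENTITLED_ROLES = {
    "payroll": {"hr", "finance"},
    "source-code": {"engineering"},
}

# Destinations outside organizational control (assumed labels)
UNTRUSTED_DEST = {"usb", "personal-cloud"}

# Constructed transfer events: (user, date, destination, data class, bytes)
EVENTS = [
    ("alice", date(2024, 3, 10), "usb", "source-code", 4_200_000_000),
    ("alice", date(2024, 3, 11), "corp-share", "source-code", 50_000_000),
    ("bob",   date(2024, 3, 10), "usb", "source-code", 120_000_000),
    ("carol", date(2024, 3, 12), "personal-cloud", "payroll", 900_000_000),
    ("dave",  date(2024, 3, 12), "corp-share", "payroll", 30_000_000),
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str      # "bulk-transfer" or "excess-access"
    detail: str


def in_departure_window(user, when, lookback_days=30, lookahead_days=30):
    """True if `when` lies within the assumed window around a departure notice."""
    _, notice = ROSTER.get(user, (None, None))
    if notice is None:
        return False
    start = notice - timedelta(days=lookback_days)
    end = notice + timedelta(days=lookahead_days)
    return start <= when <= end


def review(events, bulk_threshold=500_000_000):
    """Return findings: bulk transfers to untrusted destinations during a
    departure window, plus any access to a data class the user's role is
    not entitled to (checked regardless of departure status)."""
    findings = []
    per_user_bytes = {}
    for user, when, dest, data_class, nbytes in events:
        role, _ = ROSTER.get(user, (None, None))
        # Least-privilege check: the role must be entitled to the data class
        entitled = ENTITLED_ROLES.get(data_class)
        if entitled is not None and role not in entitled:
            findings.append(Finding(
                user, "excess-access",
                f"role {role!r} touched {data_class!r} data via {dest}"))
        # Aggregate bytes sent to untrusted destinations inside the window
        if dest in UNTRUSTED_DEST and in_departure_window(user, when):
            per_user_bytes[user] = per_user_bytes.get(user, 0) + nbytes
    for user, total in per_user_bytes.items():
        if total >= bulk_threshold:
            findings.append(Finding(
                user, "bulk-transfer",
                f"{total} bytes to untrusted destinations during departure window"))
    return findings


if __name__ == "__main__":
    for f in review(EVENTS):
        print(f"{f.user:6} {f.kind:14} {f.detail}")
```

On the constructed input the review flags alice for a bulk copy to USB during her notice period, and carol twice: once for touching payroll data from a role that is not entitled to it, and once for the bulk upload to a personal cloud account. bob's small USB copy outside any departure window and dave's payroll access from an HR role produce nothing, which is the balance the article asks for: ordinary work continues, and only the combination of sensitive data, an untrusted destination and a departure context is escalated for review.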