skip to main content
Back to all blog posts

Posted in: Data Security/Privacy

Mar 27, 2017

Data Security & Employee Turnover: How to Protect Your Data When Employees Leave

By Amy Marcen-Gaudaur and Aaron Baer

Employee turnover is an unavoidable reality for nearly all businesses. In addition to creating a number of financial and logistical difficulties, employee turnover also raises a number of data security issues. Chief among these issues is data protection upon employee departure. Unfortunately, it has become common practice for employees to take sensitive and confidential corporate data with them when leaving an employer. A recent white paper published by Osterman Research (the "Paper") highlights this problem and presents solutions for employers seeking to mitigate the risks of data security when employees leave.

According to the Paper, 87% of employees surveyed by Biscom in late 2015 admitted that when they left a company, they took with them data they created during the course of their employment. A further 28% of those employees admitted to taking data created by others upon departure.

Data theft can damage an organization in a number of ways. It can harm the company's competitive position and, as a result, have a direct negative impact on revenue. Further, data theft can place a company at risk of regulatory violation. Failing to protect sensitive customer information, for example, can put a company in breach of applicable privacy laws. Ultimately, the company may decide to pursue legal action against the former employee, a costly and unwanted exercise for everyone involved.

Employees Leave (It's a Fact)

According to the Paper, the typical organization in the United States can expect up to 24% of its employees to leave each year. As of January 2016, the average term of employment for U.S.-based employees was a mere 4.2 years, down from 4.6 years as reported in 2014. This trend will likely be exacerbated as Millennials, who change jobs approximately every two years, continue to occupy a greater proportion of the workforce.

In order to keep up with these trends and the data security challenges they present, companies need to understand employee behaviours and formulate proactive data protection strategies.

Why Are Employees Taking Data When They Leave?

In many cases, employees inadvertently take corporate information with them when they leave a company. In offices that allow employees to work remotely, many use their own devices and routinely store corporate data on portable devices such as USBs, laptops and smartphones. Cloud storage platforms are also commonly used, many with automatic back-up capabilities that operate in the background. Upon departure, unless proper corporate policies and procedures are in place, the employee (and the company) may not even be aware that sensitive and confidential data remains in his or her possession.

In other cases, the employee may be under the false impression that the data belongs to him or her. Employees may therefore feel justified in taking the data with them when they leave. There are also circumstances in which employees take corporate data with more malicious intentions. The employee may be motivated by revenge or seeking to gain an advantage with a new employer. Regardless of motive, this behaviour puts a substantial amount of valuable corporate data at risk.

Best Practices

Management and anyone else charged with the company's data security mandate should be sensitive to employee behaviours in order to prevent data theft before it occurs. The Paper identifies a number of warning signs, including:

  • Spikes in data transfers (i.e. to the cloud, a USB, etc.)
  • Fluctuations in email activity
  • Unusual timing for accessing documents or files (i.e. after normal business hours)

Staying alert to these behaviours can prevent potentially damaging results. Companies should consider adopting policies to monitor and audit certain employee behavior, such as the usage of company computers. Further, the Paper suggests that the most effective policies and procedures will:

  • Ensure ongoing visibility of sensitive corporate data
  • Limit employee access to certain content (determined by their role)
  • Encrypt data in-transit, at-rest and in-use
  • Require sufficient authentication for access to sensitive content
  • Properly manage and monitor mobile devices (with remote access capabilities)
  • Adopt an effective data back-up policy

Implementing an employee departure checklist can also help protect vulnerable data during the departure process. The Paper provides a checklist addressing the employee's physical and account-related activities, as well as backup, archiving and content management strategies.

Proper training will ensure that all employees, including management, have a thorough understanding of company policies and procedures and are aware of how sensitive data and information should be dealt with at all stages of the employment relationship.

For new hires, companies might consider including standard confidentiality provisions in employment contracts. Such provisions should use clear and unambiguous language, and should be properly explained to new employees upon hiring. Obtaining expert legal advice in drafting such agreements will ensure their efficacy.

Aird & Berlis LLP's privacy and data security experts and employment lawyers can provide support and legal guidance to help your organization implement these best practices to protect your organization's data.

Related Categories

Related Blogs

Posted in: Data Security/Privacy

Insights TheSpotlight
Embracing Artificial Intelligence at Your Law Firm 3 Keys to Successfully Introducing AI By Aaron Baer Jan 05, 2018 Advances in technology are transforming entire industries: Airbnb and Uber have wreaked havoc on the hotel and taxi industries; Netflix and online-streaming have turned the media industry on its head; self-driving cars are set to revolutionize the automotive industry.

Posted in: Privacy | Court Decision | Data Security/Privacy

Insights TheSpotlight
Texting and the Expectation of Privacy By Donald B. Johnston Dec 11, 2017 The Supreme Court of Canada published an important judgment on December 8, 2017, concerning whether or not Canadians have the right to expect that their texting conversations will remain private. Interestingly, the judgment of the court was split – which shows that even the cleverest lawyers can ...

Posted in: Privacy | Data Security/Privacy

Insights TheSpotlight
Equifax Breach - The Breach That Will Keep on Giving By Paige Backman and Meghan A. Cowan Sep 14, 2017 At this point, if you haven’t heard of the Equifax data breach, it could only be because you have rightfully been glued to the coverage of (or living through) Hurricane Irma, Harvey or Jose. On September 7, 2017, Equifax revealed that it was the subject of a cybersecurity breach over the s...