By Avi Gesser, Will Schildknecht, and Christine LiCalzi

We recently wrote about companies monitoring employees to reduce cybersecurity risks.  Those insider threat risks do not end when employees leave the company.  Sensitive company data in the hands of a disgruntled former employee is obviously a potential risk, but so is unauthorized access to confidential company information by a former employee acting in good faith.  Companies must therefore take steps to protect their data from walking out the door with exiting employees.

Employees who are leaving should be required to identify all the locations where they may have confidential company data, including old company computers and phones, personal computers where company data has been saved, and personal email accounts or messaging applications.  A former employee may also mistakenly believe that work to which they contributed belongs to them and may use it to apply for new positions or at a new job.  Departing employees should also be asked to identify all of their employment-related accounts, such as for Sharepoints, FTP sites, and Extranets, to make sure the accounts are properly closed.  Other measures that reduce the risk of former employees leaking confidential company information include:

• Prohibiting and disabling the use of portable electronic data storage devices, such as thumb drives, on work-issued electronic devices.
• Collecting the employee’s work-issued electronic devices at the time of or prior to the employee’s departure.
• Revoking access to information systems immediately after the employee departs.
• Employing software that can isolate and remotely wipe work-related apps and data from the former employee’s personal devices.
• Articulating to employees, though policies and training, the company’s ownership rights to data generated by the employees.
• Monitoring the web, including sites like GitHub and LinkedIn, for sensitive company information. 

Former IT employees or contractors may post code on public sites that they had written for a company without even realizing that it contains confidential data.  In such cases, a simple call or email to the former employee may be enough to get the confidential content removed from the website and deleted from the former employee’s files.  But in the event that the employee is not fully cooperative, companies should consider sending a cease and desist letter to the former employee and a take-down request to the website that is hosting the data.  The Davis Polk Cyber Portal is available to our clients to help navigate these kinds of data issues, and includes a model Cease and Desist Letter, Personal Device Policy, and Tabletop Exercise on employee data theft, as well as dozens of other resources to help clients reduce the risk of unauthorized data access.  

Avi Gesser is a partner, and Will Schildknecht and Christine LiCalzi are associates at Davis Polk & Wardwell LLP. This piece was originally published on DavisPolk’s Cyber Blog.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.