American Bar Association
April 2010 | EFFECTIVE DIVERSITY STRATEGIES IN LAW PRACTICE MANAGEMENT

Management

Departing Employee Technology Checklist: Keeping the Fox Out of the Henhouse

By Thomas W. Shumate IV


One of the best ways for employers, including law firms, to minimize the destruction and theft of data is to have a departing employee technology checklist and follow it religiously.

 

Timothy Lloyd was angry. Despite his years of service as the computer system administrator for Omega Engineering Corporation, he was demoted to a non-supervisory position after multiple verbal and physical altercations with his co-workers. Rather than learning his lesson, Lloyd decided to teach his employer one. He planted a computer “time bomb” on Omega’s server and used an extended fuse so that it did not “go off” until months after he had already been terminated for another altercation. The time bomb destroyed more than 1,200 of Omega’s programs, including some that were used to manufacture Omega’s products. The damage caused Omega a 9 percent decrease in growth and losses of approximately $10 million. Lloyd was ultimately convicted of computer sabotage, sentenced to 41 months in prison, and required to pay $2,043,394 in restitution. Of course, Lloyd’s punishment did not come close to making Omega whole.

 

These facts, taken from U.S. v. Lloyd (269 F.3d 228 (3rd Cir. 2001)), demonstrate the vast amount of damage that an employee can do to an employer’s computer system with the proper motivation, time and access. While most employees do not have the skill necessary to engage in such high-tech mischief, employees can still do a lot of damage using “old fashioned” techniques like manually deleting system data or intentionally entering defective or erroneous information.

 

In addition to the alteration or destruction of data, employers are also at risk of data theft. According to a study by the Ponemon Institute and Symantec Corp., 59 percent of employees who left their jobs the previous year admitted to stealing (they would call it “borrowing”) confidential information from their employers. Sixty-seven percent of those employees also admitted to using that information at their new jobs. With each technological advance, the magnitude of the risk of data theft increases as well. For example, last year a company introduced the first 256GB flash drive. To put that in perspective, assuming 1GB can hold an average of 64,782 pages of Word documents, then 256GB equates to approximately 16,584,192 pages, or 6,634 banker’s boxes worth of documents. This means that an employee could easily walk out of an employer’s office with the equivalent of multiple truckloads of information in his or her pocket.

 

One of the best ways for employers—including law firms—to minimize the destruction and theft of data is to create a departing employee technology checklist and to follow it religiously. Generally, any such checklist should include the following: (1) physical removal of the employee from the premises as soon as possible; (2) implementation of steps to prevent the employee from re-accessing the employer’s premises and computer system; (3) minimization of any incentive for the employee to attempt to re-access the employer’s computer system; and (4) continuous monitoring of the employer’s computer system for security breaches.

 

1. Remove the Employee from the Premises

In The 48 Laws of Power, authors Robert Greene and Joost Elffers recommend that those seeking power conceal their intentions in order to keep their opponents off balance and incapable of preparing a defense. That rule applies to the termination of employees as well. While the thought of terminating an employee with little or no notice sounds harsh and insensitive, the reality is that the more notice the employer gives an employee of an impending termination, the more opportunity the employee has to engage in electronic mischief that could cripple or destroy the company.

Once a decision has been made to terminate an employee, the decision should not be communicated to the employee until the employer is prepared to escort him or her from the premises for the last time. It is better to pay the employee some severance benefits with no expectation of receiving anything in return than to give a bitter or vindictive employee an opportunity to settle the score or to obtain information that will likely end up in the hands of a competitor.

 

2. Limit the Employee’s Physical and Electronic Access

Once the employee has been removed from the premises, the employer should take prompt action to prohibit the employee from re-accessing the employer’s premises or obtaining access to its computer or communications systems. In doing so, the employer should be sure to address the following areas:

Premises

  • Obtain all security access cards.
  • Obtain custody of all parking cards.
  • Change access and security codes.

Network

  • Remove the employee’s network rights.
  • Disable the employee’s remote access to the network via a Web site or dial-in.
  • Change passwords for all applications to which the employee had access via the server.

Computer

  • Obtain custody of the employee’s desktop or laptop computer.
  • Disable the Windows login account on the employee’s computer.
  • Change passwords for all applications on the employee’s computer.

Hard Drives or Memory Devices

  • Obtain custody of all company external hard drives and jump drives (thumb drives or “memory sticks”).
  • Obtain custody of all cameras.

E-mail

  • Disable the employee’s e-mail account.
  • Disable the employee’s remote e-mail access.

Telephones

  • Obtain custody of the employee’s cell phone, smartphone, BlackBerry, and/or pager.
  • Obtain custody of the employee’s calling cards.
  • Delete the employee’s voice-mail account and/or change the voice-mail password.
  • Update the company telephone directory (electronic and paper).

Web Site and Extranets

  • Remove any rights the employee may have regarding the organization’s domain name(s).
  • Remove any rights the employee may have as administrator of the organization’s Web site and extranets.
  • While you are at it, remove the employee’s page or profile from the organization’s Web site.

Credit Cards/Bank Cards/ATM cards

  • Obtain custody of company credit cards.

Accounting/Bank Access

  • Change the passwords for any accounts to which the employee had access.

Data

  • Move or take additional steps to restrict access to any highly confidential information such as client and pricing lists.

Files/Projects

  • Take an inventory of all of the files or projects on which the employee was working, and make sure that all such materials have been returned. This is particularly important for employees who work remotely.
  • If the employer suspects that the employee has already taken steps to destroy or steal data, it should retain a forensic computer examiner before taking the above steps. That way the examiner can make a “mirror image” of the employee’s computer hard drive or take other necessary steps to preserve data so that the employer does not inadvertently alter or destroy any relevant evidence while preventing the employee from re-accessing the employer’s system.

 

3. Remove Any Incentive for the Employee to Attempt to Regain Access

Once the employer has removed the employee from its premises and taken steps to protect the safety of its remaining employees and the integrity of its data, the employer should take reasonable steps to remove the employee’s personal data from its system and to return it to the employee. Most employers have policies and procedures prohibiting employees from storing personal information on the employer’s system or making it clear that the employee has no expectation of privacy or ownership interest in anything stored on the employer’s system. Here, however, the issue is less about what is legally required and more about removing the employee’s incentive to attempt to regain access to the system. As such, employers should remove the former employee’s personal files from the network and company-issued computer, as well as any personal e-mail folders, and return them to the employee. As an added benefit, this may engender some goodwill for the employer.

 

Although not as common in law firms, if the employee signed a non-compete or confidentiality agreement, the employer should remind the employee of that and provide copies of the agreements to the employee. It would also be a good idea to remind the employee of the consequences of violating those agreements.

 

4. Regularly Monitor Sensitive Data

Even after the employer has completed these tasks, it should continually monitor its system to ensure that the former employee has not regained access and to make sure that its most critical information has not been compromised. For example, the employer can have its IT personnel determine whether its pricing information has been copied or downloaded recently. If it has, the employer should determine who copied the information and whether they have the authority to access the information and a legitimate business purpose for doing so.
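One way IT personnel could run the check described above, as an added example that is not part of the original article: it scans a file-access log for any activity by a departed account and for copies or downloads of sensitive files, and sorts each hit by the follow-up it needs. The log format, account names, paths and authorization lists are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample log (hypothetical format): timestamp,user,action,path,source
ACCESS_LOG = """\
2010-04-02T09:14:00,jdoe,read,/finance/pricing/2010-price-list.xls,10.0.0.21
2010-04-06T22:41:00,rroe,login,-,vpn
2010-04-06T22:47:00,rroe,copy,/finance/pricing/2010-price-list.xls,vpn
2010-04-07T10:05:00,asmith,download,/finance/pricing/2010-price-list.xls,10.0.0.34
2010-04-07T11:30:00,mjones,copy,/clients/client-list.xls,10.0.0.40
2010-04-07T11:45:00,mjones,read,/hr/handbook.pdf,10.0.0.40
"""

# Hypothetical inputs: HR departure times and who may handle each sensitive area.
DEPARTED = {"rroe": datetime(2010, 4, 5, 17, 0)}
AUTHORIZED = {
    "/finance/pricing/": {"jdoe", "asmith"},
    "/clients/": {"jdoe"},
}
COPY_ACTIONS = {"copy", "download"}


def review_access(log_text, departed, authorized):
    """Return (finding, user, action, path, timestamp) tuples needing follow-up."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, user, action, path, _source = row
        left = departed.get(user)
        # Any event from a departed account after the exit time means
        # the account, or a credential tied to it, is still usable.
        if left is not None and datetime.fromisoformat(ts) > left:
            findings.append(("FORMER_EMPLOYEE_ACTIVITY", user, action, path, ts))
            continue
        if action not in COPY_ACTIONS:
            continue
        for prefix, allowed in authorized.items():
            if path.startswith(prefix):
                # Authorized users still get listed so someone can confirm
                # a legitimate business purpose, as the article advises.
                kind = "CONFIRM_BUSINESS_PURPOSE" if user in allowed else "UNAUTHORIZED_COPY"
                findings.append((kind, user, action, path, ts))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCESS_LOG, DEPARTED, AUTHORIZED):
        print(*finding, sep="  ")
```
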

 

The employer should also make it a company policy that any employee who assists a former employee with accessing the company’s premises or system will be terminated immediately. This is for their safety as much as the employer’s. The former employee’s co-workers should be reminded of that policy from time to time, particularly after terminations.

 

Conclusion

Today, more than at any other time in history, employees have the ability to quickly and inexpensively destroy and steal huge amounts of data. To protect against such behavior, employers must make sure that they have sealed all points of access to the system and be willing to monitor their systems for ongoing breaches. After all, it only takes one lapse to severely damage or destroy a customer relationship, company or firm. It is better to be vigilant than a statistic.


About the Author

Thomas W. Shumate IV is Of Counsel to Kay, Griffin, Enkema & Brothers, PLLC in Nashville. He practices business and employment litigation and is Chair of the Tennessee Bar Association’s Law Office Technology and Management Section. You can learn more about him at his blog, www.tennesseenoncompetelaw.typepad.com, on Tennessee non-compete law and business torts.
