Employee terminations – whether voluntary or not – must be handled properly in order to ensure optimal risk management. Employment lawyers cannot leave the technology-related aspects of a termination to others.
- Ensure that your cybersecurity and Proactive Privacy policies are designed with the end of the employment relationship in mind. These include:
  - Setting out clear statements of your company’s cybersecurity and privacy culture and rules, including a culture in which one employee accessing information on behalf of another (sharing credentials or acting as a stand-in) is discouraged.
  - Ensuring that removable mass storage devices, including personal cell phones and USB drives, cannot be attached to company endpoints (for example, through device-control policies), so that data cannot simply be copied off.
  - Maintaining careful control of remote access and the privileges it grants employees.
  - Maintaining an accurate inventory of the equipment issued to each employee.
  - Ensuring that each employee has only the information access and access levels he or she needs to do the job, and no more (the principle of least privilege).
  - Monitoring systems and keeping detailed audit logs that are actually reviewed.
  - Creating an adequate backup facility and disaster recovery plan so that no one employee, acting alone, can cause irreparable harm.
  - Ensuring that software and security patches are kept up to date and applied across all networks and systems.
  - Maintaining clear password and account-ownership policies so that no one employee “holds the keys” to core systems, social media accounts, etc.
  - Creating end-of-employment standard operating procedures, notification protocols and checklists. These should include an organized process for handling requests for exceptions to standard procedures and a procedure for emergency, adverse terminations.
  - Creating a chain-of-custody procedure for returned equipment (when it was returned, who handled it, who backed it up, who wiped it, and to whom it was reissued).
  - Having sound physical security in place.
- Enshrine (and enforce) your security, social media and home technology-use expectations in an employment agreement and/or policy.
- Have policies and procedures in place that authorize and permit the remote monitoring, backing up and wiping of any equipment that may hold corporate data. This should be a key part of your data governance plan.
Just prior to Termination (or at notice)
- Perform a risk analysis of the terminating employee’s ability to do harm:
  - What is the employee’s means of physical access to the network? This includes both permitted access (keycards to server rooms) and non-permitted access (an empty office with a computer).
  - What accounts, data and systems can the employee access?
  - Does the employee hold any shared or service-account passwords, or administrative privileges?
  - Does the employee possess a piece of knowledge that would constitute a “single point of failure” for your organization’s ability to use its accounts, data or systems?
  - What access does the employee have from remote locations or through portable devices?
  - What security controls (e.g., audits, monitoring) are in place to document network, account and data access?
  - Who are the employee’s workplace friends, and do they have the same or similar access?
- Assess, on a motive-neutral basis, what harm the terminating employee might cause given the above and act to develop a mitigation plan. To be fair, my suggestion to be motive-neutral is based on what I perceive to be the inherent difficulty of successfully analyzing an individual’s motivations to do bad things, but this is not universally accepted.
- Consider denying or limiting access while the above analysis is carried out. Immediate isolation from the network (disabling all accounts) is a best practice, but it is not always practical. Accordingly, where terminating employees are permitted to stay active while working their notice period, use good monitoring software whose logs are reviewed according to a set procedure.
- Inventory remote devices and data stores that are not enterprise-owned but that the terminating employee used in the course of their work.
- Preemptively and frequently back up the data of terminating employees, especially if they are working during a notice period.
- After reviewing the range of access the employee has to systems, data and accounts, consider limiting that access (even severely) during the notice period.
- Review monitoring logs of all departing employees for their activities, including retroactively reviewing logs created before they gave notice.
- Promptly secure the return of keys, access cards, IDs and company property, and obtain any passwords to company accounts the employee holds (and then change them).
- Dis-incentivize retaliation and create goodwill (even during an adverse termination). Consider the following, taking into account your business’ needs:
  - If you remotely erase data from a smartphone, even a company-owned one, consider strategies for making certain contacts available to the terminated employee. You may be faced with the reality that an employee cannot reach a spouse or a physician because the employee (even if impermissibly and wrongly) intertwined non-work information with yours.
  - Ensure that personal files are recoverable and returnable. Unless there is a genuine concern that an employee is stealing data through personal files, returning the employee’s wedding guest list file should be a low-cost proposition.
  - When incentivizing a release of claims, include cooperation with technology-related matters as part of the agreement.
  - Provide an information retrieval contact who can help the employee recover what he or she personally needs.
  - Provide a standard outgoing email message that, if appropriate, allows an employee to direct personal contacts to another email address.*
  - Consider a procedure whereby a company cell number is either redirected or transferred to the former employee, or carries a standard outgoing voice mail message with directions for contacting the employee.
  - Inform the employee of obligations under privacy rules, non-compete, trade-secret protection and confidentiality agreements; intellectual property law; software and website licensing agreements; and various legal regimes, such as tort law and the Computer Fraud and Abuse Act.
* With social media, there is likely limited value in playing hardball in this area, but, again, there are many business needs to consider.
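The retroactive log review recommended above (look back at activity before notice was given, then keep watching during the notice period) is easier to do consistently when it is scripted rather than eyeballed. The following is an added example, not code from the original post or any product it mentions. It assumes a constructed, simplified monitoring-log export (one JSON object per line with a UTC timestamp, user and event type) and a few hypothetical policy inputs (corporate e-mail domain, sensitive path prefixes, business hours, spike threshold); real SIEM exports and policies will differ, so the parser and thresholds are the parts to adapt.

```python
"""Retroactive log review for a departing employee.

Added example, not code from the original post. It assumes a constructed,
simplified monitoring-log export (one JSON object per line) and hypothetical
policy thresholds; real SIEM exports and policies will differ.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). Fields: ts (UTC ISO 8601),
# user, event, plus event-specific details. Lines are deliberately unsorted.
SAMPLE_LOG = """\
{"ts":"2024-01-20T10:00:00Z","user":"jdoe","event":"login","src":"office"}
{"ts":"2024-01-20T10:05:00Z","user":"jdoe","event":"file_download","path":"/shared/marketing/plan.pdf","bytes":2000000}
{"ts":"2024-02-02T11:00:00Z","user":"jdoe","event":"file_download","path":"/shared/marketing/deck.pptx","bytes":3000000}
{"ts":"2024-03-01T23:30:00Z","user":"jdoe","event":"login","src":"vpn"}
{"ts":"2024-03-01T23:35:00Z","user":"jdoe","event":"file_download","path":"/finance/customer-list.xlsx","bytes":50000000}
{"ts":"2024-03-01T23:40:00Z","user":"jdoe","event":"usb_attach","device":"SanDisk Ultra"}
{"ts":"2024-03-02T09:00:00Z","user":"jdoe","event":"share_grant","target":"jdoe.home@mail.example","path":"/finance/forecast.xlsx"}
{"ts":"2024-03-10T14:00:00Z","user":"jdoe","event":"priv_change","target":"bjones","role":"finance-admin"}
{"ts":"2024-03-01T12:00:00Z","user":"asmith","event":"login","src":"office"}
{"ts":"2024-03-01T12:10:00Z","user":"asmith","event":"file_download","path":"/shared/hr/handbook.pdf","bytes":500000}
{"ts":"2024-03-18T20:00:00Z","user":"jdoe","event":"login","src":"vpn"}
{"ts":"2024-03-18T20:10:00Z","user":"jdoe","event":"file_download","path":"/finance/q1-report.pdf","bytes":1000000}
"""

# Hypothetical policy inputs; adjust to your own environment.
CORP_DOMAIN = "corp.example"
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
BUSINESS_HOURS = (8, 18)   # UTC, weekdays only (assumption)
SPIKE_RATIO = 3.0          # window download rate vs. baseline rate


def parse_log(text):
    """Parse JSON lines into dicts with an aware UTC datetime in 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def is_off_hours(ts):
    """Weekend, or outside the configured business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def review_departing_user(events, user, notice_date, review_end,
                          lookback_days=30, baseline_days=30):
    """Summarise one user's activity from lookback_days before notice through
    review_end (i.e. the pre-notice lookback plus the notice period), and
    compare download volume with the baseline period immediately before it."""
    window_start = notice_date - timedelta(days=lookback_days)
    baseline_start = window_start - timedelta(days=baseline_days)
    mine = [e for e in events if e["user"] == user]
    baseline = [e for e in mine if baseline_start <= e["ts"] < window_start]
    window = [e for e in mine if window_start <= e["ts"] <= review_end]

    def dl_bytes(evs):
        return sum(e.get("bytes", 0) for e in evs if e["event"] == "file_download")

    baseline_rate = dl_bytes(baseline) / baseline_days
    window_rate = dl_bytes(window) / max((review_end - window_start).days, 1)
    logins = [e for e in window if e["event"] == "login"]
    downloads = [e for e in window if e["event"] == "file_download"]
    return {
        "user": user,
        "window": (window_start.isoformat(), review_end.isoformat()),
        "off_hours_logins": [e["ts"].isoformat() for e in logins if is_off_hours(e["ts"])],
        "remote_logins": sum(1 for e in logins if e.get("src") == "vpn"),
        "download_count": len(downloads),
        "bytes_downloaded": dl_bytes(window),
        "sensitive_downloads": [e["path"] for e in downloads
                                if e["path"].startswith(SENSITIVE_PREFIXES)],
        "usb_attachments": [e["device"] for e in window if e["event"] == "usb_attach"],
        # Shares to addresses outside the corporate domain (e.g. a personal mailbox).
        "external_shares": [(e["target"], e["path"]) for e in window
                            if e["event"] == "share_grant"
                            and not e["target"].endswith("@" + CORP_DOMAIN)],
        # Privileges the departing user granted to others (the "workplace friends" question).
        "privilege_grants": [(e["target"], e["role"]) for e in window
                             if e["event"] == "priv_change"],
        "baseline_bytes_per_day": round(baseline_rate),
        "window_bytes_per_day": round(window_rate),
        # Downloads with no baseline at all are treated as a spike too.
        "download_spike": window_rate > 0 and (
            baseline_rate == 0 or window_rate / baseline_rate >= SPIKE_RATIO),
    }


def demo_report(user):
    """Run the review over the constructed sample with fixed example dates."""
    return review_departing_user(
        parse_log(SAMPLE_LOG), user,
        notice_date=datetime(2024, 3, 15, tzinfo=timezone.utc),
        review_end=datetime(2024, 3, 20, tzinfo=timezone.utc))


if __name__ == "__main__":
    for key, value in demo_report("jdoe").items():
        print(f"{key}: {value}")
```

Each finding maps to a question in the risk analysis above: off-hours and VPN logins to remote access, USB attachments to the removable-media control, external shares and sensitive downloads to exfiltration, and privilege grants to colleagues with "the same or similar access". The baseline comparison is what makes the retroactive part useful: a single 50 MB download means little on its own, but a tenfold jump over the user's own prior rate is worth a human's attention.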
See this excellent piece: Avoiding Being Held Hostage: Terminating Key IT Employees.