Employee Exit Data Protection Program (EEDPP)

Electronic equipment is an afterthought for most HR professionals. It is easy to see why when you look at all the human aspects to these human resources events. It’s easy and natural to let something as seemingly trivial as a laptop or desktop decommissioning process fall on the shoulders of your IT department or managed service provider. But in the modern age of wrongful termination lawsuits, intellectual property theft, and improper data destruction, it is up to human resources professionals to define their company’s Employee Exit Data Protection Program (EEDPP).

What is an Employee Exit Data Protection Program (EEDPP)?

t’s hard to anticipate a disgruntled employee destroying all the data on their company owned equipment. It’s hard to anticipate a lawsuit from a former employee that feels they were terminated improperly. And it’s impossible to anticipate a former executive, sitting on a ton of your company stock options, talking trash about your company in the final days of their short tenure. But these things happen. According to a Biscom study, over 80% of those surveyed reported that they had taken company documents and information with them when they left. Overall, insider threats comprise 43% of all data breaches, about half of which are intentional.

When dealing with digital forensics cases, Gillware commonly investigates these situations after they happen. Sometimes we get lucky, and the storage equipment hasn’t been molested or altered since the moments of those events. But more commonly, there is significant lag between the relevant dates of activity and Gillware receiving the equipment. In this period of time, it is not uncommon for IT professionals to have re-purposed the storage equipment in question. Even worse is when IT professionals play the role of amateur sleuth themselves, altering the data on the critical storage equipment during their crude investigations.

An employee exit data protection program (EEDP) is a company policy that defines what will happen with their electronic storage equipment during and after an employee exit. If any of these above things happen to your company, an employee exit data protection program can help mitigate their harmful effects on your organization.

Forensic Cloning and Archival of Storage Equipment

The cornerstone of an effective employee exit data protection program is forensic preservation—not just forensic preservation of an employee’s files and emails, but of an employee’s entire storage volume. Being able to inspect file system and operating system journals is critical for forensic analysis. If you have reason to believe that an employee made off with important company files on a USB thumb drive before leaving, for example, the employee’s hard drive could have a record of it. Skilled forensic analysts, such as our experts at Gillware, could find that record for you by looking in the O/S journals.

Set the Duration of Archival Persistence

So it makes sense that we should keep the forensic artifacts of a former employee around. But for how long? For some industries, precedents set in laws are a good guideline for email retention. The Securities and Exchange Commission (SEC) requires email archival for no less than five years, for example. Another idea would be to look at your state’s statute of limitations on wrongful termination lawsuits. Most states allow wrongful termination lawsuits up to 2 to 3 years after termination.

Another consideration when trying to set the duration of forensic archival is to have different rules for different departments within your organization. If you have computer scientists generating your companies products and you are worried about them taking part or all of the code-base with them, you may want to archive those for a decade or more. If the employee was a commission salesperson and you are worried about them stealing clients or violating their non-compete agreement, you may want to set the archival for at least the duration of their non-compete.

Should your Company Be Proactively Investigating Every Employee Exit?

This is a matter that depends on your industry. Very cutthroat industries, such as the financial and insurance industries, are rife with former employees stealing client lists or trade secrets, luring their former employer’s customers away, etc. If you work at financial firm “A” and financial firm “B” offers you the same job for double the salary, you might want to bring them a little bit of your current firm’s “secret recipe” to sweeten the deal, or help them lure away your current firm’s best clients. The more competitive and cutthroat your industry is, the more you might want to consider proactively investigating every employee exit.

When Should You Acquire the Storage Equipment?

Most companies, even when an employee has decided to quit and put in their two weeks’ notice, will wait until the employee is out the door for the final time before securing their storage equipment. This leaves open the possibility that the employee will perform ‘clean up’ to try and cover up any unscrupulous electronic activities. It is for the best if you archive an employee’s storage equipment as soon as they put in their two weeks’ notice.

Why Does Your Company Need an Employee Exit Data Protection Program?

What would you do if a competitor of yours pops up with an extremely similar product offering out of the blue, only months after acquiring one of your former employees? What would we do if our R&D director suddenly left and started working for a different data recovery lab, and six months later they put out a software data recovery tool eerily similar to our in-house data recovery software? We’d look through his computer workstation and work email account and see if we could find any evidence that he’d been schmoozing with our competitor. And then we’d get our lawyers on the phone.

Guard Against Employee Data Theft and Non-Compete Violations

Over the past 25 years, the number of businesses requiring their employees to sign non-compete agreements has been rising. Lawsuits over non-compete agreements have also been increasing to match. In some cases, you are the defendant, and your former employee is suing you, arguing that their agreement is too restrictive and is preventing them from continuing their career. In other cases, the former employee is the defendant, and you have reason to believe they have violated their agreement. Most of these cases are ultimately settled out of court, so statistics on them are hard to find. Regardless of who is suing who, the archival backup you had made of your former employee’s hard drive as per your EEDPP make your case—or break your former employee’s.

Protect Your Company from Malicious Data Deletion

A disgruntled employee who just got the sack might try to hurt your business in a fit of rage. Or an employee who is doing some shady stuff on the clock might try to cover their tracks. At Gillware Data Recovery, our engineers get hard drives from businesses of all sizes in need of data recovery every day. Seeing businesses lose data due to the actions of an ex-employee who parted on less-than-amicable terms is sadly common for us.

What you need to protect yourself from malicious data deletion by an employee is some form of backup. It’s important for your backup and archival system to be offsite. Users should not have permission to modify or delete it—your archival system should be automated and on a different network. Gillware offers both file-level and full-volume cloud-based backup services. Our backup services can guard your business against malicious data loss.

Most of the time, when an employee who just got told to clean out his desk deletes data from a company computer or server, it is a crime of passion. The ex-employee isn’t thinking straight. And even if they were in full possession of their faculties, they have no way to cover their tracks. Most people are not aware of what a savvy forensic investigator can dig up with a simple hard drive.

In HR, you need to be proactive with your employee exit data protection program. The sooner you can catch these incidents, the easier it is to mitigate the damage done. And with evidence in hand, pursuing action against the culprit will be much more fruitful for you.

Defend Yourself in a Wrongful Termination Lawsuit

You might fire an employee, and a few months later, they come back and hit you with a wrongful termination lawsuit. According to the U.S. Equal Employment Opportunity Commission (EEOC), the year 2015 saw over 89,000 charges filed. Maybe the ex-employee is in the right, and they were fired over something petty or discriminatory. Or maybe you were in the right for firing them—maybe they were belligerent or unhelpful to their coworkers, spent their work hours looking at pornography, etc.

If you rightfully fired a former employee and need to defend yourself from a wrongful termination lawsuit, your EEDPP could come in handy. Being able to point to specific hard evidence of the ex-employee’s own actions which led to their termination will be immensely helpful for you.

Gillware Can Help You Build a Strong Employee Exit Data Protection Program

There are many tools and services that can help your HR department create a good EEDPP. For starters, you can take advantage of a file-based cloud backup service. Storagecraft’s file-based backup stores up to five revisions of each file. Restoring maliciously deleted data with our online file-based backup services is a cinch. If you have an in-house IT staff, they can utilize our software to archive and MD5 the storage from their laptops or desktops the day the employee exits your organization.

Employee Exit Data Protection as a Service

Simply submit a service request on our website, wrap up the appropriate equipment, and send it in to Gillware. It can be a company laptop or desktop hard drive, a company phone, or any other company-provided data storage device. Gillware will make forensic image copies of the equipment and archive them for you, optionally cleaning and returning them to you for reuse. We can hold onto the forensic image copies for up to 20 years, depending on your specific needs. If you have reasons to be especially proactive, our expert forensic analysts can perform a preliminary investigation.

What are the possible outcomes of a preliminary investigation?

Maybe our forensic investigator will determine that a large amount of company files were copied to a thumb drive, uploaded to a dropbox, or emailed to a gmail account. Perhaps we’ll find evidence that an employee was speaking ill of peers or the companies’ products or services, voiding their severance package. Or perhaps the investigator will find the employee was anonymously trashing the company in online reviews or on glassdoor.com. Perhaps the former employee was improperly utilizing company equipment to illegally torrent data. Or perhaps you’ll find they spent most of their work hours surfing the internet for pornography.

In most cases, the preliminary investigation won’t find any nefarious activity. And that’s a good thing! If the investigator does find suspicious activity, they’ll give you a recap of their findings and you’ll have an option to pursue a more detailed investigation. If any of your ex-employees end up suing the company for wrongful termination, you’ll be happy you archived their data, regardless.

A savvy HR director will ensure that you’ve protected your company from malicious ex-employee behavior, preventing massive settlements in lawsuits. For some organizations, it makes incredible sense to spend a thousand dollars on a comprehensive investigation on each and every employee departure/dismissal. Regardless of your company’s size or the type of industry you’re in, you need to make sure you’ve protected your company’s data. We here at Gillware can help you set up an employee exit data protection plan that works for you.