By Brian Schrader, Esq.
The coronavirus has caused a substantial increase in remote work. Employers should be proactive in protecting their data when letting go of remote employees.
Recent events have changed just about every facet of our lives, including how we report to work every day. Gallup found that 62% of employed adults were working remotely during the April peak of the pandemic – an increase from the 43% of U.S. employees working remotely at least some of the time prior to spring 2020.
Fortunately, the abundance and accessibility of technology allow companies to stay connected and continue business as (somewhat) usual, but not without challenges. For example, there has been an increase in phishing attempts, which can result in major business interruptions. Companies also have had to provide laptops for every employee at home and clearly lay out company policies regarding data privacy, ownership and other issues.
One procedure businesses should clearly communicate and carefully practice is the handling of a remote employee’s departure. Eighty-seven percent of employees take data with them when leaving a company. Some think it belongs to them while others may be stealing it for future use. Regardless of the scenario, it’s important to monitor employees’ actions leading up to their departure, which is even more difficult to do from a completely different location. Here are five steps to keep your data protected when letting go of a remote employee:
Disable the remote employee’s digital and physical access to company property: Conduct an exit interview to determine all the types of data he or she has access to and passwords to each, including email, software, hard drives, third-party systems and the cloud. Be sure to determine whether the employee used a personal device to access sensitive company information and have the IT department disable access to all platforms (including building codes and passes). If it’s not possible to conduct an exit interview in person, schedule a video meeting and send a prepaid packing label so the remote employee can mail in all company property, such as laptops, phones, hard drives, keys, parking passes and key fobs.
Preserve any essential data: Legally, companies must preserve any data that may be needed in a legal, investigative or regulatory matter, so don’t rush to wipe exiting employees’ devices before determining whether or not they hold important information. In fact, companies that deal with sensitive customer data may benefit from establishing an organization-wide policy stating that devices won’t be wiped or re-issued for 90 days after an employee’s departure. If you decide the employee’s data needs to be preserved, it may make sense to also forensically copy their device(s). Forensic imaging goes beyond just copying the files. It also captures metadata, deleted files, USB device usage, file access history and more. Not only are forensic images defensible in court, but they offer insight into the employee’s activity and can be used to determine innocence or guilt during litigation.
Carry out data remediation: Data remediation (the process of cleaning, organizing and migrating data) can be completed after the device has been forensically imaged, if imaging is deemed necessary. This step includes clearing all data from the remote employee’s company-owned devices and any personal devices containing company data, which you would have discovered during the exit interview. While company devices shouldn’t be wiped until any necessary data has been copied or imaged, it’s important to clear personal devices as soon as possible to avoid misuse of any company data remaining after those devices are repurposed. Prior to the employee’s last day, ask the employee to remove any personal information from company-owned devices, and be sure to communicate that any data left on the device belongs to the organization.
Check for suspicious activity: If you suspect that the employee may have stolen data, it’s a good idea to retain a forensic expert who can defensibly review the employee’s devices and search for unusual activity, including:
- The use of a USB drive or the cloud to transfer or delete large amounts of data
- Data transfers during non-business hours, including nights, weekends and holidays
- Increased data usage leading up to the employee’s departure
- Software that was recently added to or deleted from the device
- Access to files that either violate company policies or don’t relate to the employee’s role
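The first three indicators in the list above can be checked mechanically against a transfer log before an expert is engaged. The Python sketch below is an added example, not part of the original article; the event format, thresholds, business hours, holiday calendar and departure date are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, date, timedelta
from collections import defaultdict

# Constructed sample events: (ISO timestamp, channel, bytes moved). Not real data.
EVENTS = [
    ("2020-06-01T10:15:00", "share", 40_000_000),
    ("2020-06-03T14:02:00", "cloud", 25_000_000),
    ("2020-06-09T11:30:00", "share", 35_000_000),
    ("2020-06-20T23:41:00", "usb", 4_200_000_000),
    ("2020-06-24T09:05:00", "cloud", 900_000_000),
    ("2020-06-25T19:30:00", "usb", 1_500_000_000),
]
DEPARTURE = date(2020, 6, 26)    # assumed last day of employment
HOLIDAYS = {date(2020, 5, 25)}   # assumed company holiday calendar
LARGE = 500_000_000              # assumed "large transfer" threshold in bytes
WINDOW_DAYS = 14                 # assumed pre-departure review window
SPIKE_FACTOR = 5                 # assumed ratio that counts as increased usage

def off_hours(ts):
    """Nights, weekends and holidays; business hours assumed Mon-Fri 08:00-18:00."""
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS or not (8 <= ts.hour < 18)

def review(events, departure):
    """Return (when, reason) findings for the three log-checkable indicators."""
    findings, daily = [], defaultdict(int)
    for raw, channel, size in events:
        ts = datetime.fromisoformat(raw)
        daily[ts.date()] += size
        if channel in ("usb", "cloud") and size >= LARGE:
            findings.append((raw, "large_usb_or_cloud_transfer"))
        if off_hours(ts):
            findings.append((raw, "off_hours_transfer"))
    # Compare average volume per active day inside the window with the earlier baseline.
    start = departure - timedelta(days=WINDOW_DAYS)
    recent = [v for d, v in daily.items() if start <= d <= departure]
    base = [v for d, v in daily.items() if d < start]
    if recent and base:
        ratio = (sum(recent) / len(recent)) / (sum(base) / len(base))
        if ratio >= SPIKE_FACTOR:
            findings.append((str(departure), "pre_departure_volume_spike"))
    return findings

if __name__ == "__main__":
    for when, reason in review(EVENTS, DEPARTURE):
        print(when, reason)
```

Findings from a check like this are leads for the forensic review, not conclusions; a spike with no baseline data, for instance, is simply not reported.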
Consult a forensic professional: If you’ve discovered any of these or other suspicious behaviors, bring in a licensed forensic expert to perform a full digital investigation. This process involves analyzing not just the items above, but the employee’s behaviors, including their email and USB usage, access of sensitive networks and files, use of file-sharing websites, internet browsing history and much more. The professional can also recover altered or deleted files and review system or log files for unusual or suspicious activities.
COVID-19 has forced many employers to let go of staff to keep their businesses afloat, leading to 20.5 million unemployed Americans. While some are returning to work and while it may seem like the virus is leveling off, at least in some areas, we have not seen the last of its effects on businesses. It’s wise to have organizational policies in place to protect your company data in case you must let go of remote employees.
About Brian Schrader
Brian Schrader, Esq., is president & CEO of BIA (www.biaprotect.com), a leader in reliable, innovative and cost-effective eDiscovery services and digital forensics. With early career experience in information management, computer technology and the law, Brian co-founded BIA in 2002 and has since developed the firm’s reputation as an industry pioneer and a trusted partner for corporations and law firms around the world. He can be reached at firstname.lastname@example.org.