Protecting company data from ex-employees
by Eric J. Sinrod

While companies are relatively accustomed to requesting the return of building keys and ID cards from departing employees, they are less vigilant when it comes to electronic data. Can this lead to problems? Yes!

When employees are terminated involuntarily, emotions can run high on both sides of the table. The people in charge of the termination may feel quite uncomfortable. Their entire focus may be on calming the terminated employee and making sure the person leaves the building without incident. While building keys and ID cards likely will be requested for return, it is quite possible that company personnel will forget right away to disable the former employee's access rights to the company's information systems.

The danger

In a case like that, a terminated employee could sit down at an off-site computer and have remote access to the company's information system. But now there's an added factor: the terminated employee may harbor a grudge against the company or may want to take advantage of proprietary company information for career pursuits.

Terminated employees could seek revenge by attempting to delete or alter important data stored on the company's information systems. Or they could seek to steal the crown jewels of the company — its intellectual property stored on its information systems.

Once employees are terminated (or even when they depart voluntarily), companies immediately must disable their access rights to information systems. Even a lag of several days, which is not uncommon, can lead to serious consequences.

For companies of all sizes, it is important to maintain an organizational list or directory that documents the various levels of access employees have to the company's information systems. Once any of those employees departs the company, the company then should be in a position to disable all applicable access rights.

When it is known in advance that employees will be leaving on a certain date, the company can build in automatic stop dates, which ends access rights to information systems on that date.

Companies would be wise to have the manager who has supervised specific, departing employees to complete and sign off on a checklist which demonstrates that access rights to information systems have been disabled. This helps ensure that a live human being actually takes care of this before a problem occurs.

Burden vs. benefit

Of course, it is a burden to add yet another responsibility to managers when it comes to dealing with departing employees. However, the increased burden is slight when compared to the havoc that could be wreaked in its absence.

This article first appeared on Law.com.

Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology disputes. His Web site is www.sinrodlaw.com, and he can be reached at [email protected]. To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to [email protected].

usatech