By Christine Day
EverFi Legal Editor
We’ve written before about how a company’s data security can be compromised by employees, whether through insider negligence or through unauthorized sharing of files. But an ex-employee who is fired, or who leaves under less than favorable circumstances, can also wreak havoc with your data on the way out the door.
One case in May 2017 illustrates how damaging a theft of data by an ex-employee can be. A patrol officer at a security company resigned after being caught falsifying timekeeping records. He had illegally obtained a username and password and discovered that he could access the company’s payroll system remotely from his patrol car, and he started racking up many overtime hours by logging four hours of time for every one-hour lunch period.
After he left, he hacked the security company’s website, stole proprietary software to use in a security company that he was developing, and used the company’s files to poach clients away from his former employer.
A court found him guilty and awarded the security company over $318,600 worth of damages relating to overpayments to the ex-employee, the cost of other employees’ time to rebuild databases and files, lost income from customers who were poached away, and the cost of replacing hardware, among other costs.
Data Security Precautions for Current Employees
Employers should remember to take precautions to protect their data even from current employees. Not only can failure to protect data be an unfair practice under the Federal Trade Commission Act, but employees will have a harder time stealing information that they don’t have access to before they leave. Employees’ access to data should be limited so that they have access only to the information that they legitimately need to perform their jobs. Remote access should be limited when possible.
Termination Process
Employers should have a termination process that includes monitoring their systems when an employee’s termination is negative. Even when a separation is mutually agreeable, employers should change passwords and deactivate accounts. Although employees sometimes do steal confidential information to start a competing business, that’s not the general rule. It’s not unheard of for employees to break away amicably and start their own companies. Instead of assuming that an ex-employee is out to steal something, employers can do themselves a favor by emulating the attitude of Fortune’s David Galloreese, who writes that “There’s no such thing as an ex-employee.”
Galloreese reminds employers that an ex-employee “can be an ambassador (much like a customer) that sings your good praises and refers you job candidates; they could become an actual customer, or they might even come back to work for you someday.” Employers who take actions like supporting their current employees, and conducting serious and respectful exit interviews when employees leave, are creating “a framework for a permanent change in how employees are treated by your company as they move on.”