Technical Support: 412-349-6678 | Incident Response

How to Avoid Data Theft When Employees Leave

Layoffs and terminations - how to avoid data theft when employees leave

Hard times can force hard decisions.

Many companies affected by the COVID-19 quarantine have been horribly affected, and over 40 million Americans are unemployed. With so many unemployed, we can anticipate a feeble economy throughout 2020 and more repercussions to come.

Maybe your company is fortunate and has not been forced to lay off any employees. Yet, perhaps your customer or your supplier has been forced to cut staff or reduce payroll in some other fashion – such as reducing hours or cutting pay.

These changes to employment status can lead to repercussions that can strongly affect our businesses, so we must take steps to mitigate data theft and security breaches – both now and for the future.

Data Theft

Data leaks, both intentional and unintentional, pose a huge problem for any organization.

For companies that recently laid off employees, the issue becomes more critical and more sensitive.

An estimated 69% of employees departing a company will take some data on the way out. Unfortunately, in the information age, as much as 70% of the value of a publicly traded company is estimated to be intellectual property, so the theft of that data can be enormously damaging.

Some of the damage will result from competitors obtaining the intellectual property. However, with the rise of data protection regulations, organizations also need to be concerned about the leak of health information, credit card data, and personally identifying information.

Intentional Damage

Some disgruntled employees will take data with the intention of harming the organization, or to use as a means to help improve his/her value to the next employer.

For the Arizona Endocrinology Center, they had to learn from patients that a former physician downloaded patient data and then contacted the patients to join the doctor at his new practice.

Many employees are properly authorized to access customer or patient data, so it can be difficult to detect data theft. However, IT departments can try to detect large exports of data, the creation of large files associated with database exports (.csv, .xls, etc.), large file transfers to cloud repositories (,, etc.), and copying large files to USB drives.

If a company is planning layoffs, or recently announced layoffs, the IT department should be on high alert for data exports. When employees have given notice that they plan to resign, it can be useful to look for signs of data exfiltration from 30-90 days prior to their resignation.

For employees who have been laid off or fired, it’s a good idea to immediately restrict data access to protect the company. However, such restrictions should be done in coordination with the HR department so that the access restrictions and the termination are as simultaneous as possible.

Unintentional Damage

However, not all data thefts are intentional or with malicious intent.

Marketing folk want to take sample projects for their portfolios, sales reps want to take contacts they made, and IT staff members may want to take helpful scripts they wrote to automate processes.

The company must take the initiative to clearly outline what constitutes proprietary company property. For example, in the marketing department, data could be organized as “public” or “proprietary” to clearly mark what can be shared or used in portfolios.

Unfortunately, most companies do not police their data and often have no clear delineation or rules for that data. While categorizing data can be burdensome, at a minimum, it must be done for the most sensitive and critical information for the organization.

Credentials can be another form of unintentional damage. Before an employee leaves, the company must double-check and ensure that the employee is not walking out the door with the only working credentials to the company’s Facebook page or account!

After departure, the IT department will need to quickly reset user credentials or disable them to prevent access to cloud and local resources. Even if the employee has no malicious intent, their unchanged credentials remain a backdoor to the system that could be exposed in a third-party breach.

Remote Complications

The rush to work from home due to the COVID-19 quarantine has only intensified the data control issues.

Many employees loaded data on unauthorized devices to take them home, while others copied data onto personal PCs. Some even sent information to themselves using personal email or file sharing services (DropBox, OneDrive, Google Drive, etc.).

Given the urgency of the pandemic, who can blame the employee? They are trying to do their best to continue working with the best resources available to them. However, managers now need to worry about how to manage data that has left their control.

Of course, for regulated companies, the consequences are more complicated. PsyGenics discovered that one of their employees forwarded a spreadsheet containing patient names, appointment times and other information to a personal email address. While an investigation revealed no malicious intent and no data leak was detected, the company was still forced to announce a HIPPA violation.

To make matters worse, if your organization needs to lay off a remote employee, the company may find it difficult to have company property (laptops, phones, etc.) returned – let alone ensure the employee deleted all of the employer’s data from their personal devices.

Reducing Data Theft During Layoffs & Terminations

Employees will retaliate if they’re treated unfairly or treated as thieves.

To counter this basic human nature, HR departments need to clearly outline IP rules and regulations. This should already be in the employee handbook so that a copy can be presented to the employee as a reminder at termination.

Additionally, employees should sign an IP security clause in their employment contract that outlines the security regulations. Then, when the employee leaves the company, they can be provided with a separation contract that reminds them of IP data policies, confidentiality clauses, and other company-protecting clauses. While asking nicely will not prevent all data leaks, it will help ethical employees from inadvertent violations.

Many companies cannot deploy the resources to continuously monitor employees and all of the possible avenues for data exfiltration. To protect against future issues, the IT department should make an effort to forensically image the user’s computers and phones. This not only creates a backup of the user’s data, it also provides a repository for the log files for the user’s recent activity should future investigations become required.

Extension & Assistance

Although this column has focused on the internal employee, these risks extend to the employee who leaves your customer or your vendor. Any organization needs to extend their monitoring to any touch points for a third party.

Did your customer lay off the person in purchasing with access to your ordering systems?

Did the primary artist with remote access to your OneDrive marketing folders at your design agency just quit?

Keep tabs of the changes so that you can update and delete credentials as needed to protect your IP.

During periods of transition, all employees will be under stress. Survivor’s guilt, disgruntlement, and plain-old burnout will affect an organization’s ability to keep up with basic functions – let alone devote extra vigilance for company data, PC forensic copies, and credential monitoring.

Ideal Integrations and Blue Bastion can provide short-term assistance, long-term services, and strategic planning to help organizations successfully navigate changes or simply help overworked IT teams catch a breath. Complete the form below today to see how we can help!

Request Your Consultation Today!

  • This field is for validation purposes and should be left unchanged.