Employee turnover is not just a human resources issue at most corporations. Using today’s technology, many employees create, produce and store communications and work product not just electronically, but in virtual environments. The gadgets and communication methods at our disposal result in corporate proprietary information ? even confidential data ? routing through e-mails, voice mails, and instant messages. And all of this data is no longer stored on corporate networks, rather, it is found on laptops and cell phones that may or may not belong to the employer. But all of this data belongs to the organization for which the individual is employed, so what does this mean for corporate IT departments when employees leave the company?
This article will discuss the different ways in which data that rightfully belongs to an employer is taken outside the company, and will offer some solutions to help reduce the risk of losing proprietary data as a result of employee departures.
The Revolving Door of Employees
Every organization faces losing key executive talent and other employees, whether through recruiting by other organizations, terminations, or people simply looking for new opportunities. These departures create gaps in continuity and potential liability for actions undertaken during their employment. These individuals also may leave behind information that can be critical in addressing current or future legal matters, or worse, they may take proprietary company information with them when they leave.
All organizations lose employees; this is a fact of life and reality in business. However, legal threats often exist when people leave organizations or are terminated. Some of the legal issues stemming from employee departure include violation of non-compete clauses, theft of intellectual property, compliance issues, as well as lawsuits from disgruntled employees. In today’s volatile economic climate, organizations are continually downsizing and restructuring their workforce. The proverbial revolving door of labor is spinning at a dizzying rate, leaving organizations vulnerable to information loss, theft of proprietary information, and gaps in continuity that can lead to legal liability.
Practical and Legal Concerns Stemming from Departing Employees
Most organizations require new employees to sign some form of nondisclosure and/or noncompetition agreement when taking a new job. This is designed to protect the investment that organizations make in training new workers and imparting knowledge about the specialized processes, tools, and strategies that help these organizations to operate and prosper in what are often intensely competitive markets. As employees leave organizations for a variety of reasons, (voluntary resignation, involuntary termination, downsizing of organization, acquisition by another entity, etc?) departing employees often challenge or refuse to abide by noncompetition agreements. Sometimes these claims are based on specialized skills within a particular niche industry that only offers a few viable places of employment, or in other cases an employee may have a long history of working in a particular geographic region even before accepting employment with the current organization. Whatever the reason, non-compete agreements are some of the most contentious issues facing organizations and their departing employees. States differ in their willingness to enforce these often standard contract clauses, but the fact remains that most workers do not want to strictly abide by the terms of non-compete clauses. How do organizations ensure that the information passed on to its employees including proprietary processes, strategies, customer lists, and the like avoid ending up in the hand of industry competitors?
As a general rule, organizations risk potential litigation anytime they terminate employees. Being fired or laid off can impact eligibility for unemployment benefits as well as future employment opportunities. Additionally, compliance issues may be implicated whenever an employee is a member of a protected group. How can organizations take advantage of the information they have on hand when terminating employees to ensure they avoid the legal snares of post-termination lawsuits and compliance challenges?
One of the key elements in determining an employee’s eligibility for unemployment benefits is whether the employee was terminated for cause. This could mean anything from poor performance, to inappropriate conduct in the workplace, to outright disciplinary issues such as tardiness or violation of organizational rules. Naturally, departing employees will want to demonstrate that a termination was NOT for cause, so organizations then face the burden of producing evidence to substantiate a termination for cause. This could mean e-mail records showing a former employee was using company e-mail to send threatening letters to an ex paramour, or was using company resources to make money for himself or herself on the side. Perhaps the former employee was viewing illicit materials on the Internet using a company computer or using the intellectual property of others without permission. All of these instances would support a termination for cause, and are the types of information that can easily be collected through analysis of a departed employee’s computer hard drive, electronic mailbox, desk phone, or personal digital assistant (PDA). Having the ability to produce this sort of information has a material impact on a former employee’s ability to receive unemployment benefits, and ultimately whether or not a departing employee would be motivated to file suit against an employer for damages to offset lost income.
Similarly, organizations will need to have demonstrable evidence to support a termination for cause, when the former employee is a member of a protected class or group. Classifications based on race, gender, ethnicity, age, religion, or national origin are prohibited under state and federal law, and employment law claims based on improper dismissal under the Civil Rights Act of 1964 and subsequent amendments represent an obstacle for organizations anytime they lay off or terminate an employee belonging to such a protected class. In order to overcome prima facie presumptions of disparate treatment by terminated employees, organizations will need to have records of these employees’ performance to document legitimate, nondiscriminatory reasons for their termination. This means supervisors will need to produce concrete evidence that the employee in question was producing substandard work product, failing to meet deadlines, unable to interact properly with others in the workplace, consistently tardy or absent from work, or violating some workplace rule in order to overcome a legal presumption of any unconstitutional purpose in dismissing the employee. Many organizations are fearful of terminating employees who fall into protected classes and end up keeping such personnel at extra cost to the organization simply out of fear of potential legal action if they were to let these people go.
Challenges of Mobile Employees
It is estimated that as much as 45 percent of the U.S. workforce is considered mobile, meaning those employees spend more than 50 percent of their time working away from a branch or office of their organization. Whether traveling for work, telecommuting, or even just typical sales activities that are performed away from an organization’s fixed office locations, this trend towards increasing employee mobility means organizations and managers have less control over the activities of their workers.
More people are working on laptops, meaning that workers are able to physically transport data outside the four walls of an organization, creating security challenges around the privacy of organizational information.
Organizations cannot monitor activity outside the office or when employees’ computers and devices are not connected to the company network. This creates a number of security challenges, including questions about what Web sites people are visiting and what data is being transferred to a flash drive or home computer. These issues create monitoring and oversight challenges for the IT department as well as the overall integrity of organizational data.
Some of the issues that organizations are facing around mobile employees are the need for additional security protocols, password protections, and virtual private networks (VPN) for people to access proprietary company information to limit potential loss of valuable information. By requiring additional password protection or VPN connections when working remotely, organizations can more closely monitor who is accessing company information, when they access it, and if confidential or proprietary information is traveling outside of company-protected channels. If an employee has to use a VPN to access company lists, he/she will be much less likely to copy these lists to portable USB drives or forward the information to third party e-mail accounts because an IT administrator can track the data trail back to that individual’s password-encrypted log-in via VPN.
Another challenge presented by mobile employees is the use of home computers for business purposes. In a time when work hours are extended for many employees as organizations focus more work in the hands of fewer employees, even individuals who would not be considered mobile employees are taking work home with them to do in the evenings. For many, it is easier to simply work on their personal home computers rather than transporting a company laptop back and forth each night. While this sort of work ethic is commendable, it does raise data security issues by allowing one’s personal computer to house and even store proprietary company information. If someone in marketing or accounting tries to get additional work done at home in the evenings, suddenly information on key clients, strategic initiatives, and even billing figures are now at risk. Perhaps the person’s home computer is not adequately protected by security measures such as a firewall or anti-spyware. Another risk is home users working off of a shared public Wi-Fi (wireless internet) connection that allows others to view the contents of data transmitted online. Whatever good intentions are behind this type of after-hours work, the results can be unplanned exposure of an organization’s confidential intellectual property to untold watchers. Much like the issue with mobile employees, the use of security protocols, VPN access, and additional password protections can help organizations track and monitor what information is flowing out from the organization, at what times of day, and even whether the connection being used for such transmissions is secure or vulnerable. Additionally, organizations concerned with the porting of data from the company to an individual’s private records can add clauses into employment contracts that either prohibit use of personal home computers that are outside of a company’s protected network, limit such use to VPN access, or provide for an organization to take a forensic image of the employee’s home computer when that person departs the organization. The latter measure creeps ever closer to infringing upon individual rights, but can become a matter for negotiation when new employees join the organization to limit the use of non-company resources to access and work with important company data outside of normal office hours or physical proximity to the company’s offices.
The Disgruntled Former Employee
In today’s highly litigious society, companies must be able to defend against potential lawsuits by former employees, particularly those leaving involuntarily. The determination that an employee is being terminated for cause can affect whether that individual is ultimately eligible for unemployment benefits. For someone facing the loss of regular income without a backup plan in place, this can represent a major life disruption. With such high stakes, it should come as no surprise that involuntarily terminated employees frequently seek retribution against their former employers, whether their claims are real, imagined, or simply a desperate grab for any additional compensation to counter-balance the loss of a regular paycheck. Regardless of the drivers behind them, these legal threats are real and require a response. The time and cost of internal investigations to address these legal threats can drain organizational resources and detract from the day-to-day business of the organization. Additionally, any information gathered must be available as potential evidence in a court of law, creating additional technical challenges and cost hurdles. Not only must organizations be able to produce data to defend against a former employee’s claims of wrongful termination, they must be able to document the authenticity of the information; in legal terms they must demonstrate an unbroken chain of custody.
While most organizations have IT departments that can capture information such as Web sites visited by employees on a company computer or phone calls made from one’s desk phone, the methodology for capturing this information does not necessarily comport with the legal requirements needed to introduce evidence in a court of law. IT departments need to recognize these challenges and consult with legal advisors, either within the organization’s corporate counsel department or an outside expert, to ensure that the process of capturing and storing information needed to address potential lawsuits by disgruntled former employees is accomplished in a legally sound manner that allows the information to be introduced as evidence in a courtroom if and when the time comes.
What Organizations Are Doing to Address These Concerns
One of the easiest steps for organizations to ensure the protection of proprietary information is to develop policies specifically addressing the challenges of having mobile employees in the organization. Companies are developing policies mandating secured connections (aka VPN) that allow the organizations to capture all activity in which mobile employees engage. Other measures include limiting access to certain systems for mobile employees, requiring special passwords, as well as e-mail monitoring to control the flow of information in and out of the organization.
A second methodology used by organizations is to use the exit interview process to reiterate non-compete agreements in contracts and remind departing employees of their confidentiality obligations that extend even beyond their term of employment with the host organization. This provides individuals with legal notice of their obligations and establishes the basis for pursuing individuals who may intentionally or unintentionally retain proprietary information that could be used outside of the organization after employment.
Another key step organizations are taking is preserving the contents of computer hard drives, as well as laptops for mobile employees and high risk departures. By doing this, companies are able to capture the data employees have created, any transfer of information outside the company (flash drives, external hard drives, private Web-based e-mail accounts, etc.), the Web sites they have visited, and any covert steps employees may have taken to cover up their actions by encoding or deleting information.
One important key in the preservation of equipment and information is that these collections must have legal chain of custody to ensure the information is admissible in a legal proceeding. Chain of custody is a legal term that essentially provides assurance that information is authentic and unaltered from the time it was captured to the point where it is presented in a court of law. Chain of custody refers to both a process for capturing information as well as the means by which the captured information is stored and protected from outside influence. Once information is collected from the drives or devices of departing employees, the equipment can be redeployed instead of being kept in a vault indefinitely. This makes for a more cost-effective and efficient use of company resources.
Value of Departing Employee Programs
Several benefits are gained from developing programs around departing employees, and these programs can go a long way towards isolating specific information and activities that are risk factors when individuals separate from organizations. Some of the key elements that can be discovered through formal departing employee programs include identifying any improper activity by departed employees such as: removing or deleting of files, whether data was copied off of a computer, which Internet sites were visited and what content may have been downloaded, and the use of company resources for personal reasons.
Additionally, a formal program of this sort will help organizations defend against compliance inquiries and wrongful termination suits by providing information that will demonstrate what activities did and did not take place.
Considerations in Imaging of Devices and Drives
IT departments within organizations can collect (aka “bag & tag”) computers, laptops, and hard drives and create an image of the contents, which allows the original device to be redeployed within the organization, saving money. The key in these collections is for companies to use forensic methodologies for capture and analysis of information to ensure they maintain the chain of custody. Forensics is the practice of using legally sound techniques for capture, storage, and analysis of information in a manner that is recognized by courts and legal authorities.
IT departments within an organization may have the capability to make a forensic image, which creates a legally admissible form of evidence; however, it may be harder to establish legal chain of custody and preservation of evidence when done internally. The challenge is that not all IT professionals are trained in the use of forensic imaging tools, and since companies only have one shot to collect original data, organizations may wish to bring in outside vendors or forensic investigators to handle the imaging of these devices.
Lawsuits require hard evidence to convince a judge or jury, and this information must conform to the rules of evidence. A forensically sound imaging process ensures preservation of evidence and proper chain of custody for use in a court of law, and organizations can then use forensic technology to establish cause for employee termination, and to prepare for potential future legal matters.
Conclusion
With a struggling global economy, the job market is becoming increasingly volatile, and employee departures are accelerating. How can organizations control increased employee turnover while still protecting information assets and preventing intellectual property theft? Even in the best of circumstances, losing key personnel within an organization leads to gaps in continuity that can come back to haunt. Just as an employer is responsible for the actions undertaken by now-former executives on behalf of the company, for example, so too are they bound by the obligations entered into (whether contractual or otherwise) of other departing employees. When litigation, regulatory, or compliance issues arise, company leaders must be aware of what obligations a now-departed executive may have committed the organization to, as the law recognizes that the entity is in fact liable for the actions of an individual acting within his/her role as a company representative. This means a company had better know or be able to know what it has gotten itself into, and be able to respond appropriately, even if the party who established the obligation is no longer associated with the organization.
Additionally, the increased mobility of contemporary workforces creates data security concerns, allowing for a wider flow of information outside the confines of an organization’s protected internal data network. Security protocols need to be established to limit access the proprietary organizational data and strategic plans to protect them from being exposed to the public or other unintended audiences. Creation of additional security protocols, password protection, and increased vigilance and monitoring of mobile employees can help protect organizations against the loss of critical data or intellectual property, while the use of network access rights and VPN log-in access allows organizations to more effectively track and isolate the flow of company data both internal and external to the company’s typical communication channels.
Employees who are released or otherwise terminated from organizations create a unique set of problems for their former employers, both from the standpoint of having to potentially justify denial of unemployment benefits as well as potential litigation by angry former employees who are desperate to recover lost income by claiming improper grounds for termination. In some cases, disgruntled former employees may even use their membership in a protected class to institute a civil-rights based claim to try and obtain additional monetary judgments against these organizations. An organization’s ability to defend itself from such claims is predicated on its ability to back up its valid reasons for cutting ties with an employee, and in some cases must present clear, tangible evidence to refute a prima facie showing of disparate treatment based on impermissible factors/characteristics.
In such cases, employers must be prepared to present legally admissible evidence of proper, nondiscriminatory reasons for a termination, which implicates the computer and other equipment of a potential claimant. Not only must organizations be prepared with such information, but they must be able to show a legally unaltered chain of custody to demonstrate authenticity of such evidence. The most effective means of accomplishing this is through the forensic imaging of the computers and other portable digital devices of departing employees. The forensic process allows expert technicians to preserve evidence in a manner legally acceptable under the Federal Rules of Civil Procedure as well as the Federal Rules of Evidence. Authentication and establishing an unbroken chain of custody for the data and devices of departing employee are an organization’s best weapons against lawsuits filed by disgruntled former employees.
Finally, having a formal program in place to address potential concerns around departing employees is simply smart business practice. Besides providing a solid defense against lawsuits from former employees, it is an excellent way for companies to proactively protect their information assets from accidental or intentional loss of confidential data and intellectual property. An organization’s ability to understand what data has flowed, from whom to whom, and when, will enable that organization to better capture and limit the escape of strategic plans, confidential information, trade secrets, and other forms of intellectual property. In this new digital age, the companies who are able to best control their own information, are the one most likely to distance themselves from the pack in their chosen industry.
Recent Comments