How to prevent departing employees from taking your data with them Featured

8:01pm EDT April 30, 2011
How to prevent departing employees from taking your data with them

Here’s a sobering statistic: 70 percent of departing employees, whether they are leaving on their own or have been asked to leave, take confidential information from their employer with them. Not every one of those employees is acting with malicious intent, but that doesn’t reduce the danger to your company.

“Every company has unique ways of operating,” says Jonathan Theders, president of Clark-Theders Insurance Agency Inc. “When we think of trade secrets, we think of top-secret files, but it can just as easily be ways of doing business that are confidential.”

Smart Business spoke with Theders about how data theft can affect your company and how to prevent departing employees from taking your information with them.

What types of data are most commonly taken, and why?

Some of the most popular things that are taken are intellectual property, trade secrets and known company records. This includes prospect and customer contact lists. In studies, when they were asked why they took data, most believed they had a personal ownership of that data. They created it; it was their contact list, so they feel they have the right to it.

How can this harm a company?

Here’s an example. In 2009, The DuPont Co. filed a lawsuit for breach of contract for misappropriation of trade secrets. The company alleged a research scientist stole 600 files by copying them to a portable hard drive. More than 550 files were found on his home computer; DuPont valued that information at $400 million.

Think about the value your confidential documents and files would have to another company, for instance, if competitors knew how you do business, or came into possession of all of the data you keep on your clients, such as when their contracts are up for review and other things of that nature.

How do employees take data?

The nature of where data is today makes it easy. Employees can use CDs or DVDs, USB storage devices, or just e-mail information. The ease of access to and transmission of large documents is so easy.

One area that is being ignored is smart phones. More smart phones were sold in 2010 than PCs, the first time that has ever happened. If your iPhone has 32 GB of memory, that’s larger than many older computers and definitely large enough to store these confidential files.

Smart phones work as off-site computers; companies encouraging people to log in from home and working remotely is becoming more common. People don’t necessarily intend to be malicious, but 70 percent of home computers where people log in remotely have confidential information stored on them.

If you are working on something at home and you save it to your hard drive and upload the finished product, how often do you delete the document from your personal hard drive when you’re done? How many employers ask to see an employee’s personal computer to verify they don’t have confidential information stored there? It’s just not natural to ask those questions.

And it’s not only computer files; it can be paper documents too.

How else can employees unintentionally be sharing a company’s data?

LinkedIn and Facebook profiles can become virtual resumes, on which potential employers can seek out information to see if your employees are a fit for their company. Your employees may be unintentionally using proprietary information, such as department accomplishments, strategic plans, marketing strategies and results, to build their profiles. They are openly sharing these achievements, but at the same time, they could be disclosing to competitors how you do business.

This is tougher to avoid, because fewer companies have developed comprehensive procedures for how social media networks can and should be used by their employees.

How can companies protect themselves from theft of data by departing employees?

The main way is by developing and adhering to policy and through the use of technology. First, you have to realize this is a serious matter and that it really does pose a problem to the company. You have to be willing to devote resources to increasing your security and to outlining the critical issues in your business and focus on those first.

Tighten and/or limit access to data before a layoff or when someone is let go. As soon as people are let go, make sure there is a systematic way to shut down any access that those people had.

Then, look at separation agreements. When you hire people, do you have a statement of what the confidential information is? Do you have exit interviews? Employers should create a list of what employees can and can’t share: ‘Here is what we see as proprietary information. You signed this agreement, and here is a list of things we will and will not allow.’

If people want to commit a crime, whether or not you have a policy or procedure in place, they will find a way. But for the majority of people who take information without the intent of harming their former employer, reminding them of that agreement during the exit interview can stop them from taking your proprietary data.

You also have to have consequences in place. Management must understand the threat. If sharing information could be extremely detrimental to the company’s success, there have to be legitimate consequences. You have to be willing to step out there and tell the violators that they crossed the line, and either remove their access or let them go.

People have to know their violations will be enforced. If not, they will realize it is business as usual and no big deal.

Jonathan Theders, CRA, is president of Clark-Theders Insurance Agency Inc. Reach him at (513) 779-2800 or jtheders@ctia.com.