In “When Key Employees Quit: 5 Things You Must Do to Keep Control of Critical Data,” Michael Ciaramitaro and Sarah Brown, both of Inventus, point out the number one vulnerability for most companies: “Organizations today rely heavily upon technology and electronically stored information – and when employees leave, there’s always a risk that they’ll take some information or data with them when they go, either inadvertently or on purpose.”
Much of the information and data may not be valuable. It’s just knowledge of the details of how things are done, the way the company operates, a few tricks of the trade. You can’t stop people from learning, and you can’t stop people from using what they’ve learned, absent a strong non-disclosure agreement or non-competition clause. In a legal environment, confidential, sensitive, and proprietary information is another matter entirely.
In today’s world, as Ciaramitaro/Brown observe, “This poses organizational risks in terms of data privacy and security, intellectual property and competitive positioning, so it’s important for legal and compliance teams to identify risks associated with departing employees, and to adopt policies to safeguard valuable information.” And, we would add, this is especially true for unstructured data, i.e., data contained in MS Word documents and PDFs. And since all this information potentially resides in multiple online locations, the risks of non-containment are significant.
To deal with this unique and challenging modern-day problem, Ciaramitaro/Brown offer five tips on how to reduce data theft by exiting employees:
- “Assess the risk.” Or, stated differently, understand your data. Some tools and data are easily contained, while others are not. For legal professionals, understanding the difference between unstructured and structured data is critical. Structured data typically resides in database environments and is easily categorized and protected, while unstructured data lives in disparate locations in documents and may not have an easily recognizable pattern.
- “Collaborate with the internal IT team and external providers.” Identifying trusted advisors and suppliers to support your internal IT team will help you make a complete assessment of risk, develop a strategy, and recommend viable protections.
- “Devise a policy.” Listing devices, giving examples of what “confidential information from servers and portable devices…is permitted and listing chain-of-command for approving such transactions” – is crucial.
- “Policy Administration.” We wholeheartedly agree: this is where the ‘rubber meets the road.’ It’s one thing to have a policy, and much tougher to enforce and administer that policy. One of the best tools for administration is to implement a system that protects unstructured data by managing access, monitoring opens, and controlling the sharing of unstructured data, cradle-to-grave. There is simply no better way to protect sensitive unstructured data.
- “Defend Against IP and Data Theft with a Departing Employee Program.” No one wants to think they’ve been singled out, so a “consistent, thorough departing employee program designed to investigate departing employees and defend against data theft…” makes total sense. From the moment attorneys or staff members are hired, they should know about it. No one can leave with confidential client information. Period. So, protecting that information from day one makes total sense.
“The best-laid plans may not guarantee 100% compliance,” as Ciaramitaro/Brown aptly conclude, “and ne’er-do-well ex-employees may still succeed in removing confidential information,” but there is much that can be done to prevent it. By combining good practices with state-of-the-art encryption software, specifically software that allows Administrators to remove permissions and access to information once an employee leaves with it, law firms and legal departments can operate knowing their sensitive and protected data is just that…protected.