By Jorge Rey, CISA, CISM, CGEIT
Layoffs and let-gos are difficult enough for employers, but when a departing staffer takes things into his own hands, those difficulties can be compounded substantially. Jorge Rey discusses the consequences of failing to protect sensitive company data from the disgruntled, or simply opportunistic, outgoing employee.
In 2007, Lonnie Denison, a terminated employee from the California Independent System Operators (Cal-ISO) data center, the organization that manages California’s power, put the Western United States power grid at risk. When he found that his access to the network had been disabled, he went to the data center and shut down the power to the building simply by hitting the emergency “off” switch. In 2008, Terry Childs, a disgruntled computer engineer from the city of San Francisco, “hijacked” its multimillion-dollar network by creating a password that granted him exclusive access. In 2009 and 2010, given the current economic climate, we will be seeing more disgruntled employees as corporations restructure and reduce personnel. This will likely increase the number of incidents that put companies at severe risk.
According to a Ponemon Institute survey released in 2009, 59 percent of employees who leave or are asked to leave steal data from their former employers. Companies that are restructuring should be aware that disgruntled employees may be leaving with sensitive and confidential data, destroying critical data, or conspiring against them. These acts can impact a company’s financial stability due to a potential data breach, and can create a competitive disadvantage through intellectual property loss. They can also increase the risk of litigation due to a failure to preserve electronically stored evidence.
The economic crisis has many employers busy with layoffs, restructuring departments, shifting priorities, reassigning workloads, processing departures, and collecting critical documents, computers, and electronic devices from their employees. However, most employers don’t anticipate a Lonnie Denison or a Terry Childs. If a disgruntled employee is on your termination list, it could severely impact your organization.
In today’s business environment, what can you do to protect your organization?
1. Plan your terminations. Planning for terminations will minimize the risks. Preparation, documentation, and coordination among information technology, human resources, information security, and legal staff are required for an incident-free and successful termination.
2. Review the employment contract, law, and current litigation. A number of legal considerations surrounding the termination must be considered. Check with counsel to understand the employment contract, provisions, and different laws to minimize lawsuits against your organization. For existing lawsuits, identify departing employees who might have data that may be subject to a legal hold. Compare names of departing employees with employees subject to investigations, depositions, active litigation, and/or subject to legal holds. If an employee is flagged, advise information technology staff and others so the necessary actions are taken into consideration.
3. Check and follow policies and procedures. Once the organization has resolved to terminate, make sure to follow the human resources policies and procedures. Pay special attention to your information security and legal hold policies.
The termination procedure should be designed to prevent and detect in a timely manner incidents or malicious intents that can compromise the organization’s security. Terminating a network engineer poses a different risk than terminating a director of operations. Therefore, procedures should be tailored to each situation to minimize risk. A well-thought-out termination procedure will provide guidelines to follow when an employee needs to be terminated.
Make sure that those involved in the termination procedures understand the organization’s responsibility to preserve documents and electronically stored information subject to existing legal holds or potential litigation. Coordinate with managers and information technology staff to preserve relevant data until the legal hold has been released. Failure to preserve data that is subject to a litigation hold can result in penalties, which include evidentiary sanctions, adverse rulings, fines, and additional costs. Large layoffs increase the risk that IT staff, as part of the redistribution of electronic devices, will inadvertently re-format and/or destroy hard drives, wipe PDAs, or delete employees’ files and e-mail accounts that are subject to a legal hold. To minimize the probability of this event, remind everyone of the organization’s legal hold policies and procedures.
4. Terminate access. Before the exit meeting starts, obtain a list of the employee’s access points (buildings, computer, third party, etc.). While the employee is in the exit meeting, disable his or her security code, badge, computer password, e-mail account, remote access, third-party access, or any other access points identified on your list.
5. Exit meeting. During the exit meeting, secure all physical and electronic devices. Collect all keys, badge access cards, credit cards, cell phones, personal digital assistants, laptops, thumb drives, disks, manuals, documents, and other company property. Identify any documents or data relevant to legal holds, and secure them to minimize the risk of sabotage or data loss. If needed, escort the employee off the premises as soon as all items have been collected.
6. Let the people know. Be sure to communicate to relevant vendors or employees that the employee has been terminated so as to prevent him or her from trying to access the organization. Update contact lists and/or relevant internal and public material (e.g. Web site, phone directory). When data relevant to a litigation hold has been inherited, notify the new records custodians of their duty to preserve it.
Businesses that have experienced a significant breach by a former employee have formalized and implemented employee-termination procedures, after the fact. These procedures typically include detailed checklists and yearly audits to verify that procedures for disabling employee access are effective. In today’s business climate, planning ahead, rather than amending policy after the fact, will help you protect your organization against unnecessary risks from a disgruntled or former employee.
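Step 4 above calls for a list of the departing employee’s access points before the exit meeting, and the yearly audit described here verifies that access was actually disabled. The following added example (not from the article or its author) shows one way to produce both: it reconciles an HR termination feed against account snapshots from each access system and flags any account of a terminated employee that is still enabled, marking separately those used after the termination date. The employee ids, system names (`ad`, `vpn`, `badge`, `vendor-portal`) and dates are constructed sample data, and the two feeds are assumed to be exported from HR and the respective systems.

```python
"""Added example: reconcile an HR termination list against account snapshots
from each access system, producing (a) the pre-exit revocation checklist and
(b) the audit finding list of access that should have been disabled but was not.
All employee ids, systems and dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str                 # access point, e.g. "ad", "vpn", "badge", "vendor-portal"
    owner: str                  # employee id from HR
    enabled: bool               # is the account / badge still active?
    last_login: Optional[date]  # None if the system does not record use


# Constructed HR feed: employee id -> termination date
TERMINATED: Dict[str, date] = {
    "e1001": date(2009, 3, 31),
    "e1002": date(2009, 4, 15),
}

# Constructed snapshot exported from each access system
ACCOUNTS: List[Account] = [
    Account("ad", "e1001", False, date(2009, 3, 31)),   # correctly disabled
    Account("vpn", "e1001", True, date(2009, 4, 2)),    # still enabled and used after termination
    Account("badge", "e1001", True, None),              # badge never deactivated
    Account("ad", "e1002", True, date(2009, 4, 14)),    # still enabled, no use after termination
    Account("vendor-portal", "e1002", True, None),      # third-party access never revoked
    Account("ad", "e2000", True, date(2009, 4, 20)),    # current employee, not in scope
]


def revocation_checklist(employee_id: str, accounts: List[Account]) -> List[str]:
    """Step 4: every system in which the employee holds an account, to be disabled
    while the exit meeting is in progress."""
    return sorted({a.system for a in accounts if a.owner == employee_id})


def orphaned_access(terminated: Dict[str, date],
                    accounts: List[Account]) -> List[Tuple[str, str, bool]]:
    """Yearly audit: accounts of terminated employees that are still enabled.
    Each finding is (employee id, system, used_after_termination); use after
    the termination date is the highest-priority finding."""
    findings = []
    for acct in accounts:
        term_date = terminated.get(acct.owner)
        if term_date is None or not acct.enabled:
            continue  # current employee, or access already revoked
        used_after = acct.last_login is not None and acct.last_login > term_date
        findings.append((acct.owner, acct.system, used_after))
    return sorted(findings)


if __name__ == "__main__":
    print("Pre-exit checklist for e1001:", revocation_checklist("e1001", ACCOUNTS))
    for owner, system, used_after in orphaned_access(TERMINATED, ACCOUNTS):
        flag = "USED AFTER TERMINATION" if used_after else "still enabled"
        print(f"{owner:6} {system:14} {flag}")
```

The checklist is built from the same account snapshots the audit uses, so a system that is missing from the snapshot feed (a vendor portal that nobody exports, for instance) will be missing from both; keeping that feed complete is the real work behind the checklist.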
Jorge Rey is a manager at Florida-based Kaufman, Rossin & Co., one of the top accounting firms in the Southeast region. He provides consulting services in IT Security, Information Management, and e-Discovery. He can be reached at email@example.com.