By Mitzi Hill, Taylor English
Planning for information security is now a routine part of any company’s normal operations. Although much of the counsel regarding cyber and information preparedness focuses on compliance objectives and on minimizing third-party liability, the plain truth is securing the confidential information held by your company is a big part of preserving your bottom line. For third-party service entities such as software or SaaS and managed service providers (MSPs), the incentive to protect confidential information may come both from self-interest and from the need to keep customer material secured.
Many articles focus on the nuts and bolts of IT security, but this article discusses an element of planning and security that is not commonly part of an IT-driven strategy: making sure departing employees do not take sensitive information with them when they leave. Achieving peace of mind in this regard takes a combination of resources, including legal, management/executive, HR, and IT. IT measures are of course a vital part of the process, and there are many tools available to enforce and monitor compliance with the suggestions below.
There are several low-tech steps any service provider can and should take when considering departing employees, whether those departures are voluntary or involuntary on the employee’s part. In each case, having these measures (1) enshrined in company policy and (2) audited for compliance is key to successful implementation. Onboarding and exit procedures are the ideal time to introduce, and follow up on, such policies with individual employees.
Helpful Policies And Agreements (“Policies”)
Below is a sample list of potential policies any company could put in place, singly or together, to help alert employees to their responsibilities regarding confidential information, whether it belongs to the company or the company’s customers, and to provide mechanisms for enforcement. In each case, state in writing that violation of the policy is punishable under company HR processes.
Confidentiality Policy/Agreement
A policy or agreement stating that all information to which the employee may have access during her employment (1) belongs to the company or the company’s customers, (2) is confidential, and (3) is only to be used as authorized in the performance of the employee’s duties while employed with the company. For MSPs, consider stating explicitly that the company prohibits use of third-party confidential information except as permitted by signed agreements between the company and the third party.
Computer Usage/Acceptable Use Policy
A policy stating that all equipment provided to the employee belongs to the company, that all activities conducted on that equipment are subject to monitoring by the company, and that all use of company equipment must comply with applicable law, company policies, and the confidentiality clauses of the company’s customer contracts. For companies that provide employees with credentials to company accounts such as suppliers, portals, and others, the policy should state that such access and credentials are subject to the policy and that the credentials may be used only during the course of employment, for authorized uses, by that employee. If any particular customer’s confidentiality terms are more robust than industry norms, they can and should be incorporated into this policy as well.
Personal Information Protection
A policy outlining the company’s commitment to data privacy principles and setting forth protocols for use and protection of employee, customer, and other personal information. Such a policy is particularly relevant to an MSP that handles personal information for its customers and may be required by local data protection law in international – and, increasingly, domestic – jurisdictions. Such a policy may also be part of an overall written information security program promulgated chiefly by the IT team.
Personal Device (BYOD) Policy
A policy allocating responsibility for maintenance and oversight of an employee’s personal device (phone, tablet) used to connect to the company’s network. This policy should give the company the right to examine the device, to remove data from it, to wipe company data remotely if the device is lost, and to require that the employee use a password or other protection.
Assignment of Intellectual Property/Work Made for Hire Agreement
A policy or agreement stating that all material and information generated by the employee in the course of employment is work made for hire and that the company is the author of such information and the holder of all rights in and to it.
Document Retention and Disposal Policy
A policy setting forth procedures for routine elimination of information that is not needed by the business and not subject to any legal retention requirement.
Taken together, the above Policies create norms regarding sensitive and confidential information – including customer information – and set forth behavioral expectations. They also announce that the company will take action for infractions. The framework the Policies create gives the company recourse if an employee misappropriates any information. By creating a “culture of confidentiality,” the Policies may also help deter casual misappropriation of information, or even theft by only marginally motivated bad actors. Finally, the Policies give the company a written record to point to for customers who inquire about training, policies, and procedures regarding confidentiality and information security.
Connecting Policies To Employment Milestones
All incoming employees should be required to review and acknowledge the company’s Policies in writing. The fact that the Policies are binding on every employee (including executives) should be made clear, as should the fact that violation of the Policies is punishable by company actions up to and including termination of employment. As employees are issued devices, or their personal devices are connected to the network, the company can ensure that set-up contains appropriate IT protocols to enforce rules and policies, and that such devices are tracked as part of an enterprise inventory of outstanding devices.
The above Policies create a handy checklist of items to go over when an employee leaves: has she turned in all her devices and keys/keycards? Have all accounts been disabled and credentials revoked? Are there any IP assignments she should sign before leaving? In addition, the employer can ask for a signed acknowledgement that the employee has not taken company or customer information electronically and that she has returned all physical media, including paper, hard drives, thumb drives, and the like. Finally, the company can remind the employee that she remains bound by confidentiality requirements.
There is no foolproof way to prevent employee information theft. A smart plan will incorporate the suggestions above, along with IT measures that, for example, prevent downloads or unencrypted transfers of information, or that automatically impose password requirements on certain material if it passes outside the company firewalls. But having a framework of rules and policies to govern expectations and behavior, along with IT tools that enforce accountability, can go a long way toward preventing or minimizing incidents of employee information theft.
About The Author
Mitzi Hill is a partner at Taylor English based in Atlanta where she focuses her practice on data security and privacy, entertainment and media matters, and technology licensing and development.