Minimize The Risk of Data Loss From Departing Employees With These Simple Checklists
With the majority of employees currently working remotely, it is more important than ever that companies have controls and policies in place to ensure they control access to devices and eliminate the threat of data potentially being taken by employees leaving the company.
Whether it relates to possible future litigation, internal investigations, or complying with industry regulations, companies should have a plan or strategy to address the challenges of identifying, gathering, and accessing devices from a remote worker who decides to leave a company. This post focuses on several key points to bear in mind when creating policies or addressing data sources from a departing employee.
Here are a few best practices to follow when securing devices and data from departing employees:
- Review the asset registry/list for each departing employee to guarantee the transfer of all required devices (e.g., mobile devices, laptops, removable media, tablets, and loaner equipment).
- Match the serial number of each device against the company’s records to ensure the correct devices are returned.
- Inspect the condition of each device by powering them on.
- Avoid shipping devices to avoid the risk of an issue occurring in transit (e.g., damaged devices, lost packages).
- Store the devices in a secure location until they are ready for acquisition.
Mobile Device Checklist
Depending on your company’s policies and what is implemented, you may need to add these procedures to your separation protocols:
- Prior to their departure, remind employees not to factory reset a company-issued mobile device before it is returned.
- If an employee does not want to provide you with their passcode, request that they disable the “unlock screen” security feature or create a new default passcode to allow the company access.
- When the departing employee turns in their device, check immediately to ensure it was not factory reset to ensure that you have the required access.
- Review the account settings to determine the e-mail address (company or personal) used to register the device.
- Consider asking for the password or having the user reset it should you need to access mobile backups or cloud data.
- Where required (e.g., location governed by data privacy laws), have the user sign a consent form.
Depending on your company’s current policies, the following specific procedures may be helpful when departing employees return their computers:
- Ensure the device was not reformatted.
- Confirm encryption status and whether the company has the decryption key.
- For encryption enabled by the user, request a decryption key/password before departure.
- If you must recycle or circulate a computer back into rotation for company use, consider removing the hard drive of the employee of interest, correctly labeling the disc, and securely storing until the time of preservation.
- Take photos and note the computer serial number and other identifiers before recirculating.
Employee separations can be complex and sensitive at the best of times and the current virtual work environment has only increased the likelihood that you may encounter issues. The lists above are a good starting point for thinking about how data and device preservation intersect with your separation procedures. For a more thorough discussion of this topic, watch our webcast “How to minimize company risk during employee departures.”