Layoffs and let-gos are difficult enough for employers, but when a departing staffer takes things into his own hands, those difficulties can be compounded substantially. Jorge Rey discusses the consequences of failing to protect sensitive company data from the disgruntled, or simply opportunistic, outgoing employee.

In 2007, Lonnie Denison, a terminated employee from the California Independent System Operator (Cal-ISO) data center, the organization that manages California’s power, put the Western United States power grid at risk. When he found that his access to the network had been disabled, he went to the data center and shut down the power to the building simply by hitting the emergency “off” switch. In 2008, Terry Childs, a disgruntled computer engineer from the city of San Francisco, “hijacked” its multimillion-dollar network by creating a password that granted him exclusive access. In 2009 and 2010, due to the current economic climate, we will be seeing more disgruntled employees as corporations restructure and reduce personnel. This will likely increase the number of incidents that put companies at severe risk.

According to a Ponemon Institute survey released in 2009, 59 percent of employees who leave or are asked to leave steal data from their former employers. Companies that are restructuring should be aware that disgruntled employees may be leaving with sensitive and confidential data, destroying critical data, or conspiring against them. These acts can impact a company’s financial stability due to a potential data breach, and can create a competitive disadvantage through intellectual property loss. They can also increase the risk of litigation due to a failure to preserve electronically stored evidence.

The economic crisis has many employers busy with layoffs, restructuring departments, shifting priorities, reassigning workloads, processing departures, and collecting critical documents, computers, and electronic devices from their employees. However, most employers don’t anticipate a Lonnie Denison or a Terry Childs. If a disgruntled employee is on your termination list, it could severely impact your organization.

In today’s business environment, what can you do to protect your organization?

   1. Plan your terminations. Planning for terminations will minimize the risks. Preparation, documentation, and coordination between information technology, human resources, information security, and legal staff are required for an incident-free and successful termination.

   2. Review the employment contract, law, and current litigation. A number of legal considerations surround any termination. Check with counsel to understand the employment contract, its provisions, and the applicable laws to minimize lawsuits against your organization. For existing lawsuits, identify departing employees who might have data that may be subject to a legal hold. Compare the names of departing employees with those of employees subject to investigations, depositions, active litigation, and/or legal holds. If an employee is flagged, advise information technology staff and others so that the necessary preservation actions are taken.

   3. Check and follow policies and procedures. Once the organization has resolved to terminate, make sure to follow the human resources policies and procedures. Pay special attention to your information security and legal hold policies.

      The termination procedure should be designed to prevent and detect in a timely manner incidents or malicious intents that can compromise the organization’s security. Terminating a network engineer poses a different risk than terminating a director of operations. Therefore, procedures should be tailored to each situation to minimize risk. A well-thought-out termination procedure will provide guidelines to follow when an employee needs to be terminated.

      Make sure that those involved in the termination procedures understand the organization’s responsibility to preserve documents and electronically stored information subject to existing legal holds or potential litigation. Coordinate with managers and information technology staff to preserve relevant data until the legal hold has been released. Failure to preserve data that is subject to a litigation hold can result in penalties, which include evidentiary sanctions, adverse rulings, fines, and additional costs. Large layoffs increase the risk that IT staff, as part of the redistribution of electronic devices, will inadvertently re-format and/or destroy hard drives, wipe PDAs, or delete employees’ files and e-mail accounts that are subject to a legal hold. To minimize the probability of this event, remind everyone of the organization’s legal hold policies and procedures.

   4. Terminate access. Before the exit meeting starts, obtain a list of the employee’s access points (buildings, computer, third party, etc.). While the employee is in the exit meeting, disable his or her security code, badge, computer password, e-mail account, remote access, third-party access, or any other access points identified on your list.

   5. Exit meeting. During the exit meeting, secure all physical and electronic devices. Collect all keys, badge access cards, credit cards, cell phones, personal digital assistants, laptops, thumb drives, disks, manuals, documents, and other company property. Identify and collect any documents or data relevant to legal holds, and do so promptly to minimize the risk of sabotage or data loss. If needed, escort the employee off the premises as soon as all items have been collected.

   6. Let the people know. Be sure to communicate to relevant vendors or employees that the employee has been terminated so as to prevent him or her from trying to access the organization. Update contact lists and/or relevant internal and public material (e.g. Web site, phone directory). When data relevant to a litigation hold has been inherited, notify the new records custodians of their duty to preserve it.
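The six steps above describe one procedure: inventory the employee's access points, cross-check the legal-hold register, disable everything during the exit meeting, and wipe or preserve data depending on the hold. The following is an added example (not part of the article or the author's work) that turns that procedure into a small, data-driven offboarding plan plus the post-termination audit the article recommends; the employee names, access points and hold matter are all constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the article): each departing employee's
# access points (step 4) and a legal-hold register (step 2).
ACCESS_INVENTORY = {
    "jdoe": ["badge", "vpn", "email", "vendor-portal", "laptop"],
    "asmith": ["badge", "email", "laptop"],
}
LEGAL_HOLDS = {"jdoe": "hypothetical matter 2009-01"}
# Access points that also hold electronically stored information (ESI).
ESI_STORES = {"email", "laptop"}


@dataclass
class OffboardingPlan:
    employee: str
    on_hold: bool
    disable: list = field(default_factory=list)   # cut during the exit meeting
    preserve: list = field(default_factory=list)  # keep intact until hold released
    wipe: list = field(default_factory=list)      # safe to re-image or delete
    notify: list = field(default_factory=list)    # step 6 recipients


def build_plan(employee, inventory=ACCESS_INVENTORY, holds=LEGAL_HOLDS):
    """Turn the inventory into concrete actions: every access point is
    disabled, but ESI stores are wiped only when no legal hold applies."""
    if employee not in inventory:
        raise KeyError(f"no access inventory for {employee}; step 4 not done")
    plan = OffboardingPlan(employee, on_hold=employee in holds)
    for point in inventory[employee]:
        plan.disable.append(point)                # access is always disabled
        if point in ESI_STORES:
            (plan.preserve if plan.on_hold else plan.wipe).append(point)
    plan.notify = ["hr", "it", "reception"]
    if "vendor-portal" in inventory[employee]:
        plan.notify.append("vendor-contacts")     # third parties must know too
    if plan.on_hold:
        plan.notify += ["legal", "records-custodian"]  # duty to preserve
    return plan


def audit(plans, still_enabled):
    """Post-termination check (the article's yearly audit): return the
    access points a completed plan said to disable that remain active."""
    leftovers = {}
    for plan in plans:
        active = set(still_enabled.get(plan.employee, ())) & set(plan.disable)
        if active:
            leftovers[plan.employee] = sorted(active)
    return leftovers
```

Feeding `audit` the output of a real access review (what is still enabled in the directory, VPN and badge systems) is what turns the checklist into the verification the article calls for.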

Plan Ahead

Businesses that have experienced a significant breach by a former employee have typically formalized and implemented employee-termination procedures only after the fact. These procedures usually include detailed checklists and yearly audits to verify that the procedures for disabling employee access are effective. In today’s business climate, planning ahead, rather than amending policy after the fact, will help you protect your organization against unnecessary risks from a disgruntled or former employee.

Jorge Rey is a manager at Florida-based Kaufman, Rossin & Co., one of the top accounting firms in the Southeast region. He provides consulting services in IT Security, Information Management, and e-Discovery. He can be reached at

