In the U.S. tech sector alone, Crunchbase News reports that over 90,000 workers have been laid off through early December.[1]
In addition to the negative effect on employees — both those laid off and those who remain — and on brand reputation, layoffs can expose vulnerabilities, opening companies up to cybersecurity risks and data breaches. This is true for every type of employee separation, whether voluntary or involuntary; however, in the case of large-scale layoffs, the risks are significantly multiplied.
An even greater challenge: In today’s post-COVID-19 largely remote or hybrid work environment, employees often have continued access to company hardware and software for days or weeks beyond their termination date.
To mitigate these risks, in-house legal teams need to be proactive in their preparation and management of the employee separation process. Here are four important steps every in-house legal team can take to manage cybersecurity threats associated with separated employees and safeguard their company networks.
1. Create, standardize and review your employee off-boarding processes
As companies engage in layoffs, regardless of the cause, their in-house legal teams need to be prepared to manage the execution of separation agreements and support the company in managing cyber risks that arise when employees separate from a company.
It’s critical that in-house legal teams pay attention to separation agreements and employment contracts and perform a comprehensive review of the employee off-boarding process from start to finish. When reviewing the off-boarding process, be sure to identify any gaps that put the company at risk. Doing this is the only way to ensure the company is minimizing its cybersecurity threats.
In fact, legal’s role in reducing risks during off-boarding can begin as early as the on-boarding process. Organizations with comprehensive on-boarding procedures that are created with risk reduction in mind will find it easier to reduce security risks throughout the employee life cycle, including the off-boarding process.
2. Have a comprehensive exit interview in place
Almost every company conducts exit interviews with departing employees. Often such exit interviews concentrate on collecting feedback and setting expectations around compensation, health insurance and other fringe benefits.
Exit interviews may or may not include discussions of expectations surrounding data security and properly ending access to internal systems. But, to leave these topics out of an exit interview would be an oversight that opens the company to cybersecurity risks.
This is why it’s important for in-house legal teams to review the full process and give input on exit interview policies, ensuring each interview includes a review of company systems and software the employee has access to, timelines for returning hardware and other security considerations.
Regardless of how well an organization documents and controls its employees’ access to information systems during the course of employment, the legal team should work with their human resources and operations teams to ensure exit interviews address whether the employee:
- Has access to applications, which ones and when access will end;
- Has access to or possession of any proprietary information such as customer lists, code repositories or financial data;
- Must disclose passwords for any files or folders the employee may have encrypted;
- Must divulge whether any passwords or accounts were shared among multiple employees or teams;
- Must document login credentials if they’re not controlled by an administrator; and
- Must review company policies on printing, emailing or retaining any company-owned information and intellectual property.
Knowing whether an employee exiting the organization has access to these assets is the only way to keep your organization’s systems and networks from being compromised. By not following up on such details during an exit interview, it’s possible to overlook something important.
3. Make sure your separation agreements cover data policies and intellectual property ownership
If you work in in-house legal, separation agreements come with the territory. Historically, you may have been more concerned with terms related to severance packages, release of claims by the employee, nondisclosure agreements, noncompete agreements and non-solicitation agreements.
These days, it’s equally important to include terms about data privacy and security within your separation agreements. This includes specifics on the separating employee’s obligations to the organization’s information and systems security. This may include rules about promptly returning company equipment, disclosing passwords for any protected files or folders and no longer using any company assets.
Employees need to understand the risks associated with company information they may possess and how it affects data security and the safety of other employees and customers. A former employee with unauthorized access to data and systems poses a major cybersecurity risk — whether he has malicious intent or not. This is especially true in the case of a recently laid-off, soon-to-be-separated employee.
You can help reduce these risks by including your policies specifically within your separation agreements and making sure each separated employee fully understands what they’ve agreed to.
4. Require and enable timely equipment returns and have a plan for noncompliance
A stray laptop or mobile device that’s still with a separated employee can be a major security risk, and the threat is not limited to former employees with bad intentions. An employee who intends to return their laptop eventually could wind up the victim of theft, potentially exposing the company’s property and information to cybercriminals.
This is why having a policy for the timely return of physical equipment is vital to reducing security risks with off-boarded employees. But it’s not enough to just require devices to be returned as soon as possible.
Your company can enable a prompt return of equipment by removing any barriers employees face. Sending a prepaid return shipping box to an employee’s residence, providing convenient drop-off hours and locations, and using a courier service to retrieve the items are all ways companies can invest in reducing the risk of a former employee holding on to company-owned property.
These practices can help ensure the timely return of equipment, but if separated employees still fail to return items — especially computers — the in-house legal team needs to be prepared to support the recovery of the equipment.
To do this, legal teams should:
- Understand who owns the equipment recovery process;
- Understand the timeline exited employees are given to return equipment;
- Ensure coordination between teams so that legal is informed about past-due dates; and
- Keep a current draft of a demand letter to be sent out, should it become necessary.
This doesn’t mean organizations should rely on in-house legal teams as their first line of defense for overdue equipment. The reality is that it’s always better to have a process in place and be prepared to implement it when necessary.
Legal teams play an important role in reducing cyber risk
You might not think of cybersecurity as something that falls within the in-house legal team’s purview. The truth is, the legal team has a significant effect on managing the business’ risk by helping to create and execute policies and procedures that safeguard against data breaches.
A 2020 report found that 30% of data breaches involved internal actors.[2]
At a time when layoffs are increasing, the number of separated employees who could be putting organizations at risk is also on the rise. Following these four steps is a great starting point to make sure your business is less vulnerable to employee-initiated data security incidents.
Article originally posted December 2022 on Law360.
[1] https://news.crunchbase.com/startups/tech-layoffs-2022
[2] https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf