In-house Lawyers: How to Manage Cyber Risks During Layoffs

Layoffs are an unfortunate reality in the business world. Throughout 2022, a perfect storm of factors — from inflation to supply chain disruptions to global conflicts — has pushed businesses to reduce operating expenses, often resulting in dramatic reductions in headcount.

In the U.S. tech sector alone, Crunchbase News reports that over 90,000 workers have been laid off through early December.[1] 

In addition to the negative effect on employees — both those laid off and those who remain — and on brand reputation, layoffs can expose vulnerabilities, opening companies up to cybersecurity risks and data breaches. This is true for every type of employee separation, whether voluntary or involuntary; however, in the case of large-scale layoffs, the risks are significantly multiplied.

An even greater challenge: In today’s post-COVID-19 largely remote or hybrid work environment, employees often have continued access to company hardware and software for days or weeks beyond their termination date. 

To mitigate these risks, in-house legal teams need to be proactive in their preparation and management of the employee separation process. Here are four important steps every in-house legal team can take to manage cybersecurity threats associated with separated employees and safeguard their company networks.

1. Create, standardize and review your employee off-boarding processes

As companies engage in layoffs, regardless of the cause, their in-house legal teams need to be prepared to manage the execution of separation agreements and support the company in managing cyber risks that arise when employees separate from a company. 

It’s critical that in-house legal teams pay attention to separation agreements and  employment contracts and perform a comprehensive review of the employee off-boarding  process from start to finish. When reviewing the off-boarding process, be sure to identify  any gaps that put the company at risk. Doing this is the only way to ensure the company is  minimizing its cybersecurity threats. 

In fact, legal’s role in reducing risks during off-boarding can begin as early as the on-boarding process. Organizations with comprehensive on-boarding procedures that are created with risk-reduction in mind will find it easier to reduce security risks throughout the employee life cycle, including the off-boarding process.

2. Have a comprehensive exit interview in place

Almost every company conducts exit interviews with departing employees. Often such exit interviews concentrate on collecting feedback and setting expectations around  compensation, health insurance and other fringe benefits. 

Exit interviews may or may not include discussions of expectations surrounding data security and properly ending access to internal systems. But, to leave these topics out of an exit interview would be an oversight that opens the company to cybersecurity risks. 

This is why it’s important for in-house legal teams to review the full process and give input on exit interview policies, ensuring each interview includes a review of company systems  and software the employee has access to, timelines for returning hardware and other  security considerations. 

Regardless of how well an organization documents and controls its employees’ access to information systems during the course of employment, the legal team should work with  their human resources and operations teams to ensure exit interviews address whether the  employee: 

  • Has access to applications, which ones and when access will end; 
  • Has access to or possession of any proprietary information such as customer lists,  code repositories or financial data; 
  • Must disclose passwords for any files or folders the employee may have encrypted; 
  • Must divulge whether any passwords or accounts were shared among multiple  employees or teams; 
  • Must document login credentials if they’re not controlled by an administrator; and 
  • Must review company policies on printing, emailing or retaining any company-owned  information and intellectual property. 

Knowing whether an employee exiting the organization has access to these assets is the  only way to keep your organization’s systems and networks from being compromised. By  not following up on such details during an exit interview, it’s possible to overlook something  important. 

3. Make sure your separation agreements cover data policies and intellectual property ownership

If you work in in-house legal, separation agreements come with the territory. Historically,  you may have been more concerned with terms related to severance packages, release of  claims by the employee, nondisclosure agreements, noncompete agreements and  non-solicitation agreements.

These days, it’s equally important to include terms about data privacy and security within  your separation agreements. This includes specifics on the separating employee’s  obligations to the organization’s information and systems security. This may include rules  about promptly returning company equipment, disclosing passwords for any protected files  or folders and no longer using any company assets. 

Employees need to understand the risks associated with company information they may  possess and how it affects data security and the safety of other employees and customers.  A former employee with unauthorized access to data and systems poses a major  cybersecurity risk — whether he has malicious intent or not. This is especially true in the  case of a recently laid-off, soon-to-be-separated employee. 

You can help reduce these risks by including your policies specifically within your separation  agreements and making sure each separated employee fully understands what they’ve  agreed to. 

4. Require and enable timely equipment returns and have a plan for noncompliance

A stray laptop or mobile device that’s still with a separated employee can be a major security risk, and not just for would-be bad actors. An employee who intends to return their  laptop eventually could wind up the victim of theft, potentially exposing the company’s  property and information to cybercriminals. 

This is why having a policy for the timely return of physical equipment is vital to reducing  security risks with off-boarded employees. But it’s not enough to just require devices to be returned as soon as possible. 

Your company can enable a prompt return of equipment by removing any barriers  employees face. Sending a prepaid return shipping box to an employee’s residence,  providing convenient drop-off hours and locations, and using a courier service to retrieve  the items are all ways companies can invest in reducing the risk of a former employee  holding on to company-owned property. 

These practices can help ensure the timely return of equipment, but if separated employees  still fail to return items — especially computers — the in-house legal team needs to be  prepared to support the recovery of the equipment. 

To do this, legal teams should: 

  • Understand who owns the equipment recovery process; 
  • Understand the timeline exited employees are given to return equipment;
  • Ensure coordination between teams so that legal is informed about past-due dates; and
  • Keep a current draft of a demand letter to be sent out, should it become necessary. 

This doesn’t mean organizations should rely on in-house legal teams as their first line of  defense for overdue equipment. The reality is that it’s always better to have a process in  place and be prepared to implement it when necessary. 

Legal teams play an important role in reducing cyber risk 

You might not think of cybersecurity as something that falls within the in-house legal team’s purview. The truth is, the legal team has a significant effect on managing the business’ risk  by helping to create and execute policies and procedures that safeguard against data  breaches. 

A 2020 report found that 30% of data breaches involved internal actors.[2] 

At a time when layoffs are increasing, the number of separated employees who could be  putting organizations at risk is also on the rise. Following these four steps is a great starting  point to make sure your business is less vulnerable to employee-initiated data security  incidents. 

Article originally posted December 2022 on Law360.


[2] report.pdf
