Trade secrets and confidential information often form the lifeblood of a company. Despite considerable efforts a company might take to protect this vital information, it can be difficult to prevent a departing employee from taking this information with them—potentially to a competitor.
Twenty years ago, an employee trying to steal confidential information would have raised eyebrows as they packed and removed boxes of documents. Today, however, the same information can be exfiltrated on a memory card or flash drive that easily fits into a pocket, or by sending it out using email or a cloud storage service.
Unfortunately, companies frequently do not realize that confidential information was taken until weeks or even months after the employee departed. And by then, the evidence necessary to obtain a preliminary injunction to protect the information is often gone.
Below are some recommended steps that your company can take, as well as pitfalls to avoid, to prevent employees from walking out with your company’s trade secrets and confidential information, as well as to preserve evidence of any theft or misappropriation.
- Conduct an Exit Interview.
Use an exit interview as an opportunity to remind the departing employee of the employee’s continuing obligations to the company, including to keep certain company information confidential. Also remind the departing employee to return all confidential information (including copies), such as information residing on the employee’s personal computer, cell phone, email account, or digital storage device. You can request and attempt to watch the employee delete any company email account from the employee’s personal devices.
- Disable Employee Access.
You should disable employee access to company computer equipment and confidential information as soon as practicable after an employee informs the company that they are planning to depart. Do not forget to have your IT administrator disable remote server and email access. If you terminate an employee, you may want to be extra vigilant in disabling the employee’s access.
- Collect and Preserve the Employee’s Computer and Other Electronic Devices.
A former employee’s computer and electronic devices may contain evidence in the event of litigation. For example, if there becomes reason to believe that the employee may have taken trade secrets or confidential information, logs of file access, USB activity, email activity, and cloud storage access—which forensic examiners can frequently recover—can be invaluable to proving that the files were taken. However, this evidence can be destroyed or compromised when your company wipes the computer or reissues it to another employee.
To preserve this evidence, you can adopt as a standard practice unplugging and setting aside an employee’s computer and other electronic devices for a reasonable period of time following their departure before wiping or reissuing them.
- Collect, Preserve, and Review Server or Cloud Storage Log Files. Servers and cloud hosting services often keep logs of user activity, such as file access and download activity. For instance, users of Google’s G Suite are able to use the Drive Audit log to view a wide range of user actions. This log information, like the data on the former employee’s computer, can be vital evidence should litigation become necessary.Unfortunately, many systems only retain these log files for a short period of time so you can have your company’s IT administrator generate and save a copy of the server access logs whenever an employee departs. And you can review these logs to see if the departing employee had been engaging in any unusual activity—such as performing mass downloads—around the time of his or her departure.
- Preserve and Review the Employee’s Business Email Account.
As a precaution, it is prudent to make a backup of the departing employee’s business email account. You can also review the departing employee’s email activity from around the time of his or her departure to see whether they have emailed themselves any confidential information.
- Do NOT access personal email or social networking accounts.
Employers should never access an employee’s personal email, Facebook, or LinkedIn account—even if the employee’s computer is still logged in to the account, without first consulting an attorney. The Stored Communications Act, 17 U.S.C. § 2701 et seq., is aimed at preventing illegal access to hosted email, webmail, or messaging accounts (such as Facebook and LinkedIn) without the account holder’s authorization. While the Stored Communications Act has an exemption for authorized access, companies should first consult with an attorney before accessing any personal accounts. This is because the Stored Communications Act imposes civil and criminal liability on individuals and entities for exceeding the scope of an authorization.
- Consult with an attorney if you have reason to believe that the employee has retained any confidential information.