Data Protection: Five Challenges Facing the Enterprise HR Department
Given that a lot of IT professionals have far greater access to confidential company information than most other employees do, it can be especially disconcerting when one of those professionals leaves the company. According to James Pooley, an information security consultant and former Silicon Valley trial lawyer who represented clients in patent, trade secret and technology litigation, the potential loss of information assets is increasingly critical.
"For employers whose main capital base is intangibles like goodwill or know-how, the thought of losing employees who have access to information assets is an absolute nightmare," Pooley says. "After all, HR can get back a departing employee's keys and laptop—but they can do nothing to remove the valuable knowledge in his or her head."
Pooley is also the author of the new book, "Secrets: Managing Information Assets in the Age of Cyberespionage," and he's come up with a list of nine tips that can help employers minimize the inherent risk associated with a departing employee. I felt they were well worth sharing here:
- Realize that no one—not even your protégés—will stay forever. One mistake leaders often make is assuming that, because of either loyalty or gratitude, the employees they've trained and closely mentored will stick around indefinitely. But the truth is that all employees—even protégés—come and go. And if care isn't taken to prevent it, they can leave with sensitive information.
- Know what the law does—and doesn't—protect. The law protects only trade secrets, not employee skill or general knowledge. But what's the difference? The skill a worker acquires practicing her craft over time is hers to keep. The same thing may also apply to techniques and information she has learned over the course of her employment. However, if any of those techniques or pieces of information give her employer a competitive advantage, are not generally known, and are safeguarded to a reasonable degree by the company, they are likely to be considered trade secrets.
- Clearly convey your expectations to job seekers. Applicants probably aren't thinking much about trade secrets, but it's still a good idea to be clear about your expectation that they will not bring with them information that could get you in trouble. A pre-employment interview agreement that spells out what prospective employees can and can't use or disclose from their previous jobs is an indispensable precaution against inadvertent information theft.
- Proactively re-recruit your best knowledge workers. Of course, the best information retention strategy is also an employee retention strategy: Hold on to your key people whenever possible. Proactively incentivize them to stay with your company by ensuring that they remain happy, appreciated, and well compensated. Yet also keep in mind that money usually isn't the primary driver for loyalty.
- Take advantage of nondisclosure agreements. As their name suggests, these documents legally bind employees to not share certain information assets, often trade secrets. Employees are less likely to compromise confidential information when they know it's of such importance that the company has tied it to a document. Likewise, competitors are less likely to encourage new employees to divulge information acquired from previous employers if a nondisclosure agreement exists.
- Use noncompete agreements with care. Increasingly unpopular with judges, not to mention employees, noncompete agreements can be expensive to enforce, and sometimes backfire. The terms of this kind of agreement can range from compensating workers for not seeking employment with any competitor, to simply prohibiting competing for a certain period of time within a particular geographical area. This is in contrast to nondisclosure agreements, which allow ex-employees to continue working in the field so long as the confidentiality of their former employer's trade secrets is respected.
- Be sure to directly address the digital risk. While departing employees have always been able to take secrets with them, the chances of this happening have increased dramatically for many companies in the digital age. It's critical for employers to be aware of the particular risks posed by employee-owned devices, the cloud, file sharing, and more. Technical controls like MDM (mobile device management) and NBA (network behavior analysis) software help, but aren't sufficient on their own. The best way to mitigate the digital risk is good old-fashioned people management. In addition to the other tactics listed here, technology-specific training and messaging, as well as enforcement that's visible, will reduce problems.
- Take potential security breaches seriously. If you think one of your staff may have violated your confidence, don't hesitate to determine what trade secret information he regularly had access to, and whether there is any evidence of unauthorized access. Investigate whether the employee has exhibited any unusual behavior such as excessive copying, downloading, emailing, or erasing of records. If permitted by company policy and law, make a copy of the employee's hard drive. Review his files, emails, and telephone records to determine what, if any, company information has been disclosed outside and, if so, to whom. Only after gathering this information and consulting with legal counsel should you confront the employee.
- Never skip the exit interview. Even with voluntary departures, it's important to share your concerns and learn about the employee's plans. The potential for harm isn't limited to "stolen" data—simple misunderstandings can also lead to distracting, expensive litigation. If there is no reason to believe that the departing employee has any intent to breach company confidentiality, simply arrange a meeting to learn more about her decision to leave, and to reinforce your concerns and determination to protect the organization's interests.
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage.