Multiple media outlets (see here and here, for example) have been covering an alarming report, jointly issued recently by the Ponemon Institute, an Arizona-based research group, and Symantec Corp., finding that data theft is common among departing employees. As reported in the Washington Post, the most significant finding of a joint survey of employees who left a job in 2008 was that almost 60% of ex-employees admitted to taking company data of one sort or another. The most commonly identified kinds of records taken were “email lists,” personnel records, customer information (including contact lists), and “non-financial business information” (which presumably can encompass technical information, strategic information, etc.).
Approximately two-thirds of those who admitted taking company information said they did so in order to assist with a new job. The report indicates that employees are stealing data in multiple ways. Most common (61%) is old-fashioned theft of paper documents or hard files, followed by downloading information onto a disc (53%), onto a USB memory stick (42%), and sending documents as attachments to personal emails (38%). Interestingly, comparatively few employees were taking information by stealing BlackBerrys and laptops. Another quite alarming finding is that approximately 25% of the employees indicated that they were able to access data on a company’s network even after they had departed.
If these findings are an accurate gauge of employees across a range of industries, they have far-reaching implications. I will put aside the obvious privacy and identity theft issues raised by such security lapses. (See this new blog for a comprehensive discussion of information security issues.) Companies are losing important, competitive information to employees who are taking such information because it may be valuable to a competitor. Yet, it is precisely in order to protect against such unfair competition that states have developed laws prohibiting theft of trade secrets and confidential information. For the same reason, most states permit enforcement of contractual covenants restricting certain post-employment conduct by departed employees.
So, what’s going on? As is surmised in the Washington Post article — and I can confirm seeing this repeatedly in my own practice — employees increasingly have a sense of personal “ownership” in the information they work with while employed. Many feel entitled to keep that information — particularly if it involves their own work product — after they leave. Coupled with the rapid evolution of technology in the workplace and employee mobility, the taking of valuable information as employees depart has become increasingly prevalent.
The response from employers worried about these trends should be better planning and increased vigilance. Many companies have a haphazard approach to protecting their IP, particularly as employees depart. They may do a good job of requiring new hires to sign standard agreements, but then fail to remind employees of their obligations as they leave or even to recover company data and equipment. And many companies fail to take even rudimentary steps to protect against theft of information by departing (and often disgruntled) employees. An employer that wishes to protect against the phenomena described in the Ponemon report would do well to develop an approach to protecting information and an exit process that lays the groundwork for the possibility of later enforcement of existing agreements and policies. If the company has suspicions about the outgoing employee’s conduct or intentions, immediate consideration should be given to investigating the employee’s computer-related activities prior to his or her departure. The fact is that most of the conduct described in the Ponemon report would have been detected by an employer that actually was looking for it.