The Perils of Ignoring Employee ‘Leaver’ Data in Regulated Industries

Everyone leaves an employer at some point. Better opportunities, reduction in workforce actions, termination, or management issues can all result in an employee departure. No matter the reason, everyone eventually leaves the company they work for.

In Europe, these people are referred to as “leavers,” and depending on the circumstances, more colorful names. However, the way a company handles these departing employees can mean the difference between business as usual or major customer satisfaction issues, project delays, higher e-discovery costs, compliance risks, and lower productivity.

When an employee is terminated or leaves on their own, the company’s HR organization (if present) usually pulls out a checklist of things to do before the employee departs. In many cases, the checklist does not address the most valuable employee asset … information.

Is Leaver Data Valuable?

At its base level, companies employ people to create, process, and utilize information. What happens to the gigabytes of data the employees create and store over their time at the company? True, much of that valuable data is stored on the employee’s laptop and nowadays in their OneDrive cloud account. But how long do those laptops sit around before they are re-imaged and re-tasked and how long does an ex-employee’s OneDrive account stay available?

Last year, I received a call from a panicked ex-coworker at a company that I had left a couple of years prior. The person was looking for the pricing/ROI calculator that I had developed more than a year ago. A large deal was dependent on the company producing a believable return on investment proposal using the calculator. I told the ex-coworker that it and all my content should be on my laptop and in my OneDrive account. Later that day, the same person called back and told me that the company’s standard process for departing employees’ laptops was to re-image the hard disk after 30 days and distribute it to incoming employees and, to reassign Office 365 licenses to new employees—causing my email and OneDrive data to be lost. The ROI model I had spent more than a month developing was gone forever.

Why don’t companies capture and archive valuable departing employee data?

If not managed as a valuable company asset, much if not all that employee data is, if not lost, extremely difficult to locate or impossible to find when needed.

Chaotic Data Management Makes Companies a Target

Another problem associated with ex-employee data is e-discovery.

Imagine that you are a general counsel at a 5,000-person company, and you receive an e-discovery request asking for all responsive data about a specific vendor contract between Feb. 4, 2009, and last month. Several ex-employees are named as targets of the discovery.

This is a common situation many companies face. The issue is this: When responding to discovery, you must look for potentially responsive data in all possible locations, unless you can prove that data could not exist. The legal bottom line is this: If you don’t know for sure that data doesn’t exist somewhere, then you must search for it, no matter the cost. Legal teams have become very adept at finding the opposing parties’ weaknesses, especially around data handling, and exploiting it to force them to spend more money—in the hope that they will settle early.

Another legal situation occurs when an ex-employee sues the company for wrongful termination (a common occurrence) many years later but within the local statute of limitations. Many general counsels want to review the ex-employee’s data to look for information to support their defense. In some cases, judges have ruled that laid-off employees should be treated as potential legal threats and therefore under the Federal Rules of Civil Procedure (FRCP) “anticipated litigation” rule, it is necessary to keep the data for at least the statute of limitations.

Time is Not Your Friend

An e-discovery response carries with it a time constraint. The time required to respond has caused many companies to spend huge amounts of money to bring in high-priced discovery consultants to ensure discovery is finished correctly and on time. Ex-employee data can dramatically lengthen the e-discovery process.

The Departure Process Should Include Technology

Even worthless data can be extremely valuable when you cannot find it—as with the example of my ROI spreadsheet. Most companies I have worked at were very good about having standard employee exit processes. But so far, I have never had an HR (or other) employee ask me specifically for all the locations my data could be residing.

Laptop and cell phone content are turned in and quickly re-imaged (losing all data), file shares with work files and PSTs are eventually cleaned up destroying data, and Office 365 accounts are closed disposing of all email and OneDrive data. Very quickly, all employee data (intellectual property and know-how) is lost.

All it takes to solve the problem of lost employee data is to first develop an exit process that ensures the company knows where all data is and protects it before they leave—and second, migrates all data to a central repository for long-term archiving and management. Many companies are finding that a low-cost “cool” cloud archive is the best and lowest-cost answer.

Just because an employee has departed does not mean their intellectual property also has to leave. Therefore, keep ex-employee information available for business use, litigation, and regulatory compliance well into the future.

How to Manage Inactive Mailboxes When Moving to Office 365

As companies move from Microsoft Exchange on-premise to Office 365, a potential challenge Exchange admins face is how to manage the numerous inactive mailboxes. To speed the adoption of Office 365, Microsoft currently allows their customers to designate inactive mailboxes in Office 365 at “no charge” meaning they do not require a license. However, migrating and setting up inactive mailboxes is a convoluted process that involves migrating the inactive mailbox to an active Office 365 mailbox and then designating it as inactive. As a result, the Office 365 license can be reassigned.

Utilizing an Azure-Based “Leaver” Archive

Another more sophisticated option is to migrate inactive mailboxes to Azure and manage the data with a compliant data archiving platform such as Archive2Azure. Archive2Azure leverages low-cost Azure storage tiers to store inactive mailboxes, PSTs, files, documents, and all forms of unstructured data. The data is held securely and managed with automated retention and disposition. It can be easily searched, and results can be exported for further e-discovery processing. Best of all, administrators can keep terabytes of data secure while offloading the burden from on-premise network storage.

For more articles like this, check out the Cyber Security Sourcebook here.