How to Handle Passwords When Key Employees Leave
Many companies worry about external threats to the business, installing alarm systems and cameras. However, one of the biggest threats doesn’t come from the outside, but from the inside. Consider for a moment all of the data you store that is vital to the running of your business, from financial records to customer contact information, and you’ll see why protecting this information is just as important as any burglar alarm you could install and one of the best ways to protect this information is to change passwords and IP access when employees leave your company.
According to a report by the data protection research company Ponemon Institute, about 67% of employees who leave a company or are fired steal company information.
Non-Disclosure Agreements Are a Good Start
Before you worry over passwords or changing information, you should already have a non-disclosure agreement in place and keep it updated regularly, according to David Christopher Baker, attorney and partner at Hart King Law in Santa Ana, CA.
“Employees must know that companies are serious about protecting their trade secrets, as well as other intellectual property, and that there are ramifications when those protections are violated,” says Baker.
He points out that if a company “suspects that a key employee has left and taken with them confidential information, such as client or customer lists, proprietary formulas, pricing guidelines, and the like, they should contact legal counsel who is likely to generate a “cease and desist” letter to the employee requesting that they (a) return any company property (even if it is in the form of electronic data), (b) refrain from using the company property or transferring it to someone else, such as a competitor or new employer, and (c) be advised that the company will take action of it discovers that company property has been misused.”
In fact, this is exactly how Terry Callihan, owner of C & H Heating and A/C in Flatwoods, KY, handles this issue. His “no compete contract” is signed by employees and states that they can’t “contact any customer C&H is doing business with or has been doing business with.”
Change Those Passwords STAT!
While it would be nice to have the opportunity to conduct an exit interview with every employee who leaves and remind them of the non-disclosure contract, some employees disappear with no warning whatsoever. If you know an employee is leaving, you have time to change passwords and update systems. However, when an employee leaves suddenly, or you have to let him go, you must change passwords at the first available opportunity
Micha “Mitch” Danzig is an attorney at Mintz Levin in San Diego, CA, where he specializes in Employment, Israel Business, and Intellection Property sections. In addition to suggesting companies conduct that exit interview whenever possible, some other steps include: “Eliminate the employee’s access to company accounts/email/computer system; change passcodes on all company systems, including access to the physical location and facility (if applicable); collect or disable access cards and/or change locks if former employee still has keys; and collect all company provided computers, smart phones, portable electronic storage devices from the employee and then have the devices forensically imaged by a professional before they are accessed by any other company employee (this will preserve any evidence that the company may need later in the event of disputes related to the employee’s employment or use of company IP).”
Callihan says, “It’s key to change passwords weekly. When you change the password, you help eliminate identity theft. It’s a major problem nowadays.”
You Have a Legal Obligation
Both attorneys referenced in this article mentioned that companies have a legal obligation to protect customers’ information when an employee leaves.
“The Uniform Trade Secrets Act (UTSA) mandates that in order for the court to find that the subject IP deserves trade secret protection that it be subject to reasonable efforts to ensure the continued confidentiality of the alleged trade secret. Failing to limit IP access to a former employee may lead a court to conclude that this element of the UTSA has not been met,” said Danzig.
Checklist of Passwords to Change
- Network passwords should be changed, so that the company network cannot be accessed remotely.
- Change workstation passwords as well.
- Change the passwords to every company e-mail account and deactivate that employee’s account.
- Deactivate the employee’s remote access account, if he has one, and collect devices as mentioned above.
- Remember to delete or reprogram voicemail and change the passwords to access that voicemail.
- If your company uses badge access, have your security company change access codes and remove the person from the system.
- Change passwords and PIN numbers to company credit cards and other accounts.
You must change every password the employee could possibly know, even that of a close co-worker. You should also notify clients the key employee worked with, let them know about the change and who the new person is they will be working with during the interim. The best thing to do is to have a plan in place before you even hire the employee. As Baker said, “The challenge is always that it may be too late to effectively protect trade secrets if a company waits until after a key employee leaves.”
BECOME AN ACCA MEMBER