First and foremost, talk to the company's lawyers, because the rules are different from state to state.
Ideally, the former employee signed non-disclosure agreements, because those help demonstrate knowledge and intent. If not, the process is more or less the same, but the chances of winning a court case (if it comes to that) are not nearly as good.
That being said, litigation is expensive, so decide what the goals are in applying legal pressure to the former employee. Do the executives only want the employee to stop leaking data, or do they want to pursue civil or criminal charges?
If you are planning on going the litigation route, it is important to gather the data as systematically as possible. The rules for admissible evidence are both complex and arcane, so it's important to talk to the lawyers to ensure that the processes will hold up in court. When analyzing data of a potential leak, always work with a copy as opposed to the original. As soon as a leak has been isolated, stop the analysis and let the lawyers know. Then start tracking every step: If you hand off any portion of the data to anyone, track the chain of evidence so you can demonstrate as best as possible that the data has not been altered.
In my experience most companies just want the person to be quiet. If so, then it may only take a nasty formal letter from the legal department reminding him or her of the obligation to keep company secrets confidential along with a threat of civil and/or criminal charges. This is also an appropriate precursor should the final goal be civil suit. The company can generally charge him or her for contract violations around the non-disclosure agreement and any applicable non-compete agreements. Depending on where the company is located you may also be able to sue under the Uniform Trade Secrets Act.
If the goal is criminal charges, it will be a difficult process, but the company may have recourse under legislation such as the Economic Espionage Act of 1996. However, prosecution under that law requires that the company convince the U.S. Attorney's Office to pursue this course of action, which generally requires the ability to prove a large financial loss. Similar legislation may exist in the company's state, so talk to the lawyers to determine whether involving law enforcement is reasonable.
Dig Deeper on Information security laws, investigations and ethics
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ... Continue Reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security... Continue Reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.