First and foremost, talk to the company's lawyers, because the rules are different from state to state.
Ideally, the former employee signed non-disclosure agreements, because those help demonstrate knowledge and intent. If not, the process is more or less the same, but the chances of winning a court case (if it comes to that) are not nearly as good.
That being said, litigation is expensive, so decide what the goals are in applying legal pressure to the former employee. Do the executives only want the employee to stop leaking data, or do they want to pursue civil or criminal charges?
If you are planning on going the litigation route, it is important to gather the data as systematically as possible. The rules for admissible evidence are both complex and arcane, so it's important to talk to the lawyers to ensure that the processes will hold up in court. When analyzing data of a potential leak, always work with a copy as opposed to the original. As soon as a leak has been isolated, stop the analysis and let the lawyers know. Then start tracking every step: If you hand off any portion of the data to anyone, track the chain of evidence so you can demonstrate as best as possible that the data has not been altered.
In my experience most companies just want the person to be quiet. If so, then it may only take a nasty formal letter from the legal department reminding him or her of the obligation to keep company secrets confidential along with a threat of civil and/or criminal charges. This is also an appropriate precursor should the final goal be civil suit. The company can generally charge him or her for contract violations around the non-disclosure agreement and any applicable non-compete agreements. Depending on where the company is located you may also be able to sue under the Uniform Trade Secrets Act.
If the goal is criminal charges, it will be a difficult process, but the company may have recourse under legislation such as the Economic Espionage Act of 1996. However, prosecution under that law requires that the company convince the U.S. Attorney's Office to pursue this course of action, which generally requires the ability to prove a large financial loss. Similar legislation may exist in the company's state, so talk to the lawyers to determine whether involving law enforcement is reasonable.
- Learn how to avoid DLP implementation pitfalls.
- Worried that a former employee may be leaking data? Learn how to find out in this expert response.
Dig Deeper on Information security laws, investigations and ethics
Judge to give verdict on Julian Assange’s extradition after Christmas
Former UC Global staff confirm Embassy surveillance operation against Julian Assange
WikiLeaks founder Julian Assange cannot be legally extradited for ‘political offences’, say lawyers
Assange extradition is a politically motivated ‘abuse of power’, court hears
Related Q&A from David Mortman
Learn when Social Security numbers can be used for patient identification without violating HIPAA patient confidentiality requirements. Continue Reading
When disaster strikes, will your enterprise be ready? In this security management expert response, David Mortman explains what questions to ask ... Continue Reading
Do U.S. passport numbers count as personally identifiable information? Learn more about guidelines for PII in this security management expert ... Continue Reading