
How to create a policy to avoid disgruntled employee data leaks

When crafting a data security policy, take into account that disgruntled employees may leak data. Learn how to prevent employee data leakage, and how to handle data loss if it occurs.

We recently found out that a former employee has been leaking sensitive company data during the last few weeks. What's the best way to handle such a breach, and what legal recourse can we take against this person?

First and foremost, talk to the company's lawyers, because the rules are different from state to state.

Ideally, the former employee signed non-disclosure agreements, because those help demonstrate knowledge and intent. If not, the process is more or less the same, but the chances of winning a court case (if it comes to that) are not nearly as good.

That being said, litigation is expensive, so decide what the goals are in applying legal pressure to the former employee. Do the executives only want the employee to stop leaking data, or do they want to pursue civil or criminal charges?

If you are planning on going the litigation route, it is important to gather the data as systematically as possible. The rules for admissible evidence are both complex and arcane, so talk to the lawyers to ensure that your processes will hold up in court. When analyzing data from a potential leak, always work with a copy rather than the original. As soon as a leak has been isolated, stop the analysis and let the lawyers know. Then start tracking every step: if you hand off any portion of the data to anyone, track the chain of evidence so you can demonstrate, as best as possible, that the data has not been altered.
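The evidence-handling steps above (work on a copy, re-hash the original, record every hand-off) as an added Python example; it is not part of the original answer, and the file names, the `CustodyLog` helper and the sample export are constructed assumptions.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
def sha256_file(path: Path) -> str:
    """Hash in chunks so a large export or disk image need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def make_working_copy(original: Path, workdir: Path) -> Path:
    """Analysis happens on this copy; the original is only ever re-hashed."""
    copy = workdir / (original.name + ".working")
    shutil.copy2(original, copy)
    if sha256_file(copy) != sha256_file(original):
        raise RuntimeError("working copy does not match original")
    return copy

class CustodyLog:
    """Append-only chain-of-custody record for one evidence file (hypothetical helper)."""
    def __init__(self, evidence: Path):
        self.evidence = evidence
        self.entries = []

    def record(self, action: str, handler: str) -> dict:
        """Log who handled the evidence, when, and its hash at that moment."""
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
                 "handler": handler, "sha256": sha256_file(self.evidence)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:  # True only if every recorded hash still matches the file
        current = sha256_file(self.evidence)
        return bool(self.entries) and all(e["sha256"] == current for e in self.entries)

def demo() -> tuple:  # constructed walk-through: (intact before tampering, intact after)
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "export.bin"
    original.write_bytes(b"constructed sample export\n" * 100)  # stand-in evidence
    log = CustodyLog(original)
    log.record("acquired from file server", "IT security")
    copy = make_working_copy(original, workdir)
    log.record("working copy handed to analyst", "analyst")
    log.record("analysis stopped, handed to legal", "legal")
    ok_before = log.verify()
    original.write_bytes(b"someone edited the original")  # simulated alteration
    return ok_before, log.verify()
```

The analyst may annotate or carve the working copy freely; only the original's hash is compared against the log, so any later alteration of the original shows up as a failed verification.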

In my experience, most companies just want the person to be quiet. If so, it may only take a nasty formal letter from the legal department reminding him or her of the obligation to keep company secrets confidential, along with a threat of civil and/or criminal charges. This is also an appropriate precursor should the final goal be a civil suit. The company can generally charge him or her with contract violations around the non-disclosure agreement and any applicable non-compete agreements. Depending on where the company is located, you may also be able to sue under the Uniform Trade Secrets Act.

If the goal is criminal charges, it will be a difficult process, but the company may have recourse under legislation such as the Economic Espionage Act of 1996. However, prosecution under that law requires that the company convince the U.S. Attorney's Office to pursue this course of action, which generally requires the ability to prove a large financial loss. Similar legislation may exist in the company's state, so talk to the lawyers to determine whether involving law enforcement is reasonable.


This was last published in November 2008
