4 steps to prevent data & IP theft by departing employees

Noel Kersh, Halen Phan

Theft of company data and intellectual property by departing employees can cost companies both money and time. Our team offers four steps to help stop IP theft before it starts.

Company data and intellectual property (IP) theft can be a major problem for companies – and unfortunately, it’s a problem that many companies respond to only after the theft has happened. If former employees are suspected, internal investigations into their computer activities before their last day will reveal the extent of the data theft. Should litigation be necessary to remedy the theft, one of the first questions the court will ask helps define IP: “How sensitive is the information you’re arguing about?” A company involved in litigation is required to show that the data taken is information known only to the company and that the company would be at a disadvantage in the marketplace if the information got out.

While threats like ransomware and phishing tend to be a larger focus for companies, one of the greatest threats for IP theft is departing employees. According to the Verizon 2023 Data Breach Investigations Report, external actors, including former employees, were responsible for 83% of data breaches between Nov. 1, 2021, and Oct. 31, 2022. When a market shift like the one currently happening leads to increased layoffs and downsizing across companies, the risk of company data and IP theft increases as well. But the threat of data theft is always present, which is why it’s important for companies to be proactive in protecting their data and IP. If a company does seek relief through litigation, the court will require it to demonstrate that it took appropriate steps to protect its data. These four steps can help companies understand how to prevent company data and IP theft by departing employees, no matter the industry or size.

1. Know what the company’s intellectual property is, where it lives, and who should have access.

For most companies, not every piece of data is considered intellectual property – so identifying which data is most sensitive helps in prioritizing what to protect. Companies should look at every piece of data and consider what might happen if it ended up in the hands of a competitor. If such a breach would be detrimental to the company, that data is worth protecting. Much of the company data that needs to be protected, including financial statements, client lists, and customer data, is easily identified. But companies also must consider who should have access to this data. For example, employees should not have access to data that is not part of their duties – even if the information is sales reports, client lists, or other data that seems like basic company information.

2. Determine the scope of protection that’s appropriate for the company.

For most businesses, not every piece of data is created equal, and data protection is not a one-size-fits-all endeavor. Depending on the size of the company, the industry, and any applicable regulations, one organization’s data protection plan might look very different from another’s. For a smaller company, security measures that require a large outlay of time or monetary resources might not be the right fit. Or it might be important to selectively implement more stringent security measures on specific data. Our team tells clients, “If you’re going to purchase an alarm for only one car, you’re going to protect the more expensive model.”

3. Determine the types of protections needed.

These are some of the most common data protection options:

  • Data security/companywide password policies. Every organization, regardless of size, industry, or amount of IP, should have rigorous password policies in place. Best practices include requiring regular password resets, setting parameters so that passwords are complex or not easily determined, and prohibiting shared passwords so that the company can identify exactly who is accessing data at any given time.
  • Email phishing protections/training. Having both internal phishing protections and required training to teach employees not to click on links in email is vital – it takes only one person to expose the entire company. Training should be part of the onboarding process and occur again during regularly required updates.
  • Multifactor authentication (MFA). With the evolution of technology over the past few years, MFA has moved from a fringe option to commonplace – in fact, it’s part of most online platforms (including social media and email). A good measuring stick for any security technology is that if online platforms are already using it, other organizations should follow suit (if they haven’t already).
  • USB restriction. This option is used most often in larger companies, as a policy restricting USB use can be difficult to implement. However, it can go a long way in preventing theft of company data and IP and works well alongside other security measures.
  • Data loss prevention (DLP) software platform. DLP software allows IT administrators to monitor what information is sent in and out of the company (including through USB devices). In addition to being highly effective at protecting IP, a DLP platform can help piece the puzzle together if a company does experience data theft. That said, it’s an extensive protection, so it’s usually sustainable only for larger organizations.
  • Access controls. Access controls allow IT administrators to restrict access to certain drives, devices, and data to identified individuals or teams. This simple step can protect IP and locate any issues.
  • Alerts. Along with access controls, IT administrators should set up alerts to notify them if anyone tries to access a restricted server or drive. Because of the time investment involved, alerts are most useful for larger companies, companies with significant investments in research and development, or companies with proprietary technology or products.
  • Exit interview strategy. When an employee leaves the company, human resources should conduct an exit interview that includes asking about data access – specifically PINs and passcodes on company cell phones, external storage devices used, and any hard copies that should be returned. Additionally, the human resources representative should remind the employee not to reset company phones or computers, identify any and all assets that were signed out and make sure they were returned, and coordinate with IT to restrict the employee’s access to company files and systems.

4. Have a trusted resource ready before things go sideways.

Companies don’t want to be looking for digital forensics specialists after an IP theft incident occurs. It is worthwhile to establish a relationship with a trusted team that knows the business before an issue arises. But it’s important to remember that not all firms are created equal. Companies should find a specialist that can review and consult on current procedures and policies as well as suggest ways to fortify the protections already in place. Because technology and the markets are constantly evolving, this should be a continual conversation, not a one-and-done event.

While this is not an exhaustive list of ways to protect data, it’s a great starting point for creating a comprehensive data protection plan. And the best time for an organization to start implementing these steps and policies is now – before an incident occurs.

Noel Kersh
Principal, Digital Forensics Leader
Halen Phan
Office Managing Principal, The Woodlands