[Webcast Transcript] From the Enterprise to Individuals: Are You Mitigating Departing Employee Risk?

Editor’s Note: On December 3, 2020, HaystackID shared an educational webcast designed to inform and update legal and data discovery professionals on considerations and approaches that can help organizations proactively and reactively mitigate departing employee risk in six critical areas of risk. While the full recorded presentation is available for on-demand viewing via the HaystackID website, provided below is a transcript of the presentation as well as a PDF version of the accompanying slides for your review and use.

From the Enterprise to Individuals: Are You Mitigating Departing Employee Risk?

As harsh as it sounds, every departing employee poses a risk to your business if the transition is not correctly managed and documented. This risk ranges from inadvertent access to sensitive company information as basic as internal organizational charts to deliberate efforts to acquire and use economically essential customer lists and contracts for competitive advantage.

In this presentation, expert investigation and eDiscovery panelists will share considerations and highlight approaches that can help organizations proactively and reactively mitigate departing employee risk in six critical areas of risk.

Webcast Areas of Focus

+ Access to Regulated Data (PII)
+ Competitive Analysis Compromise
+ Intellectual Property Loss
+ Loss of Data Subject to Legal Hold
+ Proprietary Information Access
+ Trade Secret Misappropriation

Presenting Experts

+ John Wilson, ACE, AME, CBE – As CISO and President of Forensics at HaystackID, John is a certified forensic examiner, licensed private investigator, and IT veteran with more than two decades of experience.

+ Michael Sarlo, EnCE, CBE, CCLO, RCA, CCPA – Michael is a Partner and Senior EVP of eDiscovery and Digital Forensics for HaystackID.

+ Sergio Garcia Jr., RCA, NCE, NeDC, AME, CBE, CMO – As VP or Forensics at HaystackID, Sergio is an eDiscovery veteran with 19 years of experience in working directly with corporations and AmLaw 200 firms across the full EDRM spectrum.

Presentation Transcript


Hello and I hope you’re having a great eDiscovery Day. My name is Rob Robinson. On behalf of the entire team at HaystackID, I’d to thank you for attending today’s webcast titled From the Enterprise to Individuals: Are You Mitigating Departing Employee Risk?

Today’s webcast is part of HaystackID’s monthly series of educational presentations, and it’s also highlighted today as part of the industry eDiscovery Day events coordinated by Exterro. Our expert presenters for today’s webcast include three of the industry’s foremost subject matter experts and authorities on computer forensics, cybersecurity, investigations, and eDiscovery.

The first introduction I’d to make is that of Michael Sarlo, our presentation leader and moderator for today’s webcast. Michael is a Partner and Senior Executive Vice President of eDiscovery and Forensics at HaystackID, and in this role, Michael facilitates all operations related to electronic discovery, digital forensics, and litigation strategy, both in the US and abroad.

Our second presenter today is digital forensics and cybersecurity expert, John Wilson. As Chief Information Security Officer and President of Forensics at HaystackID, John is a certified forensic examiner, licensed private investigator, and information technology veteran with more than two decades of experience working with the US government and both public and private companies.

Last, but certainly not least, I’d to introduce Sergio Garcia. As Vice President of Forensics at HaystackID, Sergio is an eDiscovery veteran with 19 years of experience working directly with corporations and AMLAW 200 firms across the entire EDRM spectrum.

Today’s presentation will be recorded for future viewing and a copy of the presentation materials will be available for all attendees, and you can access these materials directly beneath the presentation viewing window on your screen by selecting the attachments tab on the far left of the toolbar beneath the viewing window. Also, the recorded webcast will be available for viewing directly from the HaystackID website and from the BrightTALK network after completion of today’s live presentation, and a full transcript will be available via the HaystackID blog beginning early next week.

And at this time, I’d to turn the mic over to our presenters for their comments, considerations, and expertise on mitigating departing employee risk.

Good afternoon, gentlemen.

Michael Sarlo

Thanks so much, Rob, and thanks everybody on the line for joining and I know people are trickling in. This is Mike Sarlo speaking from HaystackID. As Rob mentioned, today’s presentation is on departing employees and risks associated with these types of events, and we’re going to start off with the agenda here, which is really, we’re going to set the stage, right? So, in civil litigation, the majority of work we do in digital forensics on the investigation side oftentimes is fraud related, or there’s a theft of trade secrets issue, be it a client list, or some type of IP, some source code. We’re going to set the stage here as far as why this is important to understand what a trade secret is, and look at some stats. We’re then going to get in over to just what do you do when one of these pops up, because the way they pop up is usually pretty fast and moving. If a corporation is not well prepared for an employee leaving, if they’ve gone to a competitor, they’ve noticed that some files were accessed, things have been deleted, what are those first steps that you take?

The next piece here is going to be really more on purposeful investigation. We don’t just look at everything. We like to build an investigation plan and execute on that based on the issues at hand and what are the best outcomes that our clients are looking for that are reasonable, then we’ll get into the protective measures that an organization can take to mitigate these and other types of events that really revolve around exfiltration of data, talk a little bit about why you should use HaystackID for this work, and then we’ll just close it out at that point.

So, this is a great first slide here, which is time going from 1975 to 2015, and this is an older stat, but I like this because it’s a stat, and you can’t find stats for this stuff that easily. But over time, many years ago, the assets and the tangible valuable assets that made up, really, the value that the companies on the S&P 500, and their intellectual property, and really what the means of production relate to, there are tangible assets, and as you can see, as the technology revolution began, the majority of companies that exist on the S&P 500, their assets are intangible. There’s things like source code, the proprietary formulas, there are a lot of things that can be easily taken from a computer system. You can’t go in and take out a big piece of equipment from a car manufacturer, but you can certainly go in and take the source code that basically will make their production go faster. So, these are the things that we’re focused on here, and why this is important.

Clicking forward here, and really, when we want to define a trade secret, this is very important. There’s really two key elements, and it’s really, a trade secret is something that an organization has taken reasonable efforts to keep secret, and has some type of economic value from not being generally known, and really, this is very important, actually, even that first point, is that – and this happens a lot in startups. Everybody has their own laptop, it’s bring your own device, but the source code, everybody is working on it, and we get involved in matters where somebody has left an organization and an engineer or scientist, they go to start a competing company, and a common argument we see on the defendant’s side in these cases is that the information wasn’t reasonably protected, and therefore it wasn’t a trade secret. I’ve seen this go different ways, in different venues, be it California, or the Boston area or Denver, these big tech hubs, Austin. The courts handle this differently. In some situations, it’s really a weak argument and in other situations, it’s been prime and center for some very large cases that we’ve done in this thing that really turned on this. So, really the extent the information is known outside the company, the extent the information is known inside the company, what measures have you taken to protect the secrecy, what’s the value of information to my competitors? I mean, that’s really what defines value in these cases. And then time, money, effort, and how difficult it would be to duplicate something, really are the measuring mechanisms for the strengths of calling something a trade secret, so to speak.

John Wilson

And this is John Wilson, and you also have the possibilities of… it applies to the specific organization, so the search algorithm as to how you find documents on an internal server may or may not be considered a trade secret, but if you’re talking about the search algorithm for Google, and how they drive all of their revenue, and that could be seen in a wholly different light. So, context is important as well to ensure that you have a valid trade secret.

Michael Sarlo

Thanks, John, I totally agree, and context is very important here, and also just how valuable that tech is in relation to competitors, unlike tech that could be on the open market. We’ve seen situations where private companies had some type of proprietary tech that they considered a trade secret, but out in the open marketplace, maybe an open-source world, there were other technologies that had incorporated similar types of features, but had delivered at scale much more, and in that situation, not so much of a trade secret. So, things are valuable for a certain amount of time, typically, when it just comes to technology and innovation.

What’s really interesting here, too, and this is from the Ponemon Institute. It’s crazy, right? So, A, there’s usually two culprits of data, of any type of exfiltration of data or a theft of trade secrets. There’s data breaches, which are becoming more and more and more common. They say all companies have got a 30% chance of having a data breach if you’re above a certain size and scale in the next two years. That’s frightening. And then there’s also people who leave your company, be it if they’re terminated. We’ll go over all those reasons. But these are some really striking stats. 50% of departing employees keep confidential company data when they leave an organization. 40% of those departing employees plan to use confidential information in their new job. And 44% of employees believe a software developer who develops source code has some ownership in the work. So, there’s really a lot of misalignment here when you have key players and even sometimes non-key players leaving a company with what they think they can take, usually you shouldn’t be taking anything. So, really important to just keep things in context here. This type of exfiltration can happen at any size company.

And so, when this pops up, and usually there’s various ways that this comes into play where we get engaged. Oftentimes, it can be a panic situation, depending on the enterprise and we’re usually – to get kind of ahead of it, we want to know how did the employees leave. That’s kind of the first question. Were they terminated? Did they know it was coming? Did they do something where they were harassing employees? Have they resigned? That can be a red flag if it’s early. What are the circumstances? Did they resign and tell you they’re going to a competitor? Did you find out they’re going to a competitor for some other reason. These are always red flags in some situations. Sometimes they are benign, and we have methods to figure out if smoke is actually fire. That’s kind of what we’ll start talking about next.

And then, certainly, just to be aware of, in general, employees changing roles. These are, really, something that a lot of organizations don’t capture properly. they maintain access to old network shares or IP, it’s no longer a function of their job role, or client data that’s no longer a function of their job role. They may be under a legal hold in a certain piece of an organization, in a business unit, maybe the whole business unit and they get moved over to a new business unit and they fall out of a legal hold. Really important to think about this when employees move within an organization.

Likewise, employees who retire, especially if they’re a key player. They’re a scientist, they’ve been there for many, many years. there’s just so much to consider prior legal hold, ongoing legal hold. And just all the data that they could have, especially when you have an employee that transcended doing their work in their job role from the paper world into the digital world. We often see notebooks from the 90s and things like that that are mission critical in some of these theft of trade secrets cases as well. And so, really important there to get a good track and handle on how you’re going to manage that as employees are leaving, making sure you get everything, but also long-term, how are you staying in connection with them and what are their obligations to support the company in the event of any type of litigation downstream, after their retirement.

So, really the first step to understand, the triage step here is that electronic evidence is very ephemeral in nature, meaning the further out we get from an event, it starts to rot and wither off of the vine, so to speak, and its value can become more and more useless just due to the way that computer systems function. They start to overwrite things, logs start to get updated and overwritten. You restart something, you may lose something. So, it’s really important to get a hold of preservation early on in any type of departed employee situation, where you suspect foul play or even when you don’t suspect foul play. Key players, key employees, having a good program that just kind of covers this as employees leave an organization for any reason is the best way to mitigate this. Don’t go it alone with in-house IT if you don’t have a strong program already in place for this between your InfoSec team, cyber teams, your HR teams, and your in-house legal teams. This is where we see a lot of issues and there’s quick to spoil data. Resist the temptation to look on your own.

Really, here is where bringing in experts are critical early on, because… and it’s really two things. You need a really good outside counsel that’s tactical as it relates to these types of employment events. Some folks do these turn-and-burn. They’re very good at them. They get some evidence, they send a TRO, they send a nastygram, it’s over. Others maybe will try to turn these into larger cases where they don’t need to be. Sometimes we see things right away, like a physician so to speak, we’re able to tell if this is simple indigestion or you have heart failure based on, really, a first level triage of a computer system. It’s always the same things you see, a USB was plugged in, hey, they were forwarding documents, oh, there was mass deletions, which is something to also think about. It’s not just about theft of trade secrets. It can also be around just bad actors who are doing things on their way out to put the company in a less competitive situation, or to cover their tracks, insomuch as if they did steal data. Usually, we can recover that stuff and it’s usually they’re dead to rights, and that’s the easy things to see.

So, really important to engage specialized computer forensics and outside counsel early on in any of these matters. You’ll have reduced spend. Really, when I say reduced spend, it’s also about setting the stage for what the definitions of a “win” are early. If I’m a plaintiff here and I’ve got a sales guy who delisted Salesforce and went to a competitor all in the same week, what I really probably want is, great, I probably don’t want them working there. It’s probably actually more difficult than it sounds, but I want to make sure they don’t touch our key clients, the clients I know that that person had. Likewise, from a defendant’s perspective, you want closure here, because you don’t want hanging chads that these can come back, and you want to be able to clearly define the bounds of where maybe somebody can operate. These get very messy when critical intellectual property is taken and it started to, basically, move from one organization to the other. These are when these become – they can become very expensive. They can turn to large legal matters, depending on the size and scale of the company, if there’s substantial misappropriation.

So, it’s really important to set these up upfront, because you don’t need that much to support a TRO. You see somebody copying critical information, you can see that, because we just see it, it was accessed. We may not have a flash drive, which you can’t actually see if something was truly copied, unless you have both endpoints, but you can see it inter-accessed and something was plugged in, you know you don’t have that device. You may just be in a situation where you’ve gone embed to rights early on, where a judge is going to really go ahead and give you that restraining order and/or they’re going to get fired from that job, because a lot of companies don’t want to actually deal with this when they get caught or even if they don’t tell employees to bring stuff, they still do and then it can turn into a really nightmarish situation.

So, we handle these cases on both sides of the aisle all the time, and it can sometimes be muddy. These are people who sometimes – as we get into things like non-competes and restrictive covenants. Things like who are the clients. Everybody sometimes knows who the clients are in certain industries.

Also important is to make sure that you get, early on, all the documents that somebody has signed, because these are going to give teeth to any nastygram that goes out to an individual or an organization, or oftentimes, an individual and the organization. It’s a strategy on the plaintiff’s side, you’re hitting both at once to apply pressure to get them to leave or just to get them to hand over what they took and just start to admit things. But really important to understand if they have a non-compete, they’re just not supposed to go over there. what are the local laws? These are different state to state, people move, companies don’t keep these up to date, they change job roles, they change their pay, they’re invalid, they don’t realize they need a new non-compete. They have to give them consideration. Really, looking at this stuff. This is all a part of the proactive piece too is managing your policies as it relates to your employee.

Secondly, if they have a non-solicitation, and they just can’t go and call on your clients. They can still go work there. You still have maybe some type of ways to remediate that depending if there has been a theft of hard trade secrets. These cost a lot on both sides once you start to get into this granularity. Non-competes, in general, in the Unites States year-over-year are typically weakening in almost every state. Some still have very strong laws, but the courts and just society, in general, they don’t really like non-competes that much. The non-solicitation agreements, though, and non-disclosure agreements, those are still very strong, and that’s oftentimes where these lie, especially in states like California where you don’t have a non-compete, you don’t have those types of laws, and it’ s even murky about non-solicitation. Oftentimes, as a lawyer, you’re trying to do things to really identify things as trade secrets to get them in with the non-disclosure agreements and the confidential business information.

Go ahead, John.

John Wilson

I was just going to say, we’ll get into policies and talking about policies towards the end here, but as Michael said, it is really important to understand what policies are in place and in effect, and do you have the actual documents from that employee related to those policies, acknowledging them, agreeing to them, being bound to them, understanding all of those. What documents you actually have becomes really important when you’re pursuing a case of this nature.

Michael Sarlo

Can’t agree more, and we’ve seen cases where they’re bringing in handwriting experts to see if documents were forged. Things like that happen at smaller companies when a key player leaves. Ownership will go to great lengths. So, you never know what’s going on with these cases sometimes and who is doing what. We know from a digital forensics’ standpoint, but the social dynamics and everything that led up to it can be very muddy.

So, we’re going to get out of this element of it, and get into – since everybody loves hearing about – which is the technology and the workflow and the digital forensics. I’m going to hand it off to my colleague, Sergio Garcia, who probably has been up to his eyes and ears many times in these types of investigations, as much as anybody else on this line, on the topic of purposeful investigation, and just framing favorable outcomes for end clients with forensic evidence.

Go ahead, Sergio, take control.

Sergio Garcia Jr.

Great, thank you, Michael. I want to switch it to kind of start talking about how we actually have a client call and we actually have an event that occurred, and they want to investigate. So, we definitely want to start getting a very – our scoping questions upfront to ensure we get a big idea of what kind of occurred, what were the triggers of the event, what are the actual endpoints involved. We want to get as much information possible, because typically, when we get these calls, we get clients that say, hey, I’ve got a laptop and I think the person who left the company may have copied off a bunch of data onto some type of device, can you pull off the copy log from this computer and provide it over to us? Well, we’ll quickly burst their bubble and let them know, hey, unfortunately, there isn’t a copy log on the system that we can refer back to say, this is the exact events that happened or occurred. But what we can do is put together some artefacts that may lead to signs that they may have done that.

When we get on these calls, we want to see what was the initial trigger of these events. What did you see or what occurred? It is just kind of just more an investigation that this person left for a competing company that’s in the same space as you, and we’re just doing a blanket investigation, or did they do something that may have triggered something, like they shared a Google Drive document to themselves using their personal email account. So, now we have signs that, hey, they were looking to exfiltrate data or push it off to their personal email before they were leaving the company. So, it’s very important to get these key elements upfront to kind of determine what exactly may have happened.

The first one being, hey, when did the employee actually depart the company? What was the exact date of his departure? Was the content… were all his accounts deactivated? What were the procedures? Do we have a list of everything that he had access to? Did he have a – not only a laptop, did he have a desktop as well? Did he have a mobile device that was issued by the company? So, all of this gives an idea of, right, what are the endpoints that we’re actually going to have to look after. What are we going to investigate and what is the timeframe?

So, typically, when we look at the timing of devices, you will start seeing, here is where he was fired or departed from the company on 1 March. So, at that point, what we’ll do is we’ll build timelines based on 60 days, 90 days out from that date, so knowing that exact departure date would be very important.

Again, looking back at the various devices, also, what were the policies on these various endpoints. Were they under a universal device management or a mobile device management system that had controlled access to the systems where USB policy is blocked or things of that nature, so we know exactly where to target, where we want to deviate from our investigation? So, a lot of that information is important. We want to make sure what are the endpoints again, what accounts were available, and how were they managed. Because if a laptop was available and they don’t have admin access to the actual system, then we’ll look at what applications may have been installed. At that point, we won’t have to concentrate on that effort, because we know they didn’t have access to that. At that point, we’ll start targeting specific areas of investigation.

John Wilson

Going back to the timelines. So, it’s not always just the events, the departure date, but you also have to be concerned with was there an inciting incident that caused that employee to leave the organization. Did they get passed over for a promotion or not receive a bonus, and looking at those trigger dates as well, because that can also help unfold the appropriate timeline for the investigation. And then when you start talking about the technology side of it and getting into what repositories they used. It’s really important to understand the specifics of what systems the organization uses.

We had a case where we actually worked and the organization were using Google for Business, and the person was exfiltrating information from the organization by creating drafts, and due to the special way that Google handles drafts, or different way that Google handles drafts, the traces were very minimal. We managed to be fortunate and be able to recover a couple of items that then opened that box for us, but there’s some key elements of that nature, is making sure you understand all of the technology that’s at play and what the restrictions, benefits, and challenges of those solutions might be.

Sergio Garcia Jr.

Absolutely. Thank you, John, for that. On top of that, also, going back to disabling access to the various systems. When the employee departed, did all the systems that he had access to get disabled. Were all his email account access cut off? Were all the accounts to all the network shares, were those disabled? His cloud accounts, Dropbox, Box. Another one would be the keycard access, did he have keycard access to the building. Sometimes we have cases where that comes into play, where we can correlate keycard access to various activities that were happening behind a machine within the property of the organization. All of those things are important things to know, whether or not they occurred when the employee departed.

Another thing is what type of file types, or where are the documents that are of interest here. Are we investigating a specific software company, where they primarily code in Python or Ruby, so .rb files and .py files will be very important for this case [inaudible] specifically isolate specific file types at that point? So, those are the initial scoping questions we would go through and try and determine where we want to attack and go through and investigate, narrow down our scope of it.

And then we go into more specific scoping questions on various endpoints and things like that. Again, policy in places versus the assets for laptops. Are they locked down to only…? I’m sorry, locked for cloud accounts. Are they locked down to only be used on managed devices? So, can you only log in to your corporate Box account from these devices, or are they open. If I had a home computer, can I log in to my Box account there. so, things like that. Now, we can expand out. So, now we know, hey, we’ll go back and check into Box.com logs and say, well, there was a new IP address or a new device ID that was logged in that was a non-corporate device. Let’s see what that one… let’s see where did you log in from. We now have another endpoint to go through to acquire, to see what had happened at that location. That builds out that timeline. Again, providing those specific… asking the specific scoping questions is very important. Again, going back to actual specific recoverable items from different devices.

Again, what exactly happened? So, that will determine where we’re going to target our investigation. For laptops, specifically Windows systems, there are a lot of artefacts that we can look after. Typically, we target the low hanging fruit here. Let’s create a quick file list of all of the files that are available both active and easily recoverable on the system, files that are deleted but not overwritten yet. So, let’s start off there and go through that list, see if there’s anything that may have been removed from the system that was on there once and that way you can target a specific file.

Then we go to USB device identification. Were there any types of USB devices attached to the system at a given time, whether it be 30 days, 60 days, 90 days out. Typically, the user may have not plugged in anything before the incident, why is he plugging into systems now, and where is this USB device now.

Additionally, with the proliferation of cloud data, browser history is becoming really important. What was his history looking like during the timeframe before his/her departure? Was he visiting more cloud sites? Was it Gmail? If you’re not a Gmail system, are they visiting Gmail accounts? Are they logging into their personal account? So, we can then look at the various browser artefacts here? Let’s see what this person may have done, the last website they may have visited. Let’s check the cache, so if he deleted his history, there may be remnants of the files of specific sites that he/she may have visited and see what’s there. session restores, so sometimes people aren’t aware that these browsers track your last few sessions, so every time you close out, you may have had 12 browsers open that are saved on the system. Those are different artefacts that we can go after to check. Depending on if it’s a Mac system, there’s other artefacts that specifically are found, unified logs, and then you have APFS snapshots and a variety of things. So, making sure we get all that information upfront will allow us to make sure we have a more targeted investigation, make sure it’s more purposeful, make sure we’re not spinning our wheels on an asset that we know is not going to be or has any data that will yield anything in our investigation. So, making sure that information is scoped upfront is very important.

So, going from there, another typically case we usually get involved with clients are remediation projects, a remediation project where a protocol may be already set in place or where we assist and create the protocol. Two parties have agreed to confer and discuss what types of files or what services maybe running across the system that maybe moved and deleted once they’ve been identified.

So, a lot of the times we’ll assist with either creating the protocol or we’ll assist with executing the protocol. So, a few things to discuss is the identification of items within the protocol. So, how many custodians are we talking about here. So, what are the endpoints to be remediated? So, are we talking about, again, laptops, mobile devices, personal Gmail accounts, iCloud accounts? So, making sure we identify everything that’s to be searched and identified here is important. Another key part is whether or not the custodians are allowed to keep their devices during the remediation. If this is their active laptop, you have to be concerned whether or not they’re allowed to keep it. Does it make sense for them to hold onto it or should we keep it and do an entire remediation, only provide it once all of the documents have been removed from the system. So, all that is important to be defined within the protocol upfront.

And then we go to the area where the search of the files, what exactly are we searching across these various systems? Are we looking at just key terms? Are we looking at a date filter? Again, specific extension. Going back to the software example, this company primarily codes in specific language, those types of extensions are going to be very important. Then again, email address. If we know that the custodian’s email address was a personal one, we can include that in the search. All that information is important in the protocol, so that way we can adhere to any kinds of steps that are necessary regarding that search.

John Wilson

You also have to… when you start talking about these remediation protocols, you’ve got to be thinking about things. So, there’s a customer spreadsheet that was put into email, an email to a personal account, how many places does that actually wind up. Could that be on the laptop, could it be on the mobile device? Did that get backed up somewhere? Is it in a backup now somewhere? Is it backed up into a cloud account? What other actions may have occurred, any automations or anything running within the personal mail program of the user as well that can also copy or backup data to other places. You’ve really got to think through all of the repercussions of where data can end up. Just saying, oh well, we just want to get this one email. Well, that one email could wind up being in 20 or 30 locations for a single custodian.

Go ahead, Sergio.

Sergio Garcia Jr.

Thank you, John. So, once we have that search set identified, we go into the next steps of the protocol, which are typical of… we go into the privilege review and then into the remediation review, so we’re going to review the documents that were identified in the search stage for any type of privileged document at this point, so that way, we’ll exclude those from the set that’s going to be reviewed for possible remediation.

Things that we typically do in a review, we’ll provide the privilege log and the reason for the privilege, and then we’ll provide that over. So, after that stage is sent, we have the remediation review where all the documents that hit on the key terms that were non-privilege, are then presented. This will kind of be the meat of everything, where this is going to provide the list of documents that will then be remediated from the various endpoints.

One thing to note when writing or reviewing some of these protocols, it is ensuring that we have enough time for each of the various stages. A lot of the time, somebody who is writing these aren’t aware of the amount of work that’s involved within the remediation, so we want to account for things like making sure if we do have 10 custodians and there are three assets per custodian, we’re looking at 30 items, that we have enough time for each stage of the protocol to ensure that we’re not going to be running up against any deadlines.

So, we’ve seen instances where we had the 30 assets, and the remediation phase is only five days. So, if we have thousands of documents across the 30 devices, five days is never going to be enough time to complete that process. So, identifying those documents and keeping that in mind is a very important part of the protocol as well.

Then, of course, the final stage is the actual remediation. What is the final list of documents and their various endpoints? Ensuring that we have a proper plan in place to ensure that we are remediating all of the various assets. So, if you have endpoints like a Gmail account that may also be synced to a laptop, we want to make sure we remediate the Gmail account first, because that’s going to be syncing down to the laptop at some point. It’s easier to remediate in the cloud and then sync back down, so that way those emails are then removed at the same time, so ensuring that we have the proper plan in place depending on the line of assets is very important. Again, the timing, making sure we have enough time to reach out to each custodian and remediate each device, especially now where the workforce is so spread apart with our current times, with the remote force. Previously, we were able to go just to the organization’s office and we were able to run the remediation in one central point. Now, we’re stuck where we have 10 custodians, 10 different locations, and sometimes, geographically, they’re on East Coast/West Coast, in different locations, so we want to make sure that all that is accounted for and we have a plan in place for that.

Then, finally, is the certification. What type of certification is required once all of this work is complete, and making sure that we have that statement upfront, and whether it’s created, or we have to create it on our side?

So, that was a quick review of a quick remediation project and the steps involved for that. Then from there, I’ll kick it off to John to discuss the protective measures, policy, process, controls, and technology. At this stage, what can be done upfront to ensure that these types of devices are not – this type of data isn’t exfiltrated from your systems and organization.

Michael Sarlo

I just want to add one thing to the remediation protocol section there. As a defendant, if you get a nastygram from an ex-employer of an employee that you just hired, mission critical to cordon off their access to your network and to really segregate them and to get them isolated. The situation when a competitor’s data that you don’t want starts to spread throughout your network can open just an eDiscovery can of worms that could become incredibly costly. All of a sudden, you’re searching hundreds of gigs, if not terabytes of data looking for a few contracts of client list that your new employee somehow copied and then sent to the rest of the staff.

I’ve seen cases where it got really bad and individual pieces of documents started to, basically, get merged into the competitor’s documents. We had to do a page-by-page comparison. I’ve seen this happen where, literally, review teams are a part of the remediation protocol. So, something that could have been avoided.
Again, sometimes, we make employees sign documentation that they’re not bringing anything from a competitor. That can be something good to do if you’re in a competitive industry where you might have movement of salespeople, scientists. That’s an interesting one. We actually do that here as well.
So, something to keep in mind that, as a defendant, this is where you do not want to end up is in one of these remediation protocols.

John Wilson

Thanks, Mike, definitely good thoughts there. so, moving into the protective measures, we’re going to talk about the policies and how do you actually protect your organization for when these events do occur, if these events do occur for you. Really, policies are the foundation that are going to give you the protections you need to be able to say, hey, my documents are trade secrets, my client lists are confidential information in the organization.

So, there’s several types of policies. You have kind of acceptable use policies that say, hey, how you can use your computer, your mobile device, whatever. When you’re conducting business, this is how you conduct business. And the controls that an organization has ownership of the work done on the corporate devices or the work that you do for the corporation belongs to the corporation. All of that gets defined in those acceptable use policies. So, ensuring that yo have a rock-solid acceptable use policy in place in place and that your employees are acknowledging that on a regular periodic basis, when you do your annual reviews or when you do your annual trainings, have them acknowledge, hey, here is this year’s acceptable use policy, it’s updated. Make sure that you’re updating them, keeping them relevant to the organization. As the organizations move from physical servers to cloud servers for cloud services, for email for instance, we had a case that we had where their acceptable use policy talked about their exchange, but didn’t extend to off-prem cloud services that you’re allowed to log in to remotely, due to the restrictive language in their acceptable use policy, that wound up being a real issue for them. They probably had to settle for less than they had expected to win coming to the remediation and resolution of the matter.

So, again, really important to understand those aspects. Do you have a data retention policy? How long do you keep data for? A lot of companies… storage is cheap, so companies keep data for a long time. Make sure you have an effective data retention policy that meets all of your regulatory requirements or industry requirements for whatever it is you do, but also ensure that you’re not just storing data longer than necessary. You want to make sure that it’s relevant and appropriate for your organization and your type of business.
But beyond that, you also have to ensure that they’re properly enforced. If you say you have a 90-day data retention policy and then you’ve just got years and years and years of email data sitting on your server, that’s going to wind up being a problem for you, because then you’re not following your policy, you’re not enforcing it and then that might open the bounds and allow them to look way beyond those date ranges.

Then, do you have data use policies? And the data use policies include privacy policies. What are your employees allowed to do with your corporate clients’ information? Is there a right to make sure it’s protected? Do you have clauses in there that protect you from them exfiltrating data to foreign countries? Again, data use policies are really important and probably one of the most overlooked areas of policies. Most companies have an acceptable use policy, they haven’t looked at it in 10 years, but they have an acceptable use policy that was drafted a long time ago. Most organizations have some sort of data retention in place, they don’t always have a policy that reflects what the actual organization is doing, but they usually have some sort of retention in place.

Data use is where things start to get really slippery sloped, because a lot of organizations don’t have a data use policy. They’ll put a privacy notice out on their website and that’s pretty much it. So, understanding what your employees are allowed to do with your clients’ data, with your organization’s data, what the restrictions are, classifications of that data are. Putting policies in place around that, using those data use policies to protect the organization and it’s client data from being misused for these reasons gives you the protection you need when you have to pursue one of these cases.

Then lastly, do you have an actual departing employee policy? Do you have an exit interview and an exit policy and workflow as to how an employee leaves? Do they turn their devices in? What happens to those devices? Well, if they’re key employees or if they’re strategic employees in certain departments, maybe you have a retention policy that says, hey, we’re going to go ahead and automatically image their systems and retain that for a year after they depart just in case they took information with them and something happened. So, having those key employee policies, having that departing employee policy in place is really important, because you can run into situations where a partner in the company decides to leave the organization, you don’t really have a departing employee policy, and when anybody else has left the company, you didn’t do anything, but when that person left the organization, you preserved his device. There can be challenges with that because you’re not following a policy. You might have been prejudiced against that individual in the eyes of the court. Certainly, all these things have to be discussed with your legal team, which we highly recommend having that external legal team that’s assisting with these matters, but understanding that having the policy in place then gives you the protections to say, yes, absolutely, we image their devices because that’s what we do with all key management or higher employees that leave the company, or R&D team members or whatever particular role might put the company at particularly sensitive risk, sensitive data at risk.

And then having those workflows in place, and then ensuring that they’re followed, because just having the policy doesn’t get it done. You actually have to follow the policy, so making sure that that policy actually gets implemented and gets followed.

Having that exit interview and offboarding plan can be really critical, because when you have a lack of those policies and processes and procedures, then it’s, well, why did you image his phone and computer, but you didn’t image his phone. When this individual left, you didn’t do his phone, this individual left, you did. That’s where you want to be able to go back and say, hey, here’s the policy, it says anybody on R&D team gets imaged, all of their data or only their mobile data or only their chat data or their lab notebooks, whatever the case may be, but making sure that that policy was in place and being followed becomes really important.

Other challenges that come along with all of this are the lack of tracking the employee’s assets. What assets are they allowed to use? What assets are they assigned? Is there communal computer systems that are shared between employees and they’re used? Or do they have an assigned computer? Do they use that assigned computer? Do they have an assigned mobile device, or do they use BYOD? Does your acceptable use policies and your data use policies and your exit policies cover BYOD? Does it say in the agreement that when an employee departs the company, if they’ve been using their personal device for work, does it allow me to image that device? So, making sure that those sorts of things are all in place.

The timing of their access controls, making sure that the access controls have been implemented appropriately, that you’ve revoked permissions to their email system, to the accounting system, the financial system, the R&D systems, documentation systems, making sure that all of those access points that that individual may have had access to have been disabled. We had a large case where they disabled access to everything except for the register system that allowed them to process transactions, so they started processing… so, an individual started processing a bunch of fraudulent transactions to cause harm and reputation harm to the organization. So, they went out and found a bunch of stolen credit cards and processed a pile of stolen credit cards on the organization’s transaction system, ran up a bunch of fraudulent transactions that then look like the organization was having a banner month, and lo and behold, they all got declined, investigated, and it created huge challenges for that organization, and that was because they forgot to disable that access. The same thing with the email and any other communication platforms. In today’s day and age in business, a lot of organizations are communication on many platforms, not just one, so they’re using Slack, they’re using chat systems, make sure that you’ve received that user from Slack channels where they might be still talking with your vendors, for instance, if they’re left in those Slack channels and able to communicate in those Slack channels using their own credentials, because they were added that way. Or maybe they added themselves that way, so making sure that you’re checking all of the access points for the organization’s data to preserve and protect it. That all needs to be part of your policies. It needs to be part of the systems that you put in place.

When you’re following the workflow, that’s what is going to allow you to have positive control over that experience and the ability to then have an investigation and have a case later if necessary. Making sure that your policies around the whole system are received and acknowledged and updated on a good regular basis using, if you like, your LMS system or a document workflow system that you may have in the organization that allows you to have positive affirmation. Yes, they saw the document, received, reviewed the document. In our particular organization, when someone reviews a policy, they have to look at that policy for a certain amount of time. That certain amount of time is calculated by how fast an average person can read the page. But making sure that you have policies that do those sorts of things, and implement the systems if you have the technology. If it’s not a technology-driven solution, ensure that you have a process that can be followed and implemented and documented.

Then when employees do depart, make sure that the appropriate parties are notified, and that that notification is spread across the organization, so you don’t just go out to IT when a person departs. You need to make sure that other R&D members know that that person is no longer with the organization, because they may reach out to them and, hey, can you send me this or answer some questions about that? If they’re not aware that that person is no longer with the organization, they may share information that would now be considered confidential by the organization and put you in a compromise. So, ensuring that you have a full documented who needs to be notified, how they need to be notified, what actions need to be taken as part of that offboarding workflow.

And then making sure that your key critical systems, obviously, have to happen first. Again, we live in a world where not everything can happen automatically, and not everything can happen at once, but prioritize it. Ensure that email and server access are cut off first, and then start hitting all the cloud accounts. Whatever that process is, as much automation as you can utilize, even better, but ensure that you have a process that prioritizes the high-risk services first, so that you can get those secure and taken care of.

When you start talking about your endpoints, again, you’ve got your mobile devices. Is it BYOD? Are they corporate owned? Is there a mobile device management installed on them? Are there policies enforced by that mobile device management on that device, so that when the employee is terminated, it’s automatically locked, the PIN code gets automatically reset to some other PIN code, or does it automatically wipe the device, or does it do nothing. Understanding what your policies are and what your processes are and all of those tools, implement that appropriately. The same thing with tablets, laptops, desktops. Do your policies block USB access? Do you allow local administrator accounts on systems that may allow them to bypass those sorts of things? How locked down and hardened are your systems? Do you have an agent that’s monitoring interactions with the device? Understanding, documenting, including all of that in your offboarding workflow. Web monitoring, do you have any web monitoring in the organization that’s paying attention to what the users may be doing on the web and documenting it? If so, you have two things there. Make sure your policy covers that and then make sure that when you’re getting into your investigation that that’s covered. Hey, we have a web monitoring system, we can provide logs for all of the web activity, it may help you find that low hanging fruit of, hey, they logged into their personal Gmail, it was against company policy, so it stood out as a flag, and we have that documented. File servers, the same thing. Is there file activity logging on those? Are you using a document management system that says, hey, this person opened the document and viewed the document, saved the document, or are you just relying on the file system, the logging itself, and utilizing that information?

Securing your cloud repositories, ensuring that you have auditing and extended logging turned off if that’s appropriate for your organization and it meets your retention policies. When you’re logging into Office 365, by default, when it’s initially setup, the logging retention is fairly short. If you don’t go in and check that and audit that and ensure that that meets the standard of the organization, you may have a shortfall there. The same thing, all your messaging platforms, making sure what’s retained. Do they retain anything? How long is it retained for, where it’s retained? Is it stored locally? Is it stored out on the cloud? How might you gain access to it in the event of an investigation? Do you have audit logs for those systems? Can you get to those audit logs? Any of your online file systems, online repositories like Box and Dropbox. Is auditing turned on if appropriate within your retention policies? Having those things activated and turned on. Does the employee have access to corporate generic accounts, whether they’re a shared mailbox that they might know the password to? Social media accounts, can they log in to the Facebook for the company and post content? Well, if they’re the social media creator, that may very well be possible, or if you’re just a smaller organization, you may have several people that are managing social media responsibilities. So, understanding, making sure that you’ve got those aspects locked down.

And that brings us pretty much to the end. today, we went through a departing employee event. What do you do before an event occurs? Make sure that you have those policies in place, you have the systems in place to enforce those policies, and you leverage technology to accomplish those goals as best as possible if you have that technology available. Again, making sure that those policies meet your guidelines and support your organization’s mission. And then what that employee departure occurs, make sure that that offboarding policy workflow is followed, that the offboarding plan, the exit interview is done, devices are turned in, access is terminated, appropriate people are notified. Then as an event occurs, you get notice that, hey, we all of a sudden have this big dip, a bunch of customers left the organization. Well, what happened? Let’s figure it out.

You start that investigation. OK, well, John Doe left last week, so maybe it’s something related to that. Let’s start that investigation, making sure that you have an investigation plan, you have a policy around those investigation plans that provides guidelines and provides the boundaries for it. And then also understanding what a positive outcome for the organization is going to be. Is it getting the TRO? Is it getting the cease and desist? Is it getting monetary recompense because the individual cut heavily into your sales by going out and starting a new organization and took a bunch of your sales? Understanding what that positive outcome might be and what remediation steps may help you get there, and being able to implement those.

Michael Sarlo

Positive outcomes can oftentimes not feel positive. There’s an old saying, negotiation where… it was probably a fair deal if nobody feels that great about it, so that’s usually what the deal should be. It’s important to level-set both as an investigator, which we oftentimes rely on outside counsel who we’re working with, with corporate clients to do that, but not to be afraid to use common sense as well. These can get really pricey and out of control pretty quickly for things that sometimes won’t have an impact on your business… salesperson, it’s really going to be up to the organization to figure that out and to figure out how much they want to pursue these. Again, always handling any forensic investigation, focusing on the low hanging fruit, the stuff that’s easy early on. Simplicity with forensics is often the most impactful thing for a judge. You’ve got somebody who might be older, they don’t understand technology, they don’t want to read 30-page dissertations from a forensics guy, they want the clear facts, and it’s up to the lawyers, oftentimes, to frame it, and it’s our job as forensic experts to really be an agent of both parties and to make things as simple as possible.

Something I see oftentimes is these examiners who write these reports that are multipage diatribes, you don’t need those in these. All that does to an caustic litigation, is it causes the other side to do the same thing, and then quickly what ends up happening is the issues completely fall out of scope and things are just useless discovery issues. This is a rule of thumb for any litigation where forensics is involved, I would say, not just theft of trade secrets or anything like that. Don’t overdo it.

We have a question from the audience. It was just feedback. Somebody said, “Thanks team”.

Well, thank you guys so much. I’m going to turn it back over to Rob Robinson and close this out, and really appreciate you guys joining us. As always, feel free to email myself, John Wilson, Sergio Garcia if you have any questions, you want to talk about this stuff, you want us to come in and talk to your teams. Happy to get to know you if we don’t already know you, and if we do know you, then you know we always love chatting.

Thank you.


Excellent. Thank you very much, Mike, John, and Sergio for the excellent information and insight into Departing Employee Risk and How to Mitigate Them in a Defensible Manner. We always want to take the time to thank each and every one of you all who took time out of your eDiscovery day to spend it with us on today’s webcast. We know how valuable your time and we appreciate you sharing it with us.

Additionally, we hope you have an opportunity to attend HaystackID’s next monthly webcast scheduled for 13 January 2021 at 12 p.m. ET on the topic of Technology-Assisted Review in the Real World. Please check out the detailed description on our website and we hope you can attend.

And thank you again for attending, have a great rest of your eDiscovery day. This formally concludes today’s webcast. Thank you.


2020.12.03 - HAYSTACKID - Departing Employee BrightTalk Webcast - FINAL

Learn More About The HaystackID Forensics First Employer Protection Program

HaystackID Forensics First Employer Protection Program Fact Sheet