The Break-Up List - A Checklist to Avoid Information Management Issues with Employee Separation
Everyone has a process for onboarding new hires, contractors, consultants, etc. There's a checklist to follow: issue the badge, issue the keys to the office and the parking garage, and of course set up the Active Directory account, the email account, and all the other information management system set-up tasks.
Similarly, when employees separate, there's a checklist there too: remove access to systems, get the laptop back, get the keys back, etc. What happens to the employee's information stores? The laptop often gets wiped and reissued. Maybe the separated employee's inbox is assigned to the manager for review. Maybe the manager manages to do so at some point.
These practices can cause significant information management issues, particularly if the separation was not on good terms. Consider this: Do you know the statutes of limitations for common workplace issues such as discrimination, harassment, or hostile work environment? What is the likely outcome of litigation if it turns out that the former employee's laptop was wiped and reissued while litigation is underway or should have been reasonably anticipated?
And what about all the other information stores? These include, but are by no means limited to:
- Folders on network file shares, including personal folders
- SharePoint sites and collections
- Email archives and .PST files
- OneDrive for Business sites
- Box, Dropbox, and all the other file sync & share tools
- Slack, Teams, Yammer, Google Drive, and the plethora of other web-based collaboration tools available
- Flash drives
- User-owned devices and locations, if the organization allows or overlooks Bring Your Own Device/Bring Your Own Apps
- Social media accounts used on behalf of the organization
Theft of organizational information assets by separating employees is also a major issue. Research has shown that the majority of separating employees take at least some information with them when they leave. Whether inadvertent or intentional, this is a significant issue because of concerns about confidentiality, intellectual property, privacy, and others.
Organizations need to ensure that their employee separation plans address information management issues, and take appropriate measures with regard to any business information that is or was in the custody of separated employees. If the separation is on good terms, much of this can and should happen prior to separation; if not, it needs to be done as soon as is practicable.
This checklist should include, at a minimum:
- Revocation of access to all systems: on-premises, cloud-based, everything.
- Return of physical security credentials.
- Return of all company-issued hardware. Relevant hardware should *not* be reset or reissued but should instead be retained as-is in case of legal issues.
- Return/removal/destruction of all company-owned information outside the custody of the organization. Hardware and information should be retained until it is determined that there is no liability; this determination should be made through consensus among, at a minimum, the business unit, HR, legal, IT, and records management.
- Removal/deactivation of all company-issued software.
- Transfer of relevant social media accounts including logon credentials.
- Attestation by the separated employee that all company property, including hardware, software, and information, has been returned or destroyed.
- Identification of all applications and data stores used by the separated employee.
- Assessment of applications and data stores to determine potential liabilities. Where possible, data stores should be set to read-only to avoid potential issues with destruction, whether inadvertent or intentional.
- Assessment of data stores to determine whether any are part of an existing legal hold or other legal or regulatory action.
The steward assigned to the separated employee's information stores may review their contents with an eye towards fulfilling any outstanding obligations and ensuring necessary transfers of responsibilities, but care should be taken to ensure that information is not altered or deleted.