Exiting workers taking confidential data with them

As layoffs continue apace, a survey released on Monday shows what many companies fear--exiting workers are taking a lot more with them than just their personal plants and paperweights.

Of about 950 people who said they had lost or left their jobs during the last 12 months, nearly 60 percent admitted to taking confidential company information with them, including customer contact lists and other data that could potentially end up in the hands of a competitor for the employee's next job stint.

"I don't think these people see themselves as being thieves or as stealing," said Larry Ponemon, founder of the Ponemon Institute, which conducted the online survey last month. "They feel they have a right to the information because they created it or it is useful to them and not useful to the employer."

The survey also found a correlation between people who took data they shouldn't have taken and their attitude towards the company they are leaving. More than 60 percent of those who stole confidential data also reported having an unfavorable view of the company. And nearly 80 percent said they took it without the employer's permission.

Most of the data takers (53 percent) said they downloaded the information onto a CD or DVD, while 42 percent put it on a USB drive and 38 percent sent it as attachments via e-mail, according to the survey.

The survey also found that many companies seem to be lax in protecting against data theft during layoffs. Eighty-two percent of the respondents said their employers did not perform an audit or review of documents before the employee headed out the door and 24 percent said they still had access to the corporate network after leaving the building.

The survey was commissioned by Symantec, which offers software that helps companies protect against data loss by indexing database and monitoring for patterns of word combinations that might be used by exiting employees to steal data. The Symantec software also can monitor outbound e-mail for confidential data and alert IT if large amounts of certain types of data, such as Social Security numbers, are being copied to removable storage devices.

[Penguinisto]

Err... wouldn't an NDA prevent that?

[TNCharlie]

Try to get a judge to enforce an NDA or non-compete. My wife had an employee leave with client and media contact lists to start her own PR firm. Her employment contract specifically forbade her from doing so or even being in the PR business for 2 years after working for the company. In court she just batted her eyes, turned on the waterworks, and the judge fell for it hook, line, and sinker.

[pentest]

What the hell is wrong with companies thinking they can control ex-employees?

A 2 year non-compete clause?

Reason #5435436565634543 why America is going down the toilet.

[Vegaman_Dan]

Seems like anyone who did this would pretty much guarantee they would never get another job in the industry again. Whomever hires them that finds out that they did this would be in a horrible legal line of fire.

No sir, just not worth the heat.

[Penguinisto]

Agreed. It would be drop-stupid to even try. Most large employers are keenly anxious to avoid getting sued into oblivion, so it's not like they would happily countenance such acts anyway.

[expatincebu]

Good for them! Funny how these companies that treat their employees like dirt expect loyalty and hard work in return. Maybe Americans are finally wising up to the fact that big business is the problem in America, not the solution.

[Penguinisto]

You get what you negotiate for. Don't like it? Start your own business.

Fact is, if you handle sensitive data, odds are good that you have to sign a Non-Disclosure Agreement before starting work with any competent organization. It is a contract (which you can negotiate or modify before signing it). Violating a contract is still actionable. If you're dumb enough to swipe sensitive information while shouting "up the man!", don't come crying if your former employer decides to sue you (and your new employer) anyway.

You know? I once worked for a corp that had a very simple and effective way of dealing with corporate espionage and misuse of someone else's sensitive information: They fire the SOB and then call the affected competitor and (if warranted) the FBI. Why? Because they don't want to end up eating a massive lawsuit and crippling themselves just because some donut-head thought it would be cute and try to stick it to a former employer. Even worse, if it involves personal contact or ID info, it can easily become a federal crime.

I for one don't blame 'em... the last thing I'd want if I were a CEO is to watch a boatload of profits evaporate in a puff of legal vapor (and worse, having to explain it to the shareholders), and/or do the perp walk to Club Fed, just because of the actions of an unethical idiot.

If you can't see your way to man-up and act like a professional, then don't expect any sympathy from the industry at large the next time you go looking for a job.

/P

[humanssssss]

Penguinisto is a troll.

[Penguinisto]

So, humansssss..... do you advocate the theft of confidential data? I mena, if you disagree with what I wrote, it would help to say what parts you had problems with.

[Vegaman_Dan]

Penguinisto:

In the case where someone is terminated for compromising confidential data like that with another company is definitely one you'd want to keep both companies informed- especially if that information has any real value to that second company. Once they are alerted as to the source of that information, they can't act on it or use it in any way without running afoul of the law. I agree with that action totally.

I've had to sign my share of NDA's and non-compete clauses. I've had my background checked by the FBI for several jobs including time with a police department. There are times when you simply do not talk about your job to outsiders.

[Matthew Es]

They ask for loyalty but then they do layoffs. What do you expect?

[kraterz]

It's not about laid off workers stealing data. If they wanted to, they'd have done it ages ago, on a daily or weekly basis. When you fire them, they already have everything they need.

How do you reconcile with the fact that these employees actually need the said data to perform their daily jobs? If they're really crooked, you don't have to wait till layoff time to find gigs of confidential data sitting in their homes. Even if you disallow USB drives, they could simply email customer lists and docs to their personal account.

[lupuslefou]

I agree, humanssssss.

[buddesatva]

Alvin Toffler points out the fluid quality of wealth in the information age. One of his points includes the idea that unlike previous symbols of power ( the club, the gun, gold, the dollar, etc) information can be held by more than one person. Value flows from creativity. The notion behind that and the morallity of this time is that information is inherently untethered. It is not viewed as stealing. This should not be read as justification but rather explination.

[jeffsmyname]

I'm sorry that things happen in life like layoffs or downsizing. But that's life. Look at it from a customer standpoint. Would you be OK with someone stealing your personal information? Can you think of any way it could be used that you would be OK with? Identity theft and fraud seem a much more likely scenario than using it in a legitimate business. Even in the best case, where the ex-employee were going to get a job or start their own business... would you really want to do business with someone who's a thief or a business who would employ them? Getting layed off or fired DOES NOT give you the right to commit corporate espionage or to steal. What these people are doing is illegal and illegal for a good reason. They belong in jail.

[mattflaschen]

"Most of the data takers (53 percent) said they downloaded the information onto a CD or DVD."

I call BS. There is no way that .60*.53=31.8% of laid off workers know how to burn a CD.

[mattflaschen]

"Most of the data takers (53 percent) said they downloaded the information onto a CD or DVD."

I call BS. There is no way that .60*.53=31.8% of laid off workers know how to burn a CD.

[marap]

Why does this article applies only to "employees" and not addressing executives.
What and who is stopping a CEO or CIO or executive level person to leave one job and influence his list of contacts to do business with his new company or with his new gig ? Or even leverage secrets of his past business.
This is a sales pitch from symantec to sell its product. As stated, "this study was done by symantec", and not by a independent 3rd party.
If one employee takes a bunch of partner/customer information then its all hell, however, when one CIO or CEO jumps ship or kicked out and then starts to influence his list of contacts to do business with his new venture ..... then where is symantec ? Just look out, industry is full of such executive level people.
And please ..... stop making a poor employee subject of all this. Things are already tough.

[EDunigan]

I am not surprised that a greater percentage of those individuals who took data had a negative view of their employer. It is important for companies to create positive work environmnets as well as have procedures in place to prevent data theft in good and bad times.

I wonder how many of these businesses were using a database to store information vs. excel spreadsheets. If databases were used, were permissions set up accurately? I wrote a recent post on the five ways databases help protect data (user permissions, etc.). In addition to having procedures in place for data security, it is also important to have the appropriate tools in place.

http://www.trackvia.com/blog/2009/03/06/five-ways-database-protects-data/