In an era of high employee turnover and increasing insider threats, secure offboarding is no longer optional – it is essential.
Delayed resignations, probationary employee terminations, and reductions in force (RIFs) have been in the news and ongoing for the past year. Tens of thousands of U.S. Government employees are being terminated or voluntarily leaving government service. Typically, U.S. Government agencies preserve forensic images of departing employees’ devices to maintain continuity and prepare for potential investigations. Private employers should adopt the same practice.
Obtaining forensic images of company-owned computers and extractions of company-owned cell phones protects both the employer and the employee.
The employer should maintain data from a departing employee’s company-owned computer and cellular phone, just in case a need for that data should arise. We recommend preserving data for all departing employees because you just never know what issues may arise after an employee leaves your employment. Below are some specific examples of situations in which an employer should maintain the data.
When Data Preservation Becomes Critical
- Departure of High Ranking/Long Term Employee: When the CEO, CFO or Chief Counsel leaves a company, their institutional knowledge also leaves. However, just as important is the data on their computer and cellular phone.
- Employee who departs suddenly: While not always an indication of wrongdoing, an employee who leaves with little or no notice could forebode issues, such as embezzlement, missing inventory, stolen proprietary data, etc.
- Employee with HR concerns: One of your first steps in an internal HR investigation (theft, harassment, substance abuse, time management, etc.), should be to preserve the employee’s digital devices. However, this should not be performed by your IT department. For use in any future litigation, the acquisitions should be completed by an expert who is trained, certified and licensed if required per state law in your jurisdiction.
- Whistleblower: An employee left and down the road becomes a whistleblower. The preserved data on the company-owned laptop and/or cellular phone could provide valuable intelligence.
- Stolen Data: If an employee has left to go to a competitor, there may be concerns the employee has taken proprietary company data with them, such as client lists, pricing information, or sensitive bid data.
These examples underscore the need for a proactive, forensic approach to offboarding – not just for security, but for legal and operational continuity.
With this preserved data, the employer will be prepared for anything unforeseen at the time of the employee’s departure. Consider it an insurance policy and one you will be glad to have should anything be uncovered later.
Why Use an Outside Digital Forensics Firm?
Preserving data is only half the battle. To ensure its integrity and legal admissibility, companies must rely on qualified digital forensics experts.
The use of an independent outside qualified digital forensics examiner quells any conflict issues and potential allegations of evidence tampering. Therefore, it is critical to use an outside digital forensics firm for the following reasons:
- Trained Professionals: The personnel acquiring the computer and/or the cell phone extraction should have the requisite training and experience to withstand scrutiny in a court of law. There is no fixed rule on what this looks like, but the digital forensics examiner should have verifiable training and several years of practical experience. A nice plus to have would be an industry-standard certification.
- Chain of Custody: The original subject digital device (i.e., computer, cell phone, external storage drive, etc.), and the image and/or extraction acquired from it, should each have a proper and verifiable chain of custody so that the forensic image can be admissible in court.
- Forensic Process: To be acceptable in any potential court proceeding, images and/or extractions should be acquired forensically by a qualified digital forensics examiner. This process uses specialized forensic software and hardware designed to make no changes to the data.
- Verifiable Forensic Images: A verifiable forensic image and/or extraction, completed by a qualified digital forensics examiner, will prevent evidence spoliation and accusations of evidence tampering, as the image and extraction will have a HASH value at the time of acquisition. The HASH value is an alphanumeric string, calculated by an algorithm, representing the content of the data acquired. This HASH value is unique to the data acquired and if one bit of the data is altered, the HASH value will change. This aspect of digital forensic acquisition is why it is admissible in court and can withstand evidentiary challenges.
The preservation of the data on your company-issued digital devices should be at the forefront of your departing employee checklist. It is an important security step and should be just as important as ensuring the departing employee no longer has access to your network. The acquisition of the digital devices in a forensic manner will enable the data on them to be admissible in court, should the unfortunate need arise.
Contact Us
Curious how forensic imaging fits into your offboarding strategy? Let’s talk – our Cyber and Information Security Services Team can guide you through the process.
