Employee Risk Assessments for Departing Employees

Understanding the Risks When Employees Leave

When key employees leave their organisations, the stakes can be high. There is often a delicate balance between risk and reward, necessity and desire (see our previous article Needs Versus Wants: Budgeting in the World of Investigations and eDiscovery). The departure of a key team member can result in the loss of institutional knowledge and clients, but it can also expose the organisation to risks involving intellectual property, trade secrets, and other sensitive assets. While hard statistics are scarce, rest assured—these risks are real and more common than one might think.

The Social Element of Data Misappropriation

Data loss or theft happens more often than you’d think, and not always with malicious intent. Cloud synchronisation platforms make it easy for employees to inadvertently retain company data after departure. While organisations often focus on explicit theft—such as unauthorised downloads, email forwards, or deliberate misappropriation—there’s a human element that’s equally important. Some employees simply feel entitled to the work they’ve poured years into.

Let’s say you design rocket engines (way cooler than my job): You’ve spent years perfecting a component, debugging every flaw, fine-tuning performance. Of course, you feel like you own it. In many ways, you do—emotionally, at least. Legally? That’s another story. Employment contracts and intellectual property agreements exist for this exact reason. But understanding these personal motivations is key to mitigating risk. If someone feels they own something, they’re more likely to take it with them—whether they realise it’s a violation or not.

What is an Employee Risk Assessment (ERA)?

An ERA is a rapid, fixed-fee assessment of computing devices, designed to provide actionable insights into key areas of concern. These typically include:

  • External device attachments
  • Web browsing histories
  • Folder and file access activity
  • Local system searches
  • Deletion attempts
  • Log-on and log-off patterns
  • File transfer indicators involving external devices

ERAs are not full-scale forensic investigations but are structured to provide predictable costs and outputs. The findings are then placed in the hands of legal counsel and the organisation to determine the next steps. This approach brings efficiency and cost control to an otherwise complex process.
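To make the first listed area, external device attachments, concrete, here is an added example (not iDS code or tooling) that reads the Windows driver-installation log `setupapi.dev.log` and flags USB storage devices first installed shortly before a departure date. The log excerpt is constructed, and `last_day` and the 30-day window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of C:\Windows\INF\setupapi.dev.log.
# Device names, serial numbers and times are invented for this example.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C53EXAMPLE0001&0]
>>>  Section start 2024/01/09 09:14:02.311
<<<  Section end 2024/01/09 09:14:03.020
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a1b3c4d&0&2]
>>>  Section start 2024/03/01 08:30:45.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\60A4EXAMPLE0002&0]
>>>  Section start 2024/03/12 18:47:55.902
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C53EXAMPLE0001&0]
>>>  Section start 2024/03/13 07:58:10.004
<<<  [Exit status: SUCCESS]
"""

SECTION = re.compile(r"^>>>\s+\[(.*)\]\s*$")
USBSTOR = re.compile(r"- (USBSTOR\\.+)$")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")

def first_attachments(log_text):
    """Map each USB mass-storage device instance ID to its earliest install time."""
    seen, pending = {}, None
    for line in log_text.splitlines():
        header = SECTION.match(line)
        if header:
            dev = USBSTOR.search(header.group(1))
            pending = dev.group(1) if dev else None  # ignore non-storage devices
            continue
        started = START.match(line)
        if started and pending:
            ts = datetime.strptime(started.group(1), "%Y/%m/%d %H:%M:%S")
            seen[pending] = min(ts, seen.get(pending, ts))  # keep the earliest
            pending = None
    return seen

def flag_in_window(attachments, last_day, days_before=30):
    """Devices first installed in the days_before leading up to last_day, oldest first."""
    start = last_day - timedelta(days=days_before)
    end = last_day + timedelta(days=1)
    return sorted((ts, dev) for dev, ts in attachments.items() if start <= ts < end)

if __name__ == "__main__":
    for ts, dev in flag_in_window(first_attachments(SAMPLE_LOG), datetime(2024, 3, 15)):
        print(ts.isoformat(), dev)
```

The log records driver installation in the machine's local time, so it marks when a device was first set up rather than every later connection, and it should be read from a preserved copy of the file rather than the live system.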

How Often Should ERAs Be Conducted?

The frequency of ERAs depends on industry and organisational priorities. Some companies integrate them into their standard offboarding process, while others take a more reactive, case-by-case approach. In highly transactional industries where employees come and go, frequent assessments may not be necessary. But in sectors dealing with proprietary data—finance, insurance, biomedical technology—ERAs are often routine.

For some organisations, ERAs are triggered whenever key personnel leave, even without immediate red flags. It’s part of a broader risk management strategy—sequester, preserve, acquire, recycle hardware, move on. In closed-loop industries, where professionals tend to jump to close competitors, the risk is even higher.

Employee Risk Assessments are a core part of our practice. While not bound by geography, they tend to spike at certain points in the year—patterns we’ve come to expect.

Common Pitfalls in Risk Assessment

There are many cases in which the engagement relationship appears as follows:

NB: This was AI-generated, and I’m leaving the comically misspelled words intact—to remind us that machines haven’t replaced us (yet…).

One of the biggest challenges in handling departing employees is poor communication. A COO, for example, may have a limited understanding of IT systems and assume that investigating “the computers” is sufficient. This narrow view can trickle down to external legal teams and, ultimately, forensic experts, leading to inefficiencies. Asking the right questions upfront can help focus efforts on the most relevant data sources. Some critical considerations include:

  • What is alleged to have happened, and is there already supporting evidence?
  • If mobile communications (e.g., WhatsApp, Signal) are commonly used, why aren’t they included in the investigation?
  • Is the primary risk data theft, team poaching, or client solicitation?

Asking the right questions upfront keeps risk assessments focused on what truly matters. Maybe it’s firewall logs and company email data, paired with select computer artifacts—without tearing systems down to the studs. The clearer the scope, the sharper the results.

Immediate Steps to Mitigate Risk

If expert engagement is not immediately possible, organisations should take proactive steps to preserve potential evidence. Recommended actions include:

  • Identify, isolate, and preserve data – Avoid modifying key devices or data.
  • For mobile devices – Enable aeroplane mode to prevent remote access.
  • For computers – Keep them powered off and, where applicable, secure encryption keys. Ask IT to pull any necessary decryption keys (e.g., BitLocker).
  • Enable litigation holds – If using Microsoft 365 or similar enterprise environments, activate Unified Audit Logging for an appropriate retention period (e.g., 90 days).
  • Restrict access – Immediately disable access to critical systems (e.g., Salesforce, proprietary databases) that are no longer required for handovers.

Not sure where to start? We often share a checklist on this: the iDS ERA Checklist.

Final Thoughts: Strengthening Risk Mitigation with ERAs

Employee Risk Assessments are a critical tool in protecting proprietary data and managing employee transitions. Taking a proactive approach, whether through early consultation or structured assessments, helps organisations determine the most effective course of action before risks escalate.


iDS provides consultative data solutions to corporations and law firms around the world, giving them a decisive advantage – both in and out of the courtroom. iDS’s subject matter experts and data strategists specialize in finding solutions to complex data problems, ensuring data can be leveraged as an asset, not a liability. To learn more, visit idsinc.com.