
Ask HN: How do I fire someone who has sensitive data on their personal laptop? - firingpii
I'm in a bit of a pickle.

I need to let someone go from my startup (20 people, millions of users, funding) who was here since the very beginning.

He's been using his personal laptop and has at least one copy of our production database on it that he uses for analytics and data mining.

He won't take the firing well (I think) and I worry that he might leak some of that information. It could be company-killer.

How should I ensure the data is deleted and mitigate this risk?
======
brijeshp
I had a similar issue; here's my recommended approach:

1) Tell everyone (don't single him out) that by the request of a client,
you're doubling down on internal security and implementing a set of policies
and procedures (P&P) for minimizing risk (I personally used HITRUST as the P&P
standard).

2) Part of the P&P entails an audit by the designated Security Officer (in
this case, me), in which I personally oversaw the deletion of all production
data from every personal and non-personal machine. No one individual suspected
I was singling him/her out, as I was doing this across the board, but
admittedly, my intention was to go after one individual who had his hands on very
sensitive data.

3) Make him and every employee sign off on the P&P Handbook, in which there's
a clear clause that in case any personally identifiable data is on his/her
machine, he/she is fully liable for the implications of that data getting
leaked. Any such employee will be complicit in any criminal proceedings.

4) Fire him.

~~~
mocko
This assumes he doesn't backup his laptop. Beware that there may be other
copies of the data.

Also (assuming your soon-to-be-ex employee is smart) I doubt the threat of
criminal proceedings will have much effect. If multiple people have access to
the data you'd have difficulty proving which one of them leaked it.

~~~
phaus
If he's smart, he wouldn't even consider leaking any data he may have access
to.

~~~
imglorp
Right.

Because an individual defending himself against civil AND criminal proceedings
will get very expensive very fast. In addition, any competitor would be very
cautious about touching that data if the guy approaches them trying to sell
it, because see figure (1).

So the only avenue remaining is selling the PII to spammers and identity
thieves, which will still land him at figure (1) if they get caught and roll
over.

------
Someone1234
This is a "people problem" not a technology one.

Meaning even if they wipe the laptop right in front of you, that is
meaningless, since they could have backups, a copy on their home machine, and
so on. So really your goal here isn't about a single laptop, it is about
trying to get a former potentially disgruntled employee to do what you want
after they are terminated.

I'd argue a payoff is your only viable way. You put a bag of money in front of
them, and then have them sign a contract that they will destroy all company
data, and won't redistribute it, or they have to pay you XYZ.

Then just hope that the potential for getting sued for XYZ and the bag of
money will keep them in line long enough for the data not to be as key to your
business.

As others have suggested you could also "promote" them away from daily access
to that data and then terminate them further down the line when the data
expires. But that would likely be more costly in the medium to long term.

~~~
alexander996
"have them sign a contract that they will destroy all company data" :)

------
beat
You know those complicated policies that big enterprises have, the ones
startups love to mock? This is why they have them. :(

You have two classes of tools... carrot and stick. His stick is much bigger
than yours. He can destroy your company, you can sue him for it with whatever
you have left after the company is destroyed. So stick is a problem.

Carrots may work better... ongoing stock options, contingent on destruction of
the data, certified by an expert and an oath? Basically bribe him.

Yet another alternative - do you _have_ to fire him? Why? Maybe do a Peter
Principle thing, and "promote" him to a less responsible position, maybe
something where he has no reason to touch production data anymore? Or start a
new project, and put him in charge of it?

~~~
ocdtrekkie
Yeah, this is the sort of thing that scares me about putting trust in signing
up for a startup's service. Somewhere out there, there's a startup that has
millions of users' personal information stored on a
soon-to-be-disgruntled-former-employee's personal laptop.

That's terrifying.

~~~
noir_lord
I'm currently developing a side project that stores medical data, a big chunk
of the design work I've done so far is how to work on systems where you never
see production data (things like accurate faking of data, seeding correctly
etc).

Just yanking a copy of production to a local machine is ridiculously and
horrifically common at pretty much everywhere I've worked.

~~~
smt88
You don't have to fake data in order to analyze production data safely. It is
possible to anonymize personal information, although it often requires a
security expert to make sure you're doing it correctly.

~~~
beat
Anonymizing PII is actually incredibly difficult. The problem is that the same
things that create the valuable uniqueness you need to operate on the data are
the things that are most sensitive.

------
davelnewton
The bottom line is that you probably can't ensure it's deleted.

Consider this: I have at least two backup mechanisms I use regularly (Dropbox,
Time Machine) and I don't even think about them at this point. Even if you
watched him delete it, it's pretty likely that data already exists outside of
his laptop, if he's even reasonably diligent about his machine.

So you're left with a few options:

* Trust

If you're firing him for a good reason, and can validate that reason in _his_
mind, you can choose to trust that he won't be a douche

* Trust with seeds

Before firing make sure the data has something uniquely traceable to him. Data
that only his export gets; dummy users, dummy data, something steganographic
so if your trust is violated you can identify the breach source.

Your options are limited, AFAICT. Once data exists in the wild it's
essentially impossible to maintain any semblance of control. Your only real
hope is that he's honorable. Even in the worst of circumstances I'd never
breach trust in that way.

Especially when there are much more insidious, passive-aggressive,
entertaining ways to bring down a company.

~~~
ainiriand
The options are not limited to trust, enforcing an ISO 27001 in the company
obligates the worker to give the data. And this implies that you can trace the
flux of data, in and out, from the company. If the data ever leaks, you know
where it came from.

~~~
davelnewton
Except that (a) "obligating" someone to do something is useless, because it
doesn't mean they _will_, and (b) OP already stated data integrity wasn't
maintained.

~~~
ainiriand
You are right. It is a complex issue.

------
scrumper
In the firm I work for, we deal with much secret information and many paranoid
clients. Generally when someone is terminated we give them a severance
contingent on signature of a pretty ironclad non-disparagement letter and a
further reinforcement of existing NDA. You could extend this concept to this
situation, crafting a letter such that if he _does_ ever leak that data, his
liability is assured and his incentives are aligned with yours.

This is a time to spend a bit of money and speak to your external counsel.
They will have a good solution for you.

~~~
davelnewton
NDA and non-disparagement are radically different things; I have zero issues
with NDA, I'd take umbrage at not being able to say a place I used to work at
sucks.

~~~
helpfulanon
Eh, when they're dangling several months salary in front of you, signing a
non-disparagement is a pretty hard thing to pass up.

Regardless it's pretty juvenile and self-destructive behavior to go around
disparaging an employer for firing you to begin with. Getting a cash bonus for
the self-censorship a rational adult should be exhibiting anyhow, is not such
a bad thing

~~~
snark42
If you work in a terrible place but do your best and just don't fit in, you
should have a right to say what you didn't like about the place's culture, no?

It keeps you from posting honest glassdoor reviews (no cons/negatives and zero
faith glassdoor wouldn't release your info on discovery), telling friends what
it was like to work there, etc.

------
MaDeuce
The laptop is really a bit of a red herring. If the person is the sort that
would be inclined to retaliate against the company, they could have taken a
copy of the PII whether or not the laptop was in the picture.

You could offer them payment for signing a severance agreement. You would do
this in recognition of their significant contributions to date. The agreement
would reiterate that they are bound by their existing NDA, explicitly state
that they have fully deleted any company info/files that they may have had in
their possession, acknowledge that disclosure of any private company info
could have significant negative impact on the company, and could possibly
include non-disparagement wording.

------
dantillberg
(sarcasm, but true story, afaik:) You could do what I understand a former
employer of mine did: fire the employee, then call the state police and report
that the employee "stole" company property by not wiping source code from a
personal laptop as was demanded by the company at the time of firing. Police
confiscated laptop, and employee was forced to hire counsel to get it back.

I imagine it was effective at encouraging the employee to delete the data, but
at the great cost of advertising to all employees that we were all viewed as
dirt.

If there's a lesson to take from this, it's that when you're in a position of
power, you should use sticks carefully if at all. But I hope that many
(including the OP) already learned that lesson as a child.

(Thankfully, I was able to leave the company myself not long after.)

~~~
realusername
This seems a very risky option, if he has a copy of the data and you are
harassing him this way, there is a good chance the data is going to be
released somehow.

------
apalmblad
First of all, I'd suggest addressing the issue company wide. Before firing,
tell everyone PII outside of the office is unacceptable. Figure out a way you
want to deal with that that lets people keep working, whether it's working
through a VPN, anonymizing data, or what not. Address it as the privacy issue
it is, and ask all developers to acknowledge and agree to the policy change.
It might smell funny to some, but it's not an unreasonable policy.

After that, offer increased severance as other posters have suggested.

------
nullundefined
Why would they take the firing poorly? Why fire the person at all? If you
trusted them enough to work on critical data and systems they must have been
doing their job well.

If this person _wants_ to hurt you they will. There's nothing you can do to
prevent it. All the legal protection and fake policies are not going to
prevent this person from creating multiple copies of the data and releasing it
a year later.

Your best bet is to make the person happy enough to let the betrayal go. Such
as a huge severance package.

If the person is anything like me, they will have backups as well as
documentation and copies of all conversations that have ever taken place in
email, Slack etc.

If they want to hurt you they can and will and the data is probably not the
only way they can do that. At the end of the day don't fuck people over or
they will fuck you over.

Be as nice as you can and make sure you are justified in firing this person or
else they are going to fuck you.

------
mseebach
Have you confronted him about the fact that it's probably not a good idea that
he has this data on his personal laptop? How did the data end up there in the
first place? Why doesn't he have a work laptop?

How long have you known/how did you learn? Has it maybe been a "public secret"
for a while, and you tacitly accepted it? If so, you probably can't fire him
for it.

"Hey, dude, it struck me the other day that it's a pretty bad risk for the
company that you have that database on your personal laptop -- do me a favour,
pick out a top-of-the-line ThinkPad/MBP, expense it, and put the DB on an
encrypted volume -- and make sure you delete the DB from your laptop and any
backup you have. Thanks, man!"

------
firingpii
I should also note here that I know that the first mistake I made was allowing
this situation to happen in the first place. We have policies now, but we
didn't push this employee to adhere to them at the time he joined.

Help?

~~~
err4nt
I have never been in your position, and I don't envy the pickle you're in - but
I HAVE had customer data (possibly sanitized or partially sanitized, I never
peeked) at various times and I always viewed it more as a liability than
leverage!

If any of that data were ever to be released, it wouldn't be hard to point the
finger at the few people who had access (and especially motive). It would be
incredibly short-sighted of him to release anything.

This thread has some great advice, but in addition to that it sounded like he's
a friend to you? Perhaps soon after he is let go you can have a word with him
as a human instead of as a business and just say: "Look, thanks for your hard
work, I really appreciate what you've brought to the table. Be aware that
people here at the company will notice if you release or reuse anything you
worked on here so you might want to make any copies of work stuff you still
have disappear. I know it's not good timing but you're sitting on a timebomb and
I don't want it to blow up under you."

------
rahimnathwani
What do you hope to achieve by firing him? Admittedly storing PII on a
personal laptop is unacceptable in most places, but I'm curious:

(i) do you have a policy and associated training so that people know what they
should and shouldn't do,

(ii) was this employee ever required to use his personal laptop for company
work (e.g. pre-funding)?,

(iii) was there ever a time in your company's past when you and others would
have considered this situation to be OK, at least temporarily?

If he's doing things the way your company always did things, and hasn't been
informed that you need to apply a higher standard, then why move immediately
to firing him? Why not just ask him why he's storing the data that way, and
figure out together how he can do his job whilst accessing the data in a safe
way?

It's not clear whether you're trying to

(a) set an example for other employees to help ensure compliance with an
existing policy,

(b) ensure that this particular personal laptop does not become the cause of a
leak, or

(c) something else?

------
jason_slack
But, why doesn't this guy have a work laptop?

I have a work laptop my company provided. My wife has a work laptop her
company provided. Everyone in both of our companies has work laptops provided
by the employer.

Plus there are policies in place with this. We have agreements that all work
is done on the work laptop and nothing personal. We signed saying we agreed.
When we leave they take the laptop, in its entirety. It is also encrypted and
automatically backed up. They also know if we have plugged in ANY external
device like a flash drive and or external HD.

So not buying a work dedicated laptop for this guy, I think will cost you now
that you care about what he might do with it.

~~~
arrmn
Maybe the guy just wanted to use his personal laptop rather than set up a new
one, and it wasn't a decision from OP to save money.

~~~
NeutronBoy
If a company gives you a laptop to work on, and says that you can't put
company data on personal devices, then in no situation should the employee be
able to say 'I don't wanna'. Because that's how you end up in this exact
situation.

------
gvb
An imperfect solution might be to buy his laptop for enough money to allow him
to get a new laptop and the licensed software on the laptop that he purchased.
Doing this at the time of dismissal would make it more likely to regain
control of the data. [Edit add] Also, give him opportunity to copy _his_ data
off the hard drive. This would have to be supervised, obviously.

Addresses:

* A delete may not delete the PII because it could be in multiple places and deletes don't really delete unless you do a secure delete that truly overwrites the deleted data.

* Gives him a monetary incentive to cooperate.

Does not address:

* Any backups that he might have that are out of your control.

~~~
rdc12
Secure delete has become quite difficult to achieve, if it is on a SSD then
you may only be safe with an ATA command, but not all drives will even do that
right[1]. It is even hard to be sure that you have over-written every block
anyway, due to over-provisioning.

Filesystems can also make this quite difficult (and that is without
considering snapshots), most journalling and log-structured filesystems break
the old shred [2] program for instance.

[1]
[https://www.usenix.org/legacy/event/fast11/tech/full_papers/...](https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf)
[2] man shred

------
mobiuscog
Possibly don't post to HN.

~~~
bayonetz
Right? These anonymous advice posts always worry me for the OPs. Surely, the
third party(s) in question read HN too?

~~~
celticninja
I would say this is a fairly anonymous post, there is little if any identifying
information and given that this is HN there are probably loads of readers who
have this sort of info on their laptop.

~~~
sheepmullet
Yeah.... Until the OP starts following any of the advice in this thread!

------
ainiriand
This particular problem is quite common in this stage of your business. You
have to cover legally all the data that might be leaked from some other places
and when you are completely sure that there can't be any other source of
leakage, ask him politely for the return of that data to adhere to a higher
standard of information security. This has to be a very delicate request. I
have been both requested and requester, good luck dealing with this.

------
markvdb
Do the security p&p thing.

One other thing that I haven't heard yet that you could do is introduce
"identifying easter eggs" into the data if you can. Sorry, not sure what the
right word is, but it's a proven technique in certain high level negotiations.
You make it easy for this employee to obtain an ever so slightly modified
recent version of the data. The modifications are minimal, but allow you to
identify him as the source of the leak.

Document the easter eggs in a registered letter to yourself. Wait until fairly
sure the "custom" version of the data is on the employee's machine. Then sue if he
leaks.
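davelnewton's "trust with seeds" and markvdb's "identifying easter eggs" above describe the same defensive mechanism: give each copy of the data a few unique, plausible-looking dummy records so that a leaked sample can be traced back to the copy it came from. The following is an added illustration, not code from any poster; it assumes constructed sample rows, a hypothetical secret key, and derives each recipient's canaries from an HMAC so the only thing that needs to be kept safely (the equivalent of the registered letter) is that key.

```python
import hashlib
import hmac
import random

# Constructed sample "production" rows for the demo (not real data).
PRODUCTION = [
    {"id": 1, "name": "Ada Lovelace", "email": "ada@example.com"},
    {"id": 2, "name": "Alan Turing", "email": "alan@example.com"},
    {"id": 3, "name": "Grace Hopper", "email": "grace@example.com"},
]

# Hypothetical key; in practice generate it once and store it offline.
SECRET = b"example-canary-key-keep-this-offline"


def canary_rows(secret: bytes, recipient: str, count: int = 3) -> list:
    """Derive `count` dummy user rows unique to one recipient.

    The rows come from a PRNG seeded with HMAC(secret, recipient), so they
    can be regenerated later without a registry, and they look like ordinary
    users so that a leaker cannot simply strip an obvious "CANARY" marker.
    """
    seed = hmac.new(secret, recipient.encode(), hashlib.sha256).digest()
    rng = random.Random(seed)
    first = ["Mara", "Jonas", "Priya", "Theo", "Lina", "Omar"]
    last = ["Kessler", "Vidal", "Okafor", "Lindqvist", "Ferreira", "Nakamura"]
    rows = []
    for _ in range(count):
        fn, ln = rng.choice(first), rng.choice(last)
        tag = rng.randrange(1000, 99999)  # makes the address unique
        rows.append({
            "id": 900000 + rng.randrange(0, 99999),
            "name": f"{fn} {ln}",
            "email": f"{fn.lower()}.{ln.lower()}{tag}@example.net",
        })
    return rows


def seeded_export(secret: bytes, recipient: str, rows=PRODUCTION) -> list:
    """Return a copy of `rows` with the recipient's canaries interleaved.

    Insert positions are also derived from the recipient so the canaries are
    scattered through the export rather than appended at the end.
    """
    out = list(rows)
    pos_seed = hmac.new(secret, b"pos:" + recipient.encode(), hashlib.sha256).digest()
    rng = random.Random(pos_seed)
    for canary in canary_rows(secret, recipient):
        out.insert(rng.randrange(0, len(out) + 1), canary)
    return out


def identify_source(secret: bytes, leaked_rows: list, recipients: list) -> dict:
    """Map each recipient to how many of their canaries appear in the leak.

    Only recipients with at least one hit are returned; an empty dict means
    the sample contains no known canary (e.g. it is a partial dump that
    missed them), which is why several canaries per copy are worthwhile.
    Matching is on email alone because a leaker may drop or reorder columns
    but rarely rewrites every field of every row.
    """
    leaked_emails = {r.get("email") for r in leaked_rows}
    hits = {}
    for rcpt in recipients:
        n = sum(1 for c in canary_rows(secret, rcpt) if c["email"] in leaked_emails)
        if n:
            hits[rcpt] = n
    return hits
```

A dump that contains one of the seeded rows then points at a specific copy; a dump that contains none is simply inconclusive, not proof of innocence.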

------
joshka
Work on the 'take the firing well' part. Letting someone go despite whatever
issues are at hand should be a way to look for a win-win situation. A former
staff member that feels let down or mistreated will talk about your company in
negative terms, which for a company of 20 people is going to be a fairly
significant risk even with the PII.

An ideal situation is that you're getting rid of a B player that isn't a good
fit for your company's future. You want him to talk to A players he knows
positively and suggest that they would work well at your company despite it
not being right for him.

------
pm24601
In addition to all the other great advice here, look at things like source
code, contracts, customer lists, etc.

All the trade secret, confidential information.

If you have an auditor (CPA firms do this as part of a due diligence) that can
do a procedures and practices audit - that firm can act as the "bad guy" that
flags things that need to be addressed.

You know of one problem, there probably are others.

For example, bank account information? What is the wire transfer procedure?
Can someone break in to a computer, login to the company's bank account and
wire the money to Romania?

------
varjag
An improved severance package in exchange for NDA.

------
jlangemeier
Do you have "Bring Your Own Device" policies currently in place? Even though
the work on the computer started before the policies may have been in place,
you would be able to enforce a device wipe or clean-up with those procedures.
Your next best option would be an NDA, since legally you could pursue action
if they did use the system against you or for their own benefit. Technically,
ignorance of policy doesn't excuse actions; that excuse flies like a lead
balloon in court.

The other question might be, why are you letting go of a seasoned member of
your team? If there is someone their junior then why not them, or check with
the person you're looking at letting go and see if they'd be willing to take a
pay cut to stay part of the team (assuming it's payroll related and not
behavioural).

Lastly, if it's PII, the legal ramifications for the employee should be enough
of a deterrent that they wouldn't go about disclosing the information in a
manner that could be tied to them, and most people don't have and can't find
the connections to "sell" the data.

------
RDDavies
Has this been addressed directly with the employee? It hardly seems worth
firing someone over.

~~~
uptown
It doesn't sound like he's being fired because he has the data.

------
natch
You can only rely on his self interest. If he does something that harms the
company, he will be ruining his own reputation. Most rational people won't
want to do that.

If he's not a rational person, then it becomes a PR problem of how to handle
the aftermath.

------
giardini
If he violated company policy by moving PII to his laptop, then the company
may punish and/or prosecute him. But if there was no consistent policy then
one must be formulated and all employees brought to heel without
recriminations.

If he demonstrably violated company policy then the company nonetheless may be
responsible for his past and continuing actions. In this case I would also
hire a knowledgeable private investigator to help determine what he might have
done with the information.

If you are responsible for allowing the situation, or in allowing it to
continue, then you may, in the end, be terminated or required to resign.
Prepare yourself. Perhaps you should consult an attorney.

------
unstatusthequo
Get an employment lawyer involved so you don't get sued for the termination or
the exposure of PII. Answer is longer than appropriate to post here.

------
daemin
How about you offer to buy them a new work laptop so they don't need to
continue using their existing personal laptop for work.

Also do this for every other employee that is using a personal laptop for
work.

Make it a nice laptop too.

In the grand scheme of things this will cost less than losing the company.

------
foldr
It sounds like he's far more likely to delete the data if you simply ask him
to do so. Why do you need to fire him? By firing him you're just losing any
control over him that you may currently have.

------
Spooky23
Talk to counsel. In my state, you'd be obliged to report this as a data
breach.

------
CodeWriter23
If he took it home with him, you can't ensure the data is deleted. Could be on
an external drive at home.

------
ilaksh
If he was there from the beginning, is he actually a part-owner of the
business? Are you sure that you can legally fire him? Honestly does his
analytics work provide more benefit to the company than your work output? Are
you sure it wouldn't really be better for _you_ to resign?

------
krisdol
Generous severance.

------
Nihilartikel
Civilly?

------
jbob2000
Not the most honest route... but you could 'accidentally' damage it, buy him a
nicer one as a loaner, and send the damaged one to the shredder.

