I need to let someone go from my startup (20 people, millions of users, funding) who was here since the very beginning.
He's been using his personal laptop and has at least one copy of our production database on it that he uses for analytics and data mining.
He won't take the firing well (I think) and I worry that he might leak some of that information. It could be a company-killer.
How should I ensure the data is deleted and mitigate this risk?
1) Tell everyone (don't single him out) that by the request of a client, you're doubling down on internal security and implementing a set of policies and procedures (P&P) for minimizing risk (I personally used HITRUST as the P&P standard).
2) Part of the P&P entails an audit by the designated Security Officer (in this case, me), in which I personally oversaw the deletion of all production data from every personal and non-personal machine. No one individual suspected I was singling him/her out, as I was doing this across the board, but admittedly, my intention was to go after one individual who had his hands on very sensitive data.
3) Make him and every employee sign off on the P&P Handbook, in which there's a clear clause that in case any personally identifiable data is on his/her machine, he/she is fully liable for the implications of that data getting leaked. Any such employee will be complicit in any criminal proceedings.
4) Fire him.
Also (assuming your soon-to-be-ex employee is smart) I doubt the threat of criminal proceedings will have much effect. If multiple people have access to the data you'd have difficulty proving which one of them leaked it.
Because an individual defending himself against civil AND criminal proceedings will get very expensive very fast. In addition, any competitor would be very cautious about touching that data if the guy approaches them trying to sell it, because see figure (1).
So the only avenue remaining is selling the PII to spammers and identity thieves, which will still land him at figure (1) if they get caught and roll over.
What if the laptop got stolen? What if it is a node on a botnet?
this is a really good call and even if you don't take this approach, I'd definitely have HR initiate this.
You could just put a lawyer in the mix, and make the employee sign a document that ensures all PII has been destroyed at time of firing, with a little more severance for the indignity of it all and clear consequences for non-compliance. If they're not an idiot, they'll do it.
This could potentially make it so that the developer would effectively be leaking their own private data if they tried any shenanigans.
Meaning even if they wipe the laptop right in front of you, that is meaningless, since they could have backups, a copy on their home machine, and so on. So really your goal here isn't about a single laptop, it is about trying to get a former potentially disgruntled employee to do what you want after they are terminated.
I'd argue a payoff is your only viable way. You put a bag of money in front of them, and then have them sign a contract that they will destroy all company data, and won't redistribute it, or they have to pay you XYZ.
Then just hope that the potential for getting sued for XYZ and the bag of money will keep them in line long enough for the data not to be as key to your business.
As others have suggested you could also "promote" them away from daily access to that data and then terminate them further down the line when the data expires. But that would likely be more costly in the medium to long term.
You have two classes of tools... carrot and stick. His stick is much bigger than yours. He can destroy your company, you can sue him for it with whatever you have left after the company is destroyed. So stick is a problem.
Carrots may work better... ongoing stock options, contingent on destruction of the data, certified by an expert and an oath? Basically bribe him.
Yet another alternative - do you have to fire him? Why? Maybe do a Peter Principle thing, and "promote" him to a less responsible position, maybe something where he has no reason to touch production data anymore? Or start a new project, and put him in charge of it?
For example, I was working at a massive bank that was implementing an access control system for their servers that meant that admins didn't have direct access. You had to
- submit a change ticket that went through all the approvals.
- This triggered a workflow through a web interface that opened an RDP or text terminal session to the server, for the appropriate person (OS, application, database, etc)
- The RDP session was recorded to video, the text session was logged.
- Once you logged out the password on the server was auto-rotated.
- The text-session was indexed and searchable. The software coordinating all this was able to match server logs against the video RDP session so you could search through the video ("show me the SQL Server commands that admin ran")
- On a regular basis, the server state would be reconciled against all the logged tickets for that server and discrepancies investigated.
Note: this is different from being able to deploy new code; I am talking about messing with a box in a data center.
This was the result of a huge case of risk aversion and response to very loose but firm regulatory requirements.
I agree there's a middle-ground, but it's not "Employees can use their personal laptops".
My employer has an ITIL system in place, and that is the only way to touch prod.
It is not for everyone, I admit!
Just yanking a copy of production to a local machine is ridiculously and horrifically common at pretty much everywhere I've worked.
Spoke to a friend in local gov who put me in touch with the right people to deal with our equivalents, however, so I will be compliant. In addition, since users self-elect to insert their data, I've got my company's legal representative looking into it as well.
Medical data makes me nervous but this could help a lot of people, it's a product I'd have used immediately if it existed.
Consider this: I have at least two backup mechanisms I use regularly (Dropbox, Time Machine) and I don't even think about them at this point. Even if you watched him delete it, it's pretty likely that data already exists outside of his laptop, if he's even reasonably diligent about his machine.
So you're left with a few options:
If you're firing him for a good reason, and can validate that reason in his mind, you can choose to trust that he won't be a douche.
* Trust with seeds
Before firing make sure the data has something uniquely traceable to him. Data that only his export gets; dummy users, dummy data, something steganographic so if your trust is violated you can identify the breach source.
Your options are limited, AFAICT. Once data exists in the wild it's essentially impossible to maintain any semblance of control. Your only real hope is that he's honorable. Even in the worst of circumstances I'd never breach trust in that way.
Especially when there are much more insidious, passive-aggressive, entertaining ways to bring down a company.
This is a time to spend a bit of money and speak to your external counsel. They will have a good solution for you.
See here: http://www.washingtonexaminer.com/silenced-workers-who-lost-...
Regardless, it's pretty juvenile and self-destructive behavior to go around disparaging an employer for firing you to begin with. Getting a cash bonus for the self-censorship a rational adult should be exhibiting anyhow is not such a bad thing.
It keeps you from posting honest Glassdoor reviews (no cons/negatives, and zero faith Glassdoor wouldn't release your info on discovery), telling friends what it was like to work there, etc.
Onto your specific point, N-D is not unusual for senior employees with strong contacts in the company's target market (like e.g. sales & project management). They're not necessarily a sign that the company is doing anything shady, but they are a strong tool for preventing disgruntled former employees from saying bad things which might hurt a business. They're pretty aggressive, granted, but they serve a purpose. Most people's umbrage can be satisfied for a price.
Not unusual for junior employees either.
>they are a strong tool for preventing disgruntled former employees from saying bad things which might hurt a business.
It prevents you from saying entirely true things which might hurt a business that fully deserved it.
So, I wouldn't have a problem with a company not wanting to litigate false claims, but true claims being muzzled is another thing.
For instance, if I say, "I liked working at Company X but I think the CTO lacked leadership skills/vision," that's disparagement. It's subjective/opinion, but assume you have factual reasons you could use to back up how you formed that opinion.
For example, PA law:
* The statement is false;
* The publisher either intends the publication to cause financial loss or reasonably should recognize the publication would result in financial loss;
* Financial loss does in fact result; and
* The publisher either knows that the statement is false or acts in reckless disregard of its truth or falsity.
There is debate regarding the efficacy of non-disparagement clauses for a variety of reasons, but it's often tough to make them stick.
You could offer them payment for signing a severance agreement. You would do this in recognition of their significant contributions to date. The agreement would reiterate that they are bound by their existing NDA, explicitly state that they have fully deleted any company info/files that they may have had in their possession, acknowledge that disclosure of any private company info could have significant negative impact on the company, and could possibly include non-disparagement wording.
I imagine it was effective at encouraging the employee to delete the data, but at the great cost of advertising to all employees that we were all viewed as dirt.
If there's a lesson to take from this, it's that when you're in a position of power, you should use sticks carefully if at all. But I hope that many (including the OP) already learned that lesson as a child.
(Thankfully, I was able to leave the company myself not long after.)
After that, offer increased severance as other posters have suggested.
If this person _wants_ to hurt you they will. There's nothing you can do to prevent it. All the legal protection and fake policies are not going to prevent this person from creating multiple copies of the data and releasing it a year later.
Your best bet is to make the person happy enough to let the betrayal go. Such as a huge severance package.
If the person is anything like me, they will have backups as well as documentation and copies of all conversations that have ever taken place in email, Slack etc.
If they want to hurt you they can and will and the data is probably not the only way they can do that. At the end of the day don't fuck people over or they will fuck you over.
Be as nice as you can and make sure you are justified in firing this person or else they are going to fuck you.
How long have you known/how did you learn? Has it maybe been a "public secret" for a while, and you tacitly accepted it? If so, you probably can't fire him for it.
"Hey, dude, it struck me the other day that it's a pretty bad risk for the company that you have that database on your personal laptop -- do me a favour, pick out a top-of-the-line ThinkPad/MBP, expense it, and put the DB on an encrypted volume -- and make sure you delete the DB from your laptop and any backup you have. Thanks, man!"
If any of that data were ever to be released, it wouldn't be hard to point the finger at the few people who had access (and especially motive). It would be incredibly short-sighted of him to release anything.
This thread has some great advice, but in addition to that it sounded like he's a friend to you? Perhaps soon after he is let go you can have a word with him as a human instead of as a business and just say: "Look, thanks for your hard work, I really appreciate what you've brought to the table. Be aware that people here at the company will notice if you release or reuse anything you worked on here, so you might want to make any copies of work stuff you still have disappear. I know it's not good timing, but you're sitting on a timebomb and I don't want it to blow up under you."
(i) do you have a policy and associated training so that people know what they should and shouldn't do,
(ii) was this employee ever required to use his personal laptop for company work (e.g. pre-funding)?,
(iii) was there ever a time in your company's past when you and others would have considered this situation to be OK, at least temporarily?
If he's doing things the way your company always did things, and hasn't been informed that you need to apply a higher standard, then why move immediately to firing him? Why not just ask him why he's storing the data that way, and figure out together how he can do his job whilst accessing the data in a safe way?
It's not clear whether you're trying to
(a) set an example for other employees to help ensure compliance with an existing policy,
(b) ensure that this particular personal laptop does not become the cause of a leak, or
(c) something else?
I have a work laptop my company provided. My wife has a work laptop her company provided. Everyone in both of our companies have work laptops provided by the employer.
Plus there are policies in place with this. We have agreements that all work is done on the work laptop and nothing personal. We signed saying we agreed. When we leave they take the laptop, in its entirety. It is also encrypted and automatically backed up. They also know if we have plugged in ANY external device like a flash drive and or external HD.
So not buying a work dedicated laptop for this guy, I think will cost you now that you care about what he might do with it.
* A delete may not delete the PII because it could be in multiple places and deletes don't really delete unless you do a secure delete that truly overwrites the deleted data.
* Gives him a monetary incentive to cooperate.
Does not address:
* Any backups that he might have that are out of your control.
Filesystems can also make this quite difficult (and that is without considering snapshots); most journalling and log-structured filesystems break the old shred program, for instance.
man shred
One other thing that I haven't heard yet is that you could introduce "identifying easter eggs" into the data if you can. Sorry, not sure what the right word is, but it's a proven technique in certain high level negotiations. You make it easy for this employee to obtain an ever so slightly modified recent version of the data. The modifications are minimal, but allow you to identify him as the source of the leak.
Document the easter eggs in a registered letter to yourself. Wait until fairly sure the "custom" version of the data is on employee's machine. Then sue if he leaks.
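The "trust with seeds" suggestion earlier in the thread and the "identifying easter eggs" idea above are the same technique: each copy of the data that leaves the production system carries a few dummy records that only that copy has, so a later leak can be traced to the export it came from. The script below is an added illustration written for this thread, not code from any poster. It assumes a hypothetical user table (the constructed SAMPLE_USERS rows), a placeholder EXPORT_SECRET held only by whoever signs off on exports, and that canary users are given addresses under the reserved example.net domain so they can never collide with a real customer. Canary records are derived with an HMAC over the recipient's name, so nothing but the secret has to be kept to regenerate them later, which is the registered-letter step in the post above done with a key instead of a letter.

```python
import hashlib
import hmac
import random

# Constructed sample of a "production" user table; not real data.
SAMPLE_USERS = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.com", "plan": "pro"},
    {"id": 2, "name": "Ben Example", "email": "ben@example.com", "plan": "free"},
    {"id": 3, "name": "Cy Example", "email": "cy@example.com", "plan": "pro"},
]

# Placeholder: in practice a random secret kept by the security officer and
# never shipped with any export. Whoever holds it can regenerate every canary.
EXPORT_SECRET = b"replace-with-a-random-32-byte-secret"


def _token(secret: bytes, recipient: str, i: int) -> str:
    """Short HMAC-derived tag that is unique per (recipient, index)."""
    msg = f"{recipient}:{i}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def make_canaries(secret: bytes, recipient: str, n: int = 3) -> list:
    """Deterministic dummy users that exist only in this recipient's export."""
    canaries = []
    for i in range(n):
        t = _token(secret, recipient, i)
        canaries.append({
            # High id range reserved for canaries so they never clash with real rows.
            "id": 900000 + int(t[:6], 16) % 100000,
            "name": f"User {t[:6]}",
            # example.net is reserved (RFC 2606): this can never be a real customer.
            "email": f"{t}@example.net",
            "plan": "free",
        })
    return canaries


def seed_export(records: list, secret: bytes, recipient: str) -> list:
    """Return a copy of records with the recipient's canaries mixed in.

    Insert positions are derived from the same secret, so the dummies are
    scattered through the file rather than sitting conspicuously at the end.
    """
    seeded = list(records)
    rng = random.Random(_token(secret, recipient, -1))
    for canary in make_canaries(secret, recipient):
        seeded.insert(rng.randint(0, len(seeded)), canary)
    return seeded


def identify_source(leaked_records: list, secret: bytes, recipients: list, n: int = 3):
    """Score each known recipient by how many of their canary emails appear in
    a leaked sample. Returns (best_recipient, hits), or (None, 0) if no canary
    from any export is present (e.g. the leak came from production directly)."""
    leaked_emails = {r.get("email") for r in leaked_records}
    best, best_hits = None, 0
    for rcpt in recipients:
        hits = sum(1 for c in make_canaries(secret, rcpt, n) if c["email"] in leaked_emails)
        if hits > best_hits:
            best, best_hits = rcpt, hits
    return best, best_hits


if __name__ == "__main__":
    export_a = seed_export(SAMPLE_USERS, EXPORT_SECRET, "analyst-a")
    export_b = seed_export(SAMPLE_USERS, EXPORT_SECRET, "analyst-b")
    # Pretend a partial copy of analyst-a's export turned up somewhere it shouldn't.
    leaked = [r for r in export_a if r["plan"] == "free"]
    print(identify_source(leaked, EXPORT_SECRET, ["analyst-a", "analyst-b"]))
```

The limitation the thread already hints at applies: canaries only identify the copy that leaked, not the person, and they are useless if the holder strips rows with unfamiliar ids or reserved domains before passing the data on. For that reason the records should look like ordinary rows to anyone without the secret, and several should be spread across the file so that a partial leak still carries at least one.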
An ideal situation is that you're getting rid of a B player that isn't a good fit for your company's future. You want him to talk to A players he knows positively and suggest that they would work well at your company despite it not being right for him.
All the trade secret, confidential information.
If you have an auditor (CPA firms do this as part of a due diligence) that can do a procedures and practices audit - that firm can act as the "bad guy" that flags things that need to be addressed.
You know of one problem, there probably are others.
For example, bank account information? What is the wire transfer procedure? Can someone break in to a computer, login to the company's bank account and wire the money to Romania?
The other question might be, why are you letting go of a seasoned member of your team? If there is someone their junior then why not them, or check with the person you're looking at letting go and see if they'd be willing to take a pay cut to stay part of the team (assuming it's payroll related and not behavioural).
Lastly, if it's PII, the legal ramifications for the employee should be enough of a deterrent that they wouldn't go about disclosing the information in a manner that could be tied to them, and most people don't have and can't find the connections to "sell" the data.
If he's not a rational person, then it becomes a PR problem of how to handle the aftermath.
If he demonstrably violated company policy then the company nonetheless may be responsible for his past and continuing actions. In this case I would also hire a knowledgeable private investigator to help determine what he might have done with the information.
If you are responsible for allowing the situation, or in allowing it to continue, then you may, in the end, be terminated or required to resign. Prepare yourself. Perhaps you should consult an attorney.
Also do this for every other employee that is using a personal laptop for work.
Make it a nice laptop too.
In the grand scheme of things this will cost less than losing the company.
And as long as he's running the production database out of Box, which is probably not exactly a recommended mode of operation for either Box or the database.
But otherwise, yeah.