Adding Data Security to Your Off-Boarding Checklist

Every time an employee leaves the company, whether willingly or unwillingly, HR has a checklist to complete. Not only are you responsible for coordinating their departure and replacement with their team, supervisor, and subordinates, but there is also an incredible amount of data management to do. This was one of your flock, one of the tens to thousands of employees your company has monitored, cared for, and paid on time for the duration of their employment.

Files on this employee are woven through every part of your HR software and data suite because they have been an integrated part of the employee system. But now that they are leaving, you are in charge of both extricating their files from your databases and making sure that the employee themselves does not walk away with proprietary information or authorization that could cause trouble in the future. Needless to say, in the age of data security, a few extra items need to be added to the standard offboarding checklist. Don’t be shy about working with IT to make this process quick and easy for each employee you say goodbye to.

Delete Authorized Logins

Employees who have been let go and those leaving under duress have been known to take actions that harm the company on their way out using still-authorized logins. From tweeting on the company account to opening the servers to malware and hackers, leaving ex-employees with authorized logins of any type is incredibly dangerous. Even non-disgruntled employees who have left may accidentally cause problems by logging back in for a final prank on their old team or simply leaving the door open for a hack later on.

When an employee is on their way out, talk to their manager, team, and your IT department to determine any authorizations they have and revoke them. Delete or deactivate any account or login this employee has had access to. This includes the company email, though you may offer to help employees transfer their professional accounts like LinkedIn to a new email before shutting their work email down.

Change Shared Passwords Known By Employees

In the digital half of modern workplaces, collaboration is the new way things work. Many employees will have knowledge of passwords that are shared by their entire team or department. Shared projects, platforms, and servers are all possibilities for a single login used by many people. Because there is a possibility that an ex-employee may try to log back into these shared resources and you cannot block them by managing their logins, a change in password will be necessary. Let whoever manages the shared assets know that the password needs to be changed and ask for a confirmation when these changes are complete.

Recover Company Devices

Many employers give their teams mobile devices and laptops that meet the company security, performance, and uniformity standards. Make sure to take back any company phones, laptops, or computers that the employee has been in personal possession of. These can and will contain proprietary company information and will likely be auto-logged in to a variety of company apps and online resources. If permissible, give them a chance to recover contacts and personal information stored on the device or offer to extract personal information after the devices are submitted and send it to them in an email or on an SD card.

Wipe Company Data and Apps from Personal Devices

Companies that don’t provide devices to their employees (and some that do) instead enact a BYOD or Bring Your Own Device policy in which company apps and information can be downloaded onto the phones and laptops that employees already have. If your company works like this, ideally you or IT will have done a security check on the devices before they were allowed to be included in work process. You will now need to do a second security check and remove any apps or data that contain proprietary information or provide access to company resources.

Don’t just delete apps the standard way, you will need to make sure that all company-related data is wiped from their devices including app metadata and anything stored in their phone’s filing system. Don’t be afraid to build a game plan with your IT department to do this process correctly.

Extricate Their Social Media Accounts

Personal and company social media accounts often become intertwined. Not only are marketing and community management employees authorized to log in and post from the company social media account, they may also have separate authorization to associate their personal social media accounts with the company online activities. Make sure to change the passwords and remove ex-employee accounts from any admin privileges on your company social media profiles. This story from 2013 highlights why you may want to do this before an employee’s departure is complete.

If you’re parting on good terms, balance the removal from the company social media by inviting them to join your online alumnus groups. This has been found to increase the instances where past employees ‘boomerang’ back with more experience and skills under their belt.

Archive Employee Files

Finally, when you have paid the last paycheck and performed the exit survey, it’s time to deactivate the ex-employee as one of your active flock. Check your regulations for information you should delete cleanly from the system. For everything else, archive the employee’s files and records for posterity and keep in mind that they may be back to roll-up their 401K. For security’s sake, you should also clearly note that the employee is not active in any system where they still represented. This will help you and your colleagues avoid scams in which the identity of an ex-employee might be used to scam the company.

Being a good HR professional is all about walking the fine line between regulations, safety, and being an understanding human being. With help from the IT department, you can keep your company safe from retaliation or scams in the future. With the right HR attitude, you can help employees understand that these precautions are necessary but not (usually) personal. If even one person out of thousands decides to hurt the company or even just if their phone carrying proprietary information gets hacked, everyone including them could be put at risk. Your thorough offboarding procedures are vital to employee safety and company data security.