What To Do With A Departing Employee’s Computer?

November 15, 2008

Computing resources are hardly like paper clips for most small and medium businesses. When an employee leaves, most businesses want to put those valuable resources back to work as quickly as possible.

But simply turning over those devices – whether desktop, laptop, PDA, etc. – to another employee could have disastrous results. The media may contain saved passwords or sensitive information that the new user should not be able to access.

One possible preventative measure involves wiping the device’s hard drive clean before re-issuing the device. But doing so may destroy electronically stored information required by law to be preserved. Even if none of the data on a wiped hard drive is subject to legal retention requirements, if a former employee later institutes legal action against the business, electronic data which may have helped the business defend itself may have been lost forever.

Some experts advise installing a new hard drive and preserving the old one. A downside to that approach, however, is the likelihood of retaining information long past the time your data retention policy (you do have one of those, right?) would otherwise permit its deletion. Potentially making the matters even worse is that, in the event of future litigation, searching dozens or possibly hundreds of preserved hard drives could significantly inflate the cost of data review and production.

Here are a few considerations regarding departing employees and their company-issued computing devices:

(1) Never re-issue digital media without effectively purging sensitive data.

(2) Have procedures in place to identify data subject to retention (pending or anticipated litigation, regulatory compliance, etc.) when an employee leaves.

(3) Determine whether circumstances surrounding the former employee’s tenure or departure warrant preservation of data, and if so, preserve that data in a forensically-sound manner.

It’s very unlikely any departing employee’s data is either all properly deleted or all properly retained. Developing and implementing procedures to determine what to keep and what to delete will go a long way toward saving your business some big headaches.