Ask HN: How do I fire someone who has sensitive data on their personal laptop?
I'm in a bit of pickle.
I need to let someone go from my startup (20 people, millions of users, funding) who was here since the very beginning.
He's been using his personal laptop and has at least one copy of our production database on it that he uses for analytics and data mining.
He won't take the firing well (I think) and I worry that he might leak some of that information. It could be company-killer.
How should I ensure the data is deleted and mitigate this risk?
103 comments
[ 3.4 ms ] story [ 163 ms ] threadHelp?
If any of that data were ever to be released, it wouldnt be hard to point the finger at the few people who had access (and especially motive). It would be incredibly short-sighted of him to release anything.
This thread has some great advice, but in addition to that it sounded like hes a friend to you? Perhaps soon after he is let go you can have a word with him as a human instead of as a business and just say: "Look, thanks for your hard work, I really appreciate what you've brought to the table. Be aware that people here at the company will notice if you release or reuse anything you worked on here so you might want to make any copies of work stuff you still have disappear. I know its not good timing but youre sitting in a timebomb and I dont want it to blow up under you"
Help?
The other question might be, why are you letting go of a seasoned member of your team? If there is someone their junior then why not them, or check with the person you're looking at letting go and see if they'd be willing to take a pay cut to stay part of the team (assuming it's payroll related and not behavioural).
Lastly, if it's PII, the legal ramifications for the employee should be enough of a deterrent that they wouldn't go about disclosing the information in a manner that could be tied to them, and most people don't have and can't find the connections to "sell" the data.
Consider this: I have at least two backup mechanisms I use regularly (Dropbox, Time Machine) and I don't even think about them at this point. Even if you watched him delete it, it's pretty likely that data already exists outside of his laptop, if he's even reasonably diligent about his machine.
So you're left with a few options:
* Trust
If you're firing him for a good reason, and can validate that reason in his mind, you can choose to trust that he won't be a douche
* Trust with seeds
Before firing make sure the data has something uniquely traceable to him. Data that only his export gets; dummy users, dummy data, something steganographic so if your trust is violated you can identify the breach source.
Your options are limited, AFAICT. Once data exists in the wild it's essentially impossible to maintain any semblance of control. Your only real hope is that he's honorable. Even in the worst of circumstances I'd never breach trust in that way.
Especially when there are much more insidious, passive-aggressive, entertaining ways to bring down a company.
If he's not a rational person, then it becomes a PR problem of how to handle the aftermath.
You have two classes of tools... carrot and stick. His stick is much bigger than yours. He can destroy your company, you can sue him for it with whatever you have left after the company is destroyed. So stick is a problem.
Carrots may work better... ongoing stock options, contingent on destruction of the data, certified by an expert and an oath? Basically bribe him.
Yet another alternative - do you have to fire him? Why? Maybe do a Peter Principle thing, and "promote" him to a less responsible position, maybe something where he has no reason to touch production data anymore? Or start a new project, and put him in charge of it?
That's terrifying.
Just yanking a copy of production to a local machine is ridiculously and horrifically common at pretty much everywhere I've worked.
Spoke to a friend in local gov who put me in touch with the right people to deal with our equivalents however so I will be compliant, in addition since users self-elect to insert their data I've got my company's legal representative looking into it as well.
Medical data makes me nervous but this could help a lot of people, it's a product I'd have used immediately if it existed.
For example, I was working at a massive bank that was implementing an access control system for their servers that meant that admin's didn't have direct access. You had to
- submit a change ticket that went through all the approvals.
- This triggered a workflow through a web interface that opened an RDP or text terminal session to the server, for the appropriate person (OS, application, database, etc)
- The RDP session was recorded to video, the text session was logged.
- Once you logged out the password on the server was auto-rotated.
- The text-session was indexed and searchable. The software coordinating all this was able to match server logs against the video RDP session so you could search through the video ("show me the SQL Server commands that admin ran")
- On a regular basis, the server state would be reconciled against all the logged tickets for that server and discrepancies investigated.
This was the result of a huge case of risk aversion and response to very loose but firm regulatory requirements.
I agree there's a middle-ground, but it's not "Employees can use their personal laptops".
Note: this is different than being able to deploy new code, I am talking about messing with a box in a data center
My employer has an ITIL system on place, and that is the only way to touch prod. It is not for everyone, I admit!
Addresses:
* A delete may not delete the PII because it could be in multiple places and deletes don't really delete unless you do a secure delete that truly overwrites the deleted data.
* Gives him a monetary incentive to cooperate.
Does not address:
* Any backups that he might have that are out of your control.
Filesystems can also make this quite difficult (and that is without considering snaphots), most journalling and log-structured filesystems break the old shred [2] program for instance.
[1] https://www.usenix.org/legacy/event/fast11/tech/full_papers/... [2] man shred
Meaning even if they wipe the laptop right in front of you, that is meaningless, since they could have backups, a copy on their home machine, and so on. So really your goal here isn't about a single laptop, it is about trying to get a former potentially disgruntled employee to do what you want after they are terminated.
I'd argue a payoff is your only viable way. You put a bag of money in front of them, and then have them sign a contract that they will destroy all company data, and won't redistribute it, or they have to pay you XYZ.
Then just hope that the potential for getting sued for XYZ and the bag of money will keep them in line long enough for the data not to be as key to your business.
As others have suggested you could also "promote" them away from daily access to that data and then terminate them further down the line when the data expires. But that would likely be more costly in the medium to long term.
1) Tell everyone (don't single him out) that by the request of a client, you're double-downing on internal security and implementing a set of policies and procedures (P&P) for minimizing risk (I personally used HITRUST as the P&P standard).
2) Part of the P&P entails an audit by the designated Security Officer (in this case, me), in which I personally oversaw the deletion of all production data from every personal and non-personal machine. No one individual suspected I was singling him/her out, as I was doing this across the board, but admittedly, my intention was to go of one individual who had his hands on very sensitive data.
3) Make him and every employee sign-off on the P&P Handbook, in which there's a clear clause that in case any personally identifiable data is on his/her machine, he/she is fully liable for the implications of that data getting leaked. Any such employee will be complicit in any criminal proceedings.
4) Fire him.
what if the laptop got stolen? what if it is a node on a botnet?
this is a really good call and even if you don't take this approach, I'd definitely have HR initiate this.
Also (assuming your soon-to-be-ex employee is smart) I doubt the threat of criminal proceedings will have much effect. If multiple people have access to the data you'd have difficulty proving which one of them leaked it.
Because an individual defending himself against civil AND criminal proceedings will get very expensive very fast. In addition, any competitor would be very cautious about touching that data if the guy approaches them trying to sell it, because see figure (1).
So the only avenue remaining is selling the PII to spammers and identity thieves, which will still land him at figure (1) if they get caught and roll over.
3) Make him and every employee sign-off on the P&P Handbook, in which there's a clear clause that in case any personally identifiable data is on his/her machine, he/she is fully liable for the implications of that data getting leaked. Any such employee will be complicit in any criminal proceedings.
You could just put a lawyer in the mix, and make the employee sign a document that ensures all PII has been destroyed at time of firing, with a little more severance for the indignity of it all and clear consequences for non-compliance. If they're not an idiot, they'll do it
This could potentially make it so that the developer would effectively be leaking their own private data if they tried any shenanigans.
I imagine it was effective at encouraging the employee to delete the data, but at the great cost of advertising to all employees that we were all viewed as dirt.
If there's a lesson to take from this, it's that when you're in a position of power, you should use sticks carefully if at all. But I hope that many (including the OP) already learned that lesson as a child.
(Thankfully, I was able to leave the company myself not long after.)
You could offer them payment for signing a severance agreement. You would do this in recognition of their significant contributions to date. The agreement would reiterate that they are bound by their existing NDA, explicitly state that they have fully deleted any company info/files that they may have had in their possession, acknowledge that disclosure of any private company info could have significant negative impact on the company, and could possibly include non-disparagement wording.
This is a time to spend a bit of money and speak to your external counsel. They will have a good solution for you.
See here: http://www.washingtonexaminer.com/silenced-workers-who-lost-...
Onto your specific point, N-D is not unusual for senior employees with strong contacts in the company's target market (like e.g. sales & project management). They're not necessarily a sign that the company is doing anything shady, but they are a strong tool for preventing disgruntled former employees from saying bad things which might hurt a business. They're pretty aggressive, granted, but they serve a purpose. Most people's umbrage can be satisfied for a price.
Not unusual for junior employees either.
>they are a strong tool for preventing disgruntled former employees from saying bad things which might hurt a business.
It prevents you from saying entirely true things which might hurt a business that fully deserved it.
So, I wouldnt have a problem with a company not wanted to litigate false claims, but true claims being muzzled is another thing.
For instance if I say, "I liked working at Company X but I think the CTO lacked leadership skills/vision" that's disparagement. It subjective/opinion, but assume you have factual reasons you could use to back-up how you formed that opinion.
For example, PA law:
* The statement is false;
* The publisher either intends the publication to cause financial loss or reasonably should recognize the publication would result in financial loss;
* Financial loss does in fact result; and
* The publisher either knows that the statement is false or acts in reckless disregard of its truth or falsity.
There is debate regarding the efficacy of non-disparagement clauses for a variety of reasons, but it's often tough to make them stick.
Regardless it's pretty juvenile and self-destructive behavior to go around disparaging an employer for firing you to begin with. Getting a cash bonus for the self-censorship a rational adult should be exhibiting anyhow, is not such a bad thing
It keeps you from posting honest glassdoor reviews (no cons/negatives and zero faith glassdoor wouldn't release your info on discovery), telling friends what it was like to work there, etc.
After that, offer increased severance as other posters have suggested.
And as long as he's running the production database out of Box, which is probably not exactly a recommended mode of operation for either Box or the database.
But otherwise, yeah.
One other thing that I haven't hear yet is that you could do is introduce "identifying easter eggs" into the data if you can. Sorry, not sure what the right word is, but it's a proven technique in certain high level negotiations. You make it easy for this employee to obtain an ever so slightly modified recent version of the data. The modifications are minimal, but allow to identify him as the source of the leak.
Document the easter eggs in a registered letter to yourself. Wait until fairly sure the "custom" version of the data is on employee's machine. Then sue if he leaks.