Learn how to keep you and your organization safe from legal or security issues when maintaining remote workforces.
Employee-exit strategies can be challenging even in the most ideal circumstances. COVID-19 introduced additional complexities that legal, financial, and data protection experts adapted to – from how a layoff might impact PPP loan forgiveness, to internal and external data threats, to legal and practical considerations when managing remote employees.
On October 6, 2020, Pathway Forensics’ Noel Kersh, Managing Principal, and Mike Trpkosh, Director of Cybersecurity, joined Briggs & Veselka colleague Kevin Stewart, Advisory Principal and Client Accounting Services Practice Lead, and RMWBH Law experts for an in-depth webinar on employee-exit best practices.
Note: The information contained in this video and transcription is not legal advice, but rather general information for educational purposes, and will not establish an attorney-client relationship. Please consult with an attorney of your choosing before entering into any contract.
- Seniority is by far the best metric to use when doing layoffs or reductions in workforce because it’s really cut and dry and generally avoids discrimination claims – e.g., race, religion, sex, national origin, disability, age, etc. Using the seniority metric means you tend to keep older employees, so the more recent employees end up getting laid off first.
- When using performance as a layoff metric, remember that a lot of people like to be very complimentary and non-confrontational during annual performance reviews. Consider whether these evaluations are accurate, or whether you should use a special kind of rating system or special criteria, such as whether the employee can do multiple kinds of jobs or has skills that translate to roles that would have to be filled post-layoff.
- The intent of the Payroll Protection Plan (PPP) Loan was to keep people employed during the COVID-19 pandemic. To ensure businesses are using the money the way it’s intended, there are strings attached to the loan: if you don’t spend correctly, if you don’t maintain employment at certain levels, and if you don’t maintain pay at certain levels, then the SBA and the government will reduce the amount of that loan that could potentially be forgiven.
- There are exceptions and safe harbors, but all of it comes down to math and timing. If you document that an employee left the company of their own accord or if an employee was let go due to justifiable cause, you can include those in your calculations. And be sure to consider the timing of your loan forgiveness application in case you’re able to rehire your furloughed employees before the application is submitted.
- Digital forensics is a discipline that’s dedicated to the collection of digital evidence for judicial purposes, and there are rules of evidence that are required by courts to be followed in order for evidence to be admitted into court. It can help with matters such as computer use violations, harassment/discrimination, internal data breaches, and preservation of evidence.
- IT departments are really good at what they do, but they’re not digital forensic examiners. An IT person is not necessarily a computer forensics expert. That’s like assuming an X-ray technician could perform brain surgery. Yes, they’re in the same field, but they have very different training and experience. So, just make sure that you’re using a digital forensics expert to do digital forensics jobs and not using an IT person to do those jobs.
- Employee-exit strategies begin the first day of employment and end after the exit interview. Not all employees are disgruntled and want to cause harm, but you should have standard policies and procedures to ensure your company is protected in all situations.
- Identity and access management (IAM) is an overarching program that gives you a hierarchical view of all the access an employee has. It generally provides a one-stop disconnect: you can shut off all of their active access in one place, then go back slowly, remove access, and ensure that there’s no continued access to large or small systems. That’s especially prevalent with single sign-on.
- An employee handbook can address confidentiality breach issues before they even arise, so you can try to prevent anything from a very angry client or customer to an outright lawsuit.
- Disclosing NDAs can be a tricky situation and must be done carefully in order to try to avoid litigation. If an NDA is in place for an exiting employee – or if you are the exiting employee – seek counsel to ensure you disclose your NDA according to best practices seen by the courts.
[Hope Everett] Good afternoon and welcome to our Employee-Exit Best Practices: The Legal and Technical Sides of Employee Exits During the COVID-19 Pandemic. Today’s presentation is being co-presented by RMWBH Law, Briggs & Veselka Co., and Pathway Forensics. More information about each company will be provided to you in the slide packet, which will be emailed after today’s webinar.
My name is Hope Everett and I am Senior Counsel at RMWBH Law and I work in the Litigation Section. I’ll be serving as your moderator today. A couple of housekeeping items before we begin. If you have a question during today’s presentation, please submit your question in the Q&A box. We’ll try to get to as many questions as possible after each speaker, well, at the end, after all the speakers. Today’s presentation will count as one hour of CPE credit that is for CPAs. To ensure you receive your credit, a few poll questions will appear randomly during today’s presentation. Please submit a response to each of those poll questions.
Joining me today are Justin Markel from RMWBH Law, Kevin Stewart from Briggs & Veselka, Noel Kersh from Pathway Forensics, Mike Trpkosh from Pathway Forensics, and Greg Godkin from RMWBH Law. I will further introduce our speakers before their section of today’s webinar.
We’ll begin today with Justin Markel discussing considerations for employees. Justin is an equity shareholder in the Houston office of RMWBH Law and the Corporate Section of the practice. He’s board certified by the Texas Board of Legal Specialization in Labor and Employment Law. Justin advises and counsels employers regarding various employment law issues. Among other things, Justin assists employers in crafting employment policies and contracts and also counsels employers regarding issues related to the hiring, pay, discipline, and termination of employees.
[Justin Markel] Thanks, Hope. My name is Justin Markel and thanks for joining us today. I’m going to be going over basic legal considerations when laying off employees or deciding to do a layoff or reduction in force.
So, first we’ll consider some pre-layoff considerations. We’ll talk about some considerations to avoid discrimination and retaliation claims, and then we’ll talk about some kind of miscellaneous issues.
So, first, before instituting a layoff, what should employers consider? Well, first is do you even need to do a layoff in the first place? Would a hiring freeze or promotion or transfer freeze help reduce costs? Would a furlough help reduce costs without having to go through a layoff or would temporarily reducing hours or pay do that as well?
If you’re considering reducing employees’ pay commensurate with the hours that an employee is going to work, just be careful about messing with that when it comes to exempt employees. For employees under a white-collar exemption, you need to be able to pay on a salary basis, and generally what that means is that the employee’s pay can’t be tied to the amount of work the employee produces or the number of hours that the employee works. So, if you fluctuate it back and forth, the employee might lose their exemption.
Besides those pre-layoff considerations, it’s useful to consider certain things in order to avoid potential discrimination claims and retaliation claims. In avoiding discrimination claims, really, documentation is key. You should have documentation as to what kind of criteria you’re using in layoffs, how you’re making those decisions, whether they’re reviewed by anyone, and then even after going through that selection process, whether that selection process or the criteria you’re using might create a disparate impact, and if so, what you would do about that – whether you maybe alter the selection criteria or take other measures to avoid a potential disparate impact claim. I mean, for those that don’t know on the call, disparate impact claims are basically claims by employees that although a termination decision might be based on legitimate reasons or business reasons, a disparate impact claim asserts that regardless of those neutral reasons, the decision or layoff process selection criteria has adversely impacted a particular protected class – whether that’s based on race, religion, sex, national origin, disability, age, and those kinds of things.
So, what kind of criteria can you use or should you use? Seniority is by far the best because it’s really cut and dry and it generally avoids these kinds of discrimination claims, especially because you tend to keep older employees, so the more recent employees end up getting laid off first. But if you’re not going on a seniority basis, there are other neutral criteria that have been approved by the courts, and they’re listed here.
When considering performance, I would just note a lot of people when they do performance reviews every year, they just like to be very complimentary and non-confrontational. So, if you’re going to use performance as a metric and doing a layoff, then I’d consider are these evaluations really accurate in the first place or should you use a special kind of rating system or special criteria, like can this employee do multiple kinds of jobs, do they have skills that translate to jobs that would have to be filled or roles that would have to be filled post-layoff, and that kind of thing.
I’d also note that if you’re looking at compensation levels as a metric or consideration for a layoff, I would just be very careful. Those kinds of considerations can backfire on an employer. They might result in an age discrimination claim because in certain companies, older employees might be on the higher end of the compensation scale.
In addition to avoiding discrimination claims, it’s important to avoid retaliation claims as well. So, when going through layoff criteria and seeing who ends up on the selection list based on those criteria, it’s important to note has anybody on that list taken any protected activity recently. That could be opposing a discriminatory practice, complaining about harassment or discrimination. It could be requesting leave under the FMLA, it could be requesting an accommodation because of a disability or because of religion. It could be somebody who’s also taken military leave; that’s also considered protected.
In addition to avoiding discrimination and retaliation claims, it’s also important to look at some other things like does the employee have an employment contract. That contract – if it exists – executive employment contracts might hinder your ability to do a layoff or at least if that person is within the selection list for a layoff, it might result in a company obligation to pay severance.
Something else noted on this slide: an independent review committee might help to avoid discrimination and retaliation claims. This kind of committee would take people from different departments and they really just act as a backup to review decisions for legitimacy after the lower-level managers make preliminary layoff selections.
And then finally, consider severance packages. Severance packages – severance agreements – are very useful in layoffs, particularly because if they’re signed, they provide the company a release of claims. And so, you get finality, and you know that once the agreement is signed and returned back and severance pay is given that you don’t have to worry about a potential claim in the future.
Finally, I just note that for employers with over 100 employees, if you’re going to engage in a reduction in force or a layoff, you have to look at whether the WARN Act would apply. Now, that WARN Act is a statute that requires 60 days’ notice of certain kinds of reductions in force. Those are legal terms in plant closing and mass layoffs. Those kinds of reductions in force or those defined terms are very technical and it’s a little bit more detailed than what I can go into today. But just generally speaking, it involves an employment loss of over 50 employees at a single site of employment. And there’s aggregation rules as to whether multiple rounds of layoffs can be considered one. For the purpose of the WARN statute, you generally have a 90-day window that you need to look at to be able to see whether that advance notice is required.
So, hopefully with that you have a better idea as to what kind of legal considerations to consider to avoid discrimination claims, retaliation claims, and other things to consider when thinking about layoffs.
I’ll pass it over to Hope.
[Hope] Thanks, Justin.
Next is Kevin Stewart. Kevin is an Advisory Principal and Client Accounting Services Practice Lead at Briggs & Veselka. Kevin has been with Briggs & Veselka since 2007. Kevin brings 20+ years of experience turning around and building accounting and finance teams to remediate failures, stabilize the now, and create environments to support growth in a wide range of industries. Kevin is a member of Briggs & Veselka’s SBA PPP Task Force.
Today, Kevin will be speaking on the issues of PPP loans and forgiveness with employee exits.
[Kevin Stewart] Thank you, Hope.
Being at Briggs & Veselka, and just to provide a little bit of background about our firm, we are the largest independent firm headquartered in Houston, Texas. We have approximately 350 professionals between Houston, Austin, The Woodlands, and a couple of smaller locations across Texas.
A few months ago – or I guess five or six months ago – the SBA came out with the CARES Act, and we’ve been pretty heavily involved from the very beginning just trying to get an understanding: how does it impact us, how does it impact clients, and also just the local community of business. So, I’ve performed a lot of webcasts, done a lot of deep dives, and I sometimes have questions – why are we actually doing this, how is it benefiting us, but I think really the truth is we’re doing this to provide good will back to the community and to help our friends in the community within the business perspective.
I think I’ve got about nine slides here, but I won’t be speaking too much directly to them because there’s a fair amount of information on here.
If we think back to the PPP, the intent of that was really to keep people employed, and the way to do that was through this loan – the Payroll Protection Plan Loan – by which to get the funds from the US Government, this grant, this help, this whatever else. And it went through the banks to facilitate an ease of transferring those funds to it.
What came with that was this loan process. The intent was to get funds to employees to keep employment because there’s a lot of concern overall that there are going to be these layoffs, there’s going to be a reduction in business, and there has been some of that. I don’t think any of us really knew what to expect back on March 18th, 19th, whenever that time frame was when all of this kind of really started impacting Houston for the most part.
By getting those funds to business and not for those businesses to just pocket these funds for themselves, there are these thresholds to help protect employees and protect that this money is actually being used for what it’s supposed to. With those strings attached to the loan, there are impacts saying if you don’t spend, if you don’t maintain employment at certain levels, and if you don’t maintain pay at certain levels, then we’re going to reduce that. When I say “we”, I mean the SBA and the government is going to reduce the amount of that loan that could potentially be forgiven.
On this next slide and the next slide both, they talk through what that reduction might potentially look like and there’s, I believe, five steps here. But effectively, what it’s doing is – and again, when you refer back to this, just know that this is all just math, right? And sometimes math is complex, and if you’re like me, you barely got through Business Calculus for Dummies, but it’s just math. By reading the instructions, looking at the math, you’re going through these steps. And so, this initial measurement period – I believe March 31st is that date – you’re trying to get an understanding of what that covered period is and what is your benchmark by which you’re evaluating yourself against for forgiveness.
And along with that is the intent – this is intended for employees that are making $100,000 or less when you annualize that. So, if that’s an eight-week period, it would be eight 52nds of whatever the annual salary is, and you’d annualize that, so anything above $100,000 would be excluded from forgiveness, excluded from getting loan money for as well. But as you’re going through these steps, it’s computing the average annual salary or hourly wage during the covered period or the alternative covered period. So, that’s your time frame by which you’re evaluating, and so what is the pay during that time period? It’s computing the average annual salary for that benchmark period, which was January 1st through March 31st, 2020. You’re comparing Step 2 to the Step 1.
You get into Step 3 and you’re dividing what is the impact – what really is the impact where you’re going? And where we’re on this slide now is Step 4 and Step 5. All this is really attempting to do without going into extensive detail here is in comparison: was the money that you got for this payroll actually used for payroll, who was it delivered to, and did you maintain the headcount, did you maintain flex, which we’ll talk about in just a minute. Or what were the funds used for? Something else? Something not necessarily intended?
Now we move into the safe harbor concept on the next slide. The safe harbor concept is really if you’re a restaurant business or in the hospitality business, they were significantly impacted early on, and so by paying salaries to people who aren’t working, is that the best use of funds? And that’s for every business to decide. In calculating the safe harbor, it’s looking at, again, that annual salary. It’s comparing that annual salary to what was the actual pay during that covered time period and is one greater than the other; is this calculation the same or greater than the one before. If it’s the same or higher – if what you actually paid out is the same or higher, then you’re good. You just kind of move on. However, if funds are reduced, if they were less for not good reasons, then potentially there is no safe harbor.
Moving even further than this within that safe harbor as well, you get into full-time equivalence. How do you measure the number of employees because different employees make different amounts? So, how do you maintain that? When you’re going through this process, you have to evaluate on an employee-by-employee basis. For this employee at the beginning of the pay period and at the end of the pay period, did the pay change, the hours change? The way that you can do that is through this full-time equivalent.
There was a lot of debate initially saying what is a full-time equivalent (FTE), how is it defined – and it wasn’t defined. We were trying to find the specific guidance from the SBA similarities, and they ended up coming up with basically two calculations. One is if you’re doing a calculation and you’re dividing those hours by 40. An employee can only be considered one full-time employee, so you can’t have an employee that’s considered a 1.2 FTE. It also can’t go below one-half. You can either round the decimal to the 10th place or you can assign a one-fifth to each employee.
There may be some variances there. When you’re going through the process – if you did get a PPP loan – and you’re calculating your FTE, it is beneficial to do some analysis in addition to saying this is just the number that we have.
In this next part we talk about FTE a little bit differently. This is the FTE reduction of safe harbor. The borrower may be exempt from the reduction of forgiveness if the borrower was unable to operate at the same level based on specific criteria – based on the impact of decisions made outside of your control, by decisions made by the Secretary of Health and Human Services, maybe by the CDC or OSHA. Basically, if you were prevented from actually delivering the service because of new laws/legislation, those are justifiable reasons to say you couldn’t operate. Then you would get an exemption from that safe harbor and you don’t have to reduce the funds to be paid back.
The second safe harbor is the borrower could be exempted based on if the company was able to return to full-time levels as of December 31st or at the date of the application. We have several clients who are holding off filing their application because they did have to furlough employees and might potentially be able to bring them back as business picks back up. Some of that is indirectly seasonal, but some is not; some of it is based on how that business works, and some have truly been impacted by COVID, so they’re holding off filing for this forgiveness until they’re actually able to bring these people back when business (hopefully) recovers. If you’re able to hire back as of December 31st or whenever you file the application for forgiveness, you’ve got a safe harbor there as well.
There are some reference periods for evaluation to see if they’re being satisfied. Again, this all goes back to the original intent of PPP – to maintain employment levels, maintain salary levels, and maintain pay. The intent here is to make sure your people are employed, so they’re giving you some leeway and some grace because this has extended far beyond what everyone initially expected.
When the fee reduction doesn’t apply, the safe harbor doesn’t apply, when there is no safe harbor for FTE reduction, the bar is basically to calculate the reduction quotient on Schedule A (that we’ll see in just a minute) and enter on Line 7. If a specific employee’s salary has reduced by more than 25%, then there’s a reduction. If there has been an employee reduction by more than 25%, then there’s a reduction there as well.
Considering that there’s two components to PPP: the actual payroll piece and the non-payroll fees for things like mortgage interest and rent expense and those types of things, that’s where we get that 75% area. By going through these calculations, by doing the math that we all hate, we come back to: is there some sort of reduction or quotient that needs to happen? You’re taking that quotient and you’re multiplying it; you’re inserting it into the schedule to get the average FTE. You’re comparing it back and forth.
Jumping forward, if an FTE reduction has taken place, it’s important to keep in mind that there are also exceptions. If you have a million-dollar loan and you did have reductions, there may not be much of a way around it. You made your choices, you got some free money per se, but a piece of that does need to be paid back or it needs to be paid back over the period of the loan (two years, four years, or whatever the time frame is).
But there are exceptions; there may be reasons that the employees left. What we saw in some instances was people were taking early retirements. One said, “You know, I don’t need to be out, I don’t have to work from here, so I’m going to work from home and I’m going to be good.” In that instance, you didn’t choose to push them out, you didn’t have them leave. You may not have replaced them, but they left of their own volition. That would be excluded, so when you’re going through your payroll and your calculation, then you would effectively add them back in because they would count as an FTE. If you fired someone for cause, there’s no reason that you have to maintain them if there’s legitimate causes and you have the documentation.
We talked about voluntary leaving. Maybe you furloughed them for a time, they’re on unemployment for a little bit, but unemployment’s better than what they’re going to make if they came back. In those instances, if you have documentation, you can say, “You can come back now. We want you to come back.” If they say no, you have that documentation, that email or some sort of other documentation to say that you made a good faith effort to have them return and they chose not to. Again, that doesn’t penalize you. You can add those back in as well.
So, if any of these exceptions apply, borrowers will want to keep very detailed documentation. You’ll want to keep the emails, maybe the phone records or a phone log of who you talked to and when you talked to them and capturing that information. In the event that the SBA comes back in and says, “We need more information, and we need to know why these people were let go,” you can easily just provide that back to them.
When making these decisions about should you furlough, lay off, let some people go, remember there is a timing aspect here and there. There’s perception as well as when it actually happens, so you want to make sure you’re going through the right steps, get the right documentation in place, and that you’re doing what really is best for the business and potentially for the employees as well.
If you have questions, concerns, thoughts, please put them in the chat here or follow up with me afterward. I appreciate your time.
[Hope] Alright, thanks.
Next up is Noel Kersh. Noel is the Managing Principal at Pathway Forensics. He has 20+ years of experience conducting digital forensic acquisitions and analysis on a variety of cases. He is an EnCE and licensed PI in Texas.
Today, Noel will be speaking on digital forensics during employee exits.
[Noel Kersh] Thank you, Hope.
Good afternoon, everybody. Like Hope said, my name is Noel Kersh and I’m with Pathway Forensics. We’ve been around since 2008. We’re a computer forensics, eDiscovery, and cybersecurity firm. Our headquarters are in The Woodlands and we also have offices in Houston as well as in Austin. We were acquired by Briggs & Veselka in 2018.
Today, I’ll be trying to answer three questions primarily. Number one: what is digital forensics and what role does it play? Knowing that this audience may not be digital forensics experts or attorneys, my goal here really is to do some education on what is digital forensics, especially if this isn’t an area that you are familiar with.
Another area we’re going to talk about is how can digital forensics help departments such as HR with employee exits. And then, why use a digital forensic expert when I have an IT department. That’s a very common question that we get and one I want to address in today’s webinar.
Digital forensics is a discipline that’s dedicated to the collection of digital evidence for judicial purposes. For the non-attorneys in the audience, there are rules of evidence that are required by courts to be followed in order for evidence to be admitted into court. For example, if I were to file a lawsuit and there was an email that I wanted to have admitted into court to prove my case, I can’t just print that piece or that email off and take it to the judge and the judge allows it into evidence and then considers that for their decision. That evidence actually has to be verified to be what it purports to be. In other words, I can’t just create evidence and give it to the court and have them rely on it. For their decision, it has to go through a process whereby it is verified to be exactly what it purports to be, and that’s where digital forensics comes into the fold. We help you meet those rules of evidence so it can be admitted into court.
I always tell my wife that as long as there are people doing stupid things on their computer, I’m going to be very busy and we’ll have food on the table. There’s an endless supply of that, thankfully, so I’m going to be fine for a long time.
How can digital forensics help HR? There are four primary areas I’m going to talk about today, and I’ll go into detail for each of these, but the main areas are: computer use violations, harassment/discrimination issues, internal data breach matters, and to help preserve evidence.
In the area of computer use violations, we can do investigations of allegations of computer use violations. If a company has specific computer use guidelines that employees are supposed to follow and they don’t follow them – for example, viewing explicit materials at work, spending too much time on the internet, etc.
I had a case before that a client said, “Hey, I think that this person is spending too much time on the internet and not actually doing work.” They sent me this employee’s computer. We did an investigation of her web activity and found that in a 40-hour work week, she spent all of 2.5 hours not surfing the internet. That’s really hard to do and I don’t think I could find 30+ hours of web material to keep me occupied at work, but somehow she did it.
I was able to provide that client with the report that an independent person can. I’m not a party to the employment decision that’s being made by the company. But my report can say there is some weight to the allegations they’re making against this employee, therefore that allegation holds a lot more water when another person – independent of the company – says there is something to these allegations against this employee.
Another area is harassment and discrimination issues. We can support or refute allegations of harassment or discrimination. All sorts of things can be found in emails, texts, chat, and instant messaging.
In this example, this subject is not aware of what the computer is actually recording of her chat activity. This is a real case; I promise this actually did happen. Several years ago, I got a call from a client I’ve worked with for many years. He said, “Hey, we just received a letter from an attorney representing a former employee and she’s suing us for sexual harassment. She’s claiming that her manager used a very specific vulgar phrase to describe her to her coworkers and she was very, very offended by this. I don’t even know what to tell you to do, but just look at the computer and tell me what you find.”
So, I got her work computer, examined it. What I did is a search for that vulgar phrase that she claimed she said was being used against her. I was trying to find where the manager had said that phrase electronically, but what I actually found was that she was using Yahoo Messenger to chat with a coworker of hers – who wasn’t her husband, but was her boyfriend – and was using this vulgar phrase to describe herself in a very lighthearted, joking manner. We printed all that information out and our client faxed it to her attorney and that’s where that matter died.
All sorts of things are being recorded by the computer and just a simple investigation like that – which wasn’t even $1500 – was able to get them out of a lawsuit that was going to be a lot more expensive than $1500.
Another area that we can help with is in the area of internal data breaches. This is when an employee puts in their resignation and then they copy data to a thumb drive/USB, cloud storage, or email/webmail. Those are the most common ways data is stolen. We work with clients to identify what was stolen and how it was stolen, and then recreate the steps of that person on the computer and assist them with getting their information back.
One example of this happening was a client who called me and said, “I’m going to send you a former employee’s cell phone. I want you to take a look at it. What we think is happening is that they’re trying to take our employees and our business.” We examined the cell phone using a specific software. In this case, the person actually did have 14,000 text messages and almost 300 voicemails on the phone.
You can see the text messages that were sent, and the three highlighted ones were actually deleted text messages. The first one says, “I’m sending a customer. Who should they contact?” This is proof that he indeed was sending a customer over to his new employer before his last day. Then he said in a conversation that some have non-competes and, “I have some employees that want t go with me.”
Again, these were messages that he sent on his company’s cell phone and then deleted them. We were able to get those messages back, and it proved that the allegations against this person were actually true. We have an extra case example in the slide deck for you to review after this.
The next area is about preservation of evidence. Which of these actions will result in unrecoverable data? Is it formatting a hard drive twice that makes it unrecoverable? Deleting a file then deleting it out of the recycle bin, which is also known as double deleting? Is it hard drive crash or malfunction, or is it downloading and using free data-wiping software?
If you guessed the “download and use free data-wiping software” one, pat yourself on the back because you were correct. That actually will result in the data being unrecoverable on the drive. Everything else on that list we’ve been able to recover deleted information from a device. There are two case examples in the slide deck for your reference.
We’re going to move on to talking about the IT department versus forensic examiners. One of the most common things we get when we get a new case from a client is this situation: “Hey, I’m sending over a piece of evidence and my IT department has already copied some data off of there, but we want to know what this person did.”
I tell them, “Wait a second, back up. Because if your IT department got on the computer and attached the USB drive and started copying data off of there, that really tampers with the evidence.” It’s sort of like sending a CSI team into a crime scene where the police have already manipulated the weapon that was used to commit a crime, they’ve moved the body, or they’ve cleaned up some evidence from the scene already and then asked us to come in after the fact and try to recreate what happened. It’s a bit of an impossible task to do.
IT departments are really good at what they do, but they’re not digital forensic examiners. I tell people that an IT person is not necessarily a computer forensics expert. That’s like assuming an X-ray technician could perform brain surgery. Yes, they’re in the same field, but they have very different training and experience. So, just make sure that you’re using a digital forensics expert to do digital forensics jobs and not using an IT person to do those jobs.
Here are a couple dos and don’ts slides to round out my time. As IT involvement goes, make sure that you’re preserving evidence before wrongdoing is expected or found. Just make a copy of the hard drive before you suspect anything has been done. Turn off the computer and store it, then establish a relationship with a computer forensics company before an incident occurs. In other words, don’t wait for a fire to start before you start trying to find the fire department’s phone number.
Also, don’t allow another employee or the IT department to browse the computer. And don’t attach a USB device; that’s a big no-no.
The last one is on mobile phones. Make sure that you’re getting the passcodes for the phones before the employee leaves the company. That’s important for us to be able to unlock the information that’s on that device. Without it, we can’t do our job. Do make sure that you’re instructing your departing employees not to reset the device. That does delete everything off the device. And don’t reassign the device to a new employee before the departing employee leaves and don’t delete any data from the phone.
That’s my time today. Hope, I will take it back over to you.
[Hope] Thank you.
Next, we have Mike Trpkosh. Mike is the Director of Cybersecurity at Pathway Forensics. He is a former Chief Information Security Officer (CISO) and cybersecurity consultant with over 30 years of IT experience. He spent the last 15 focused exclusively on cybersecurity risk and compliance.
Mike is speaking today on the cybersecurity risks during employee exits.
[Mike Trpkosh] Thank you, Hope.
When we’re speaking about exiting employees, I generally categorize them three ways. We have the non-malicious employees. Those are the folks who leave on good terms, they’re eligible for rehire, they’re generally great people and we’re sad to see them go.
Then we have the malcontents, who are unhappy, but they’re still here. They’ve wanted to leave, and they’ll leave at the first chance that they can. The one thing about them is I don’t really consider them malicious; I consider them opportunistic. When they do get a chance to leave, they’re going to take whatever they can with them that’s available.
Third, we have the disgruntled folks. They’re not only leaving, but they’re going completely scorched earth when they walk out the door. What I mean by that is, depending on their access, they’re going to leave back doors, they’re going to destroy data, they’re going to erase things, they may even set up dummy accounts so that when their account is disabled, they still have access. That generally happens in larger organizations, and it’s a good reason to do user account reviews.
So, what is the risk when an employee leaves? Especially now that we’re in the digital age, any type of technology can be stored and massive amounts of it can be put on something as small as a thumb drive. You’re looking at cyber technology, information, network diagrams, policies and procedures, or any type of IP or sensitive information that leaves with the employee.
Disgruntled employees, again, can edit, delete, or erase information. They know how to use the free software Noel was talking about to make sure it’s not available once they’re done. And they’ll also send irresponsible emails to clients just to be naughty. Things like bad social media posts – there’s all kinds of bad stuff that can go on. If they have important plans like your diagrams or data, they’ll share it with competitors. The other thing they’ll do is they’ll send employee or customer information to competitors or outside individuals with malicious intent.
One of the ways that we begin to mitigate this risk is to develop an employee-exit strategy. When we do that, the employee-exit strategy should begin the first day the employee is hired and continues until their exit interview. What we do as part of this strategy is maintain a record of all the assets that they have, whether it’s iPhones, laptops, anything that they may have access to and have in their possession. We need to keep very good inventory of all the access they have, both internal and external accounts. External accounts could be like Salesforce, and internal accounts could be any type of legacy accounts within the organization.
In a perfect world, we would have all of our employees bring all of the equipment they have to their exit interview and we would disable access while they’re in their exit interview. Unfortunately, that doesn’t happen very often, and even now with COVID and almost the entire workforce is remote, it provides us with a lot of challenges to do that. So, it’s really important to have the strategy in place. And think about that strategy before you bring those folks in for their exit interviews.
One thing that can help with this is what we call identity and access management (IAM). This is an overarching program solution that is a hierarchical view of all the access that an employee has. It generally provides you with a one-stop disconnect to where you can shut off all of their active access at one spot and then go back slowly and remove access and ensure that there’s no orphan accounts. An orphan means you’ve got access to an account, but no higher access. So, you might remove them from active directory, but they may have access to smaller systems. That’s especially prevalent with single sign-on.
Finally, as part of the strategy, we want to ensure that we’re going to change all the passwords to applications and systems that the employee works directly with. Also keep in mind if you have shared accounts. These are the ones that come back to get you in the long run. You want to make sure those passwords are rotated on a regular basis or especially when somebody leaves that has a higher level of access.
Delete or disable any accounts that belong to that individual and remove any permissions they might have to any types of networks, especially if you have access to a client’s network. Make sure that’s removed and send them notification that the employee has left the organization. Consider if the employee had access to any coworkers’ accounts, shared accounts, or if they just knew of another coworker’s accounts. Again, it would be wise to rotate the passwords.
Then, examine what an employee does on a day-to-day basis and keep a record of that. It’s much easier to make sure that you don’t miss anything.
That’s all I have. Hope, back to you.
[Hope] Thank you, Mike.
Our final speaker today is Greg Godkin. Greg is an Equity Shareholder in the Austin office of RMWBH Law and is the Litigation Section Practice Head. For over 20 years, Greg has represented some of the world’s largest corporations as well as individuals in the areas of complex business and corporate litigation, directors’ and officers’ liability, and fiduciary duty.
Greg is speaking today on protecting intellectual property in the remote work age.
[Greg Godkin] Thank you, everyone. I appreciate you guys tuning in and hope you’re learning some things.
I don’t think anyone ever anticipated we would be experiencing the situation that we’re in today. The pandemic has obviously created a number of challenges for employers as well as our employees.
The main challenge that we’ve seen – and I know it’s uniform throughout – is the number of people working remotely, the likes of which we’ve never seen before and probably may become the new norm, at least to a greater extent than ever anticipated. Because of that, there are a lot of issues that arise as it relates to employees.
Most employers, from small to large, have employee handbooks, which essentially establish the policies and procedures of the company. Seldom, if ever, did these employee handbooks ever contemplate the number of employees that would be participating remotely. The challenges that arise – that we’ve heard a little bit today and from some other speakers – is security, confidential information, the use of home equipment, and the vulnerability of security risks. All of these are challenges that no one anticipated. So, we’re seeing a lot of clients come to us and say, “What do we need to do to address these ongoing concerns because, in the very least, it’s going to be several months before we kind of go back to normal.”
Most likely we’re going to start seeing remote workplaces as a norm. One of the things that comes about is just confidentiality. To begin with, when people are at work and in a work environment, they tend to keep things more private and confidential than they do in their own home. Today, you have folks using their home computers that may also be used by someone else in the household. Having a policy in place that essentially separates out the use of that computer by other people to make sure that the information that is confidential to the employer is protected is absolutely key.
There are several steps that can be undertaken that are quite simple that will prevent some sort of confidentiality breach that could result in anything from a very angry client or customer down to another outright lawsuit. And these are things that can be addressed in an employee handbook before something ever comes awry.
Another issue that I know we’re going to see a lot of, and Justin somewhat touched upon this, is how do you make sure that employees are essentially not violating the overtime requirements. I know a lot of employers that have done surveys, including our own folks, that have talked to the employees and saying, “Look, when are you working during the day?” And we’re seeing a lot of times it’s all over the place in terms of if you have children at home, you have a situation where they may be working really early – from maybe seven in the morning to ten o’clock – and then they’ve got issues to deal with in the household. Then they’re coming back on in the afternoon, and you may see them go off again and then come back on in the evening.
One thing that I’m absolutely sure we’re going to see is a number of lawsuits that come about after COVID where the employee is going to allege that they were working overtime and they were not getting paid for it. It is absolutely critical that the employee handbook addresses these issues to discuss the necessity of getting approval before overtime is approved. There are several things that come into play to make sure that doesn’t happen, or at least can alleviate some issues that may arise, like having approval beforehand. All of this is high level.
Depending on what the employer/employee relationship is, there are various other things to keep in mind. Standards of conduct policy is another one that I think we’re going to start seeing a lot of litigation come out of. People are operating at home for a business day, but they may not be operating like they’re at a business. I actually had a call from a client the other day where their employee, along with another, went to a restaurant and decided to have a few margaritas and then they were involved in an accident on the way back.
The question arose, “Well, am I going to get sued over this? Are they in the course and scope of employment?” Well, technically no, but I told the employer, “Ultimately, at the end of the day, you may beat the rap and not the ride.” These are, again, things that you want to cover in your employee handbook for when you are or may be working remotely. When you’re still on the clock operating like you’re in a business atmosphere, it needs to be treated as such.
One of the things that can be done to help alleviate some of the issues that may arise when employees are working remotely, and also upon exit which some of the earlier speakers touched on, is confidentiality and non-disclosure agreements. I could speak for hours on NDAs and proprietary right agreements, but essentially what you’re looking for is an agreement on behalf of the employee that upon termination or a voluntary leave, that the information from behalf of the employer is protected.
Again, these become very detail oriented. Their enforceability is a subject of countless lawsuits and court’s opinions. But there are things that can be done to protect client information and proprietary information that are enforceable in a court of law. It’s very, very important – in particular as we’re working more remotely – that these are addressed in the hiring stages and in the employee agreements as well.
This kind of touches upon some of the earlier comments by the presenters as well – what do you do upon exit procedures, making sure that the employer information is protected, that the client information is protected, proprietary information is protected, etc.
One of the things that we’ve seen before is when you’re in a situation – and again, it depends on the type of employee we’re talking about, which was just addressed by Mike – where it’s someone we’re just sad to see go or someone we can’t wait to see them go, but in the meantime, I hope they don’t burn us down in the process.
Depending on the type of employee in the situation, there are several things that can be done. One of them is making sure that they’re in compliance with any non-disclosure or proprietary information agreements. In certain circumstances, depending on what has happened and the risks that may occur if we don’t, is recommend that the new employer be reminded of an NDA.
With that there is a caveat. I was involved in a lawsuit two years ago where our client had taken it upon himself to do exactly that. That employee was terminated on about the fifth day of employment and the allegation was, “Well, you didn’t tell us you had an NDA and so you lied and we found out later and we don’t want you.” That employee sued my client, and my client sued his former employer for tortious interference.
The moral of the story is there’s sometimes when employers try to do the right thing, but the manner or method which they’re doing it is wrong. I highly encourage you to speak to counsel before anyone goes down the road. Again, a lot of times when I get our clients that come in and they feel that they’re very justified with their behavior, and they are, but it’s a process in which you do it and doing it wrong can lead to bigger problems than you had in the first place.
We’re often asked, “Okay, we have an employee that has taken proprietary information, they’re stealing customer lists, they’re seeking other fellow employees to go with them even though they have an NDA.” What is typically done is once a lawyer is involved, is an immediate lawsuit is filed, and what’s known as a temporary restraining order is filed with the lawsuit that asks the court to immediately prohibit that employee from creating any additional harm.
That next step is what’s called a temporary injunction hearing. That is where, frankly, these cases are won and lost. It’s where employers have the most power because the temporary injunction hearing essentially is a mini trial, and in the right case with the right facts, a judge will actually tell the employee, “Pending this lawsuit (which could go on for years), you are prohibited from doing certain things.”
This essentially hamstrings that employee from hurting his former employer and could include, but is not limited to, seeking employment with a competitor in the state of Texas or in the counties in which he or she was working, from contacting any prior customers that this employee worked with while he was employed with the prior employer, contacting fellow employees to come over, etc. It really gives the employer the opportunity to essentially do some horse trading and get what the employer wants in the best manner possible during those negotiations. Again, the employee is really hamstrung at that point and can’t do what he or she thought that they were going to be able to do.
This is high level. There is a lot of detail in all of these presentations, of course, but if you have any questions that we can help you with, our contact information is in the materials and we’re happy to help and talk to you any way we can, so thank you.
[Hope] Thanks everyone. And thank you to the speakers and everybody for being here. There are a couple of questions that were submitted. Those are going to be sent to the speakers.
We do have time for one, and it’s to Pathway. So, the question is: can you look at an employee’s cell phone that’s not a company phone?
[Noel] Actually, this is a bit of a legal question, but in my experience, what I’ve seen around this is that you have to have the employee’s authorization to do so, or, most commonly, it’s ordered by the court. The employer goes before the judge and says, “Your honor, we need to examine his phone,” and provide good reasons for doing so. Then the court will order them to turn over their personal phones for examination. Those are the typical scenarios that I’ve seen.
[Hope] Okay, well the presentation will be sent to y’all via email and the questions that weren’t answered today will also be sent to those respective speakers and you should be contacted.
Thanks again for joining.