by brijeshp 3798 days ago
I had a similar issue; here's my recommended approach:

1) Tell everyone (don't single him out) that at the request of a client, you're doubling down on internal security and implementing a set of policies and procedures (P&P) for minimizing risk (I personally used HITRUST as the P&P standard).

2) Part of the P&P entails an audit by the designated Security Officer (in this case, me), in which I personally oversaw the deletion of all production data from every personal and non-personal machine. No one individual suspected I was singling him/her out, as I was doing this across the board, but admittedly, my intention was to go of one individual who had his hands on very sensitive data.

3) Make him and every employee sign off on the P&P Handbook, in which there's a clear clause that in case any personally identifiable data is on his/her machine, he/she is fully liable for the implications of that data getting leaked. Any such employee will be complicit in any criminal proceedings.

4) Fire him.


This assumes he doesn't backup his laptop. Beware that there may be other copies of the data.

Also (assuming your soon-to-be-ex employee is smart) I doubt the threat of criminal proceedings will have much effect. If multiple people have access to the data you'd have difficulty proving which one of them leaked it.

If he's smart, he wouldn't even consider leaking any data he may have access to.
Right.

Because an individual defending himself against civil AND criminal proceedings will get very expensive very fast. In addition, any competitor would be very cautious about touching that data if the guy approaches them trying to sell it, because see figure (1).

So the only avenue remaining is selling the PII to spammers and identity thieves, which will still land him at figure (1) if they get caught and roll over.

#3 should cover this.

3) Make him and every employee sign off on the P&P Handbook, in which there's a clear clause that in case any personally identifiable data is on his/her machine, he/she is fully liable for the implications of that data getting leaked. Any such employee will be complicit in any criminal proceedings.

"All production data" means all production data. Making that clear is part of this process.
Making it clear and making it happen are two very different things.
The principle of charity is having a bad time in this thread. brijeshp did not type "all" and secretly mean "all but the backups". I did not say "make it clear for abstract reasons, but don't bother making it concretely happen because that's not necessary". These "corrections" are not adding to the conversation.
On re-reading, I see your point. My apologies.
This is the best route, and really a security policy that should be implemented anyway. It's one thing giving people access to the cloud, but a full copy of the entire database on their PC is a recipe for disaster even for a team member that you aren't firing.

What if the laptop got stolen? What if it is a node on a botnet?

This is a really good call, and even if you don't take this approach, I'd definitely have HR initiate this.

I think this is the only approach. As much as we hate the CFAA generally (and the abuses of it against Aaron Swartz specifically), I'm quite sure references to felonies will at least make him think twice about doing damage.
This is a pretty good idea to implement for security in general, but isn't it a pretty exhausting amount of work just to avoid confrontation with a single person?

You could just put a lawyer in the mix, and make the employee sign a document that ensures all PII has been destroyed at time of firing, with a little more severance for the indignity of it all and clear consequences for non-compliance. If they're not an idiot, they'll do it.

I think this is a good approach. I'm not familiar with HITRUST so maybe this is part of it... but I wonder if there is a way for the lawyers to build something into the policy that makes it so that if a backup exists (for instance on the devs machine, Dropbox, etc) then everything on that machine/cloud account/whatever is also legally discoverable in the event of a leak.

This could potentially make it so that the developer would effectively be leaking their own private data if they tried any shenanigans.

This route also increases your overall data security, something that is not to be frowned upon.