I had a similar issue; here's my recommended approach:

1) Tell everyone (don't single him out) that by the request of a client, you're double-downing on internal security and implementing a set of policies and procedures (P&P) for minimizing risk (I personally used HITRUST as the P&P standard).

2) Part of the P&P entails an audit by the designated Security Officer (in this case, me), in which I personally oversaw the deletion of all production data from every personal and non-personal machine. No one individual suspected I was singling him/her out, as I was doing this across the board, but admittedly, my intention was to go of one individual who had his hands on very sensitive data.

3) Make him and every employee sign-off on the P&P Handbook, in which there's a clear clause that in case any personally identifiable data is on his/her machine, he/she is fully liable for the implications of that data getting leaked. Any such employee will be complicit in any criminal proceedings.

4) Fire him.

This assumes he doesn't backup his laptop. Beware that there may be other copies of the data.

Also (assuming your soon-to-be-ex employee is smart) I doubt the threat of criminal proceedings will have much effect. If multiple people have access to the data you'd have difficulty proving which one of them leaked it.

If he's smart, he wouldn't even consider leaking any data he may have access too.

Right.

Because an individual defending himself against civil AND criminal proceedings will get very expensive very fast. In addition, any competitor would be very cautious about touching that data if the guy approaches them trying to sell it, because see figure (1).

So the only avenue remaining is selling the PII to spammers and identity thieves, which will still land him at figure (1) if they get caught and roll over.

#3 should cover this.

3) Make him and every employee sign-off on the P&P Handbook, in which there's a clear clause that in case any personally identifiable data is on his/her machine, he/she is fully liable for the implications of that data getting leaked. Any such employee will be complicit in any criminal proceedings.

"All production data" means all production data. Making that clear is part of this process.

Making it clear and making it happen are two very different things.

The principle of charity is having a bad time in this thread. brijeshp did not type "all" and secretly mean "all but the backups". I did not say "make it clear for abstract reasons, but don't bother making it concretely happen because that's not necessary". These "corrections" are not adding to the conversation.

On re-reading, I see your point. My apologies.

this is the best route, and really a security policy that should be implemented anyway. its one thing giving people access to the cloud, but a full copy of the entire database on their PC is a recipe for disaster even for a team member that you aren't firing.

what if the laptop got stolen? what if it is a node on a botnet?

this is a really good call and even if you don't take this approach, I'd definitely have HR initiate this.

I think this is the only approach. As much as we hate the CFAA generally (and the abuses of it against Aaron Swartz specifically), I'm quite sure references to felonies will at least make him think twice about doing damage.

This is a pretty good idea to implement for security in general, but isn't it a pretty exhausting amount of work just to avoid confrontation with a single person?

You could just put a lawyer in the mix, and make the employee sign a document that ensures all PII has been destroyed at time of firing, with a little more severance for the indignity of it all and clear consequences for non-compliance. If they're not an idiot, they'll do it

This route also increases your overall data security, something that is not to be frowned upon.

This is a "people problem" not a technology one.

Meaning even if they wipe the laptop right in front of you, that is meaningless, since they could have backups, a copy on their home machine, and so on. So really your goal here isn't about a single laptop, it is about trying to get a former potentially disgruntled employee to do what you want after they are terminated.

I'd argue a payoff is your only viable way. You put a bag of money in front of them, and then have them sign a contract that they will destroy all company data, and won't redistribute it, or they have to pay you XYZ.

Then just hope that the potential for getting sued for XYZ and the bag of money will keep them in line long enough for the data not to be as key to your business.

As others have suggested you could also "promote" them away from daily access to that data and then terminate them further down the line when the data expires. But that would likely be more costly in the medium to long term.

"have them sign a contract that they will destroy all company data" :)

You know those complicated policies that big enterprises have, the ones startups love to mock? This is why they have them. :(

You have two classes of tools... carrot and stick. His stick is much bigger than yours. He can destroy your company, you can sue him for it with whatever you have left after the company is destroyed. So stick is a problem.

Carrots may work better... ongoing stock options, contingent on destruction of the data, certified by an expert and an oath? Basically bribe him.

Yet another alternative - do you have to fire him? Why? Maybe do a Peter Principle thing, and "promote" him to a less responsible position, maybe something where he has no reason to touch production data anymore? Or start a new project, and put him in charge of it?

Yeah, this is the sort of thing that scares me about putting trust in signing up for a startup's service. Somewhere out there, there's a startup that has millions of user's personal information stored on a soon-to-be-disgruntled-former-employee's personal laptop.

That's terrifying.

Yeah I don't think a lot of people understand the lengths some companies go to, to control access to their systems (either because of risk aversion, regulatory requirements, or something else). It's on a different planet from a startup mentality of 'We hire trustworthy people, so all 10 employees have access to prod'. This is 'How do we protect customer data from 1 in 2000 IT staff across 100 countries?'

For example, I was working at a massive bank that was implementing an access control system for their servers that meant that admin's didn't have direct access. You had to

- submit a change ticket that went through all the approvals.

- This triggered a workflow through a web interface that opened an RDP or text terminal session to the server, for the appropriate person (OS, application, database, etc)

- The RDP session was recorded to video, the text session was logged.

- Once you logged out the password on the server was auto-rotated.

- The text-session was indexed and searchable. The software coordinating all this was able to match server logs against the video RDP session so you could search through the video ("show me the SQL Server commands that admin ran")

- On a regular basis, the server state would be reconciled against all the logged tickets for that server and discrepancies investigated.

Please, PLEASE tell us the name of this place so we never have to work there.

Why would you care? Most devs have no business with admin access to production servers.

Note: this is different than being able to deploy new code, I am talking about messing with a box in a data center

It's called "Most Big Financial Companies"

This was the result of a huge case of risk aversion and response to very loose but firm regulatory requirements.

I agree there's a middle-ground, but it's not "Employees can use their personal laptops".

Almost every bank. My country assign a category to every bank. One of the requirements to earn a better category is the AUDITED production environment and its processes. a better category enables the institution to access bigger, riskier and more profitable business. That is: production environment practices affects business directly.

My employer has an ITIL system on place, and that is the only way to touch prod. It is not for everyone, I admit!

I'm currently developing a side project that stores medical data, a big chunk of the design work I've done so far is how to work on systems where you never see production data (things like accurate faking of data, seeding correctly etc).

Just yanking a copy of production to a local machine is ridiculously and horrifically common at pretty much everywhere I've worked.

One of the inspirations for my startup is the problem of developers supporting production systems they're not allowed to actually see.

I think we spoke about your start up a year or so ago on here, I hope it's going well :).

It's going well! Finally found a couple of co-founders, building a new version based on lessons learned from the alpha. The data model finally works the way I want it to work.

Enjoy the HIPAA; I know I do :(

I'm in the UK, different rules.

Spoke to a friend in local gov who put me in touch with the right people to deal with our equivalents however so I will be compliant, in addition since users self-elect to insert their data I've got my company's legal representative looking into it as well.

Medical data makes me nervous but this could help a lot of people, it's a product I'd have used immediately if it existed.

Anonymizing PII is actually incredibly difficult. The problem is that the same things that create the valuable uniqueness you need to operate on the data are the things that are most sensitive.

There's no way to reliably anonymize medical data in the general case. PII/PHI often exists within free-text fields and file attachments. You can't remove it all just by searching and replacing.

Bad news: big companies, governments, hospitals, etc., etc. are sharing your PII with 'data scientists' every day.

Unlikely hospitals are; HIPAA compliance and enforcement is an actual thing.

A doctors/hospital only needs the flimsiest of "business justifications" to share/sell data to whoever they want to. What the data can be used for is limited, but it can be shared all over the place. Source: Pulling this data is part of my job.

There are very strict laws regarding the use of PHI. It cannot be shared "all over the place". PII/PHI is regulated to the max; if you're working for a place that pulls or uses the data from places like I work for then you guys had better be darn sure that it isn't personally identifiable, or both your place, and my place, are in for a world of hurt at the next audit.

Yeah, I know. One thing I saw was Google soliciting hospitals for them to store DNA records there. The idea that Google could absorb thousands of people's DNA records without their permission via offering a storage service to a hospital...

Or a completely content employee who just happened to make a poor security choice at home.

Retaining him - rewarding him, even - in contravention of company policy seems to create a great deal of liability for the firm if there is any PII leakage. "My client's personal data was stolen from your firm, and we found that you have this employee, who had the client database on his home laptop, but you didn't fire him? Here's a lawsuit."

On the other hand, retaining him long enough to implement a policy and start enforcing it - and enforcing it on him - might be a good idea.

hey, id like to fire you, but you have sensitive information on your laptop, so instead im promoting you to the position of data security, and your job is to create and enforce policies so i never get in this situation again. consider yourself lucky.

Sounds like a dilbert cartoon!

The bottom line is that you probably can't ensure it's deleted.

Consider this: I have at least two backup mechanisms I use regularly (Dropbox, Time Machine) and I don't even think about them at this point. Even if you watched him delete it, it's pretty likely that data already exists outside of his laptop, if he's even reasonably diligent about his machine.

So you're left with a few options:

* Trust

If you're firing him for a good reason, and can validate that reason in his mind, you can choose to trust that he won't be a douche

* Trust with seeds

Before firing make sure the data has something uniquely traceable to him. Data that only his export gets; dummy users, dummy data, something steganographic so if your trust is violated you can identify the breach source.

Your options are limited, AFAICT. Once data exists in the wild it's essentially impossible to maintain any semblance of control. Your only real hope is that he's honorable. Even in the worst of circumstances I'd never breach trust in that way.

Especially when there are much more insidious, passive-aggressive, entertaining ways to bring down a company.

I use a personal laptop for work and honestly my backups are so automated I didn't even consider this.... I have 2 TM backups (one at home, one at office), Backblaze, Dropbox (rarely does code touch this as svn/git wreaked havoc last time I tried but still) and a HD clone that is updated daily... Honestly I don't even know where all my data is backed up to or it is likely I would forget.

The options are not limited to trust, enforcing a ISO27001 in the company obligates the worker to give the data. And this implies that you can trace the flux of data, in and out, from the company. If the data ever leaks, you know where it came from.

Except that (a) "obligating" someone to do something is useless, because it doesn't mean they will, and (b) OP already stated data integrity wasn't maintained.

You are right. It is a complex issue.

In the firm I work for, we deal with much secret information and many paranoid clients. Generally when someone is terminated we give them a severance contingent on signature of a pretty ironclad non-disparagement letter and a further reinforcement of existing NDA. You could extend this concept to this situation, crafting a letter such that if he does ever leak that data, his liability is assured and his incentives are aligned with yours.

This is a time to spend a bit of money and speak to your external counsel. They will have a good solution for you.

NDA and non-disparagement are radically different things; I have zero issues with NDA, I'd take umbrage at not being able to say a place I used to work at sucks.

To me, non-disparagement agreements are an instant red flag that a company is doing something heinous. I don't think anyone has problems with NDAs, but when I see non-disparagement, that instantly translates to "We know we're doing something really shitty, and you'd be right to warn others about us, so we're going to threaten you with our lawyers to keep you from talking about it."

See here: http://www.washingtonexaminer.com/silenced-workers-who-lost-...

Eh, when they're dangling several months salary in front of you, signing a non-disparagement is a pretty hard thing to pass up.

Regardless it's pretty juvenile and self-destructive behavior to go around disparaging an employer for firing you to begin with. Getting a cash bonus for the self-censorship a rational adult should be exhibiting anyhow, is not such a bad thing

If you work in a terrible place but do your best and just don't fit it in you should have a right to say what you didn't like about the places culture, no?

It keeps you from posting honest glassdoor reviews (no cons/negatives and zero faith glassdoor wouldn't release your info on discovery), telling friends what it was like to work there, etc.

>Onto your specific point, N-D is not unusual for senior employees

Not unusual for junior employees either.

>they are a strong tool for preventing disgruntled former employees from saying bad things which might hurt a business.

It prevents you from saying entirely true things which might hurt a business that fully deserved it.

Do they typically prevent this? Somethink like libel (or slander I always confuse the 2) often can be defended with proof.

So, I wouldnt have a problem with a company not wanted to litigate false claims, but true claims being muzzled is another thing.

A N-D keeps you from saying anything that a court might rule is negative regardless of truth.

For instance if I say, "I liked working at Company X but I think the CTO lacked leadership skills/vision" that's disparagement. It subjective/opinion, but assume you have factual reasons you could use to back-up how you formed that opinion.

IIRC "disparagement" has a legal definition that's roughly "injurious or misleading falsehood". An opinion cannot be false. The legal definition of disparagement is different than general usage.

For example, PA law:

* The statement is false;

* The publisher either intends the publication to cause financial loss or reasonably should recognize the publication would result in financial loss;

* Financial loss does in fact result; and

* The publisher either knows that the statement is false or acts in reckless disregard of its truth or falsity.

There is debate regarding the efficacy of non-disparagement clauses for a variety of reasons, but it's often tough to make them stick.

The laptop is really a bit of a red herring. If the person is the sort that would be inclined to retaliate against the company, they could have taken a copy of the pii whether or not the laptop was in the picture.

You could offer them payment for signing a severance agreement. You would do this in recognition of their significant contributions to date. The agreement would reiterate that they are bound by their existing NDA, explicitly state that they have fully deleted any company info/files that they may have had in their possession, acknowledge that disclosure of any private company info could have significant negative impact on the company, and could possibly include non-disparagement wording.

(sarcasm, but true story, afaik:) You could do what I understand a former employer of mine did: fire the employee, then call the state police and report that the employee "stole" company property by not wiping source code from a personal laptop as was demanded by the company at the time of firing. Police confiscated laptop, and employee was forced to hire counsel to get it back.

I imagine it was effective at encouraging the employee to delete the data, but at the great cost of advertising to all employees that we were all viewed as dirt.

If there's a lesson to take from this, it's that when you're in a position of power, you should use sticks carefully if at all. But I hope that many (including the OP) already learned that lesson as a child.

(Thankfully, I was able to leave the company myself not long after.)

This seems a very risky option, if he has a copy of the data and you are harassing him this way, there is a good chance the data is going to be released somehow.

First of all, I'd suggest addressing the issue company wide. Before firing, tell everyone pii outside of the office is unacceptable. Figure out a way you want to deal with that that lets people keep working, whatever it's work through a VPN, anonimizing data, or what not. Address it as the privacy issues it is, and ask all developers to acknowledge and agree to the policy change. It might smell funny to some, but it's not an unreasonable policy.

After that, offer increased severance as other posters have suggested.

Have you confronted him about the fact that it's probably not a good idea that he has this data on his personal laptop? How did the data end up there in the first place? Why doesn't he have a work laptop?

How long have you known/how did you learn? Has it maybe been a "public secret" for a while, and you tacitly accepted it? If so, you probably can't fire him for it.

"Hey, dude, it struck me the other day that it's a pretty bad risk for the company that you have that database on your personal laptop -- do me a favour, pick out a top-of-the-line ThinkPad/MBP, expense it, and put the DB on an encrypted volume -- and make sure you delete the DB from your laptop and any backup you have. Thanks, man!"

I should also note here that I know that the first mistake I made was allowing this situation to happen in the first place. We have policies now, but we didn't push this employee to adhere to them at the time he joined.

Help?

I have never been in your position, and I dont envy the pickle you're in - but I HAVE had customer data (possibly sanitized or partially sanitized, I never peeked) at various times and I always viewed it more as a liability than leverage!

If any of that data were ever to be released, it wouldnt be hard to point the finger at the few people who had access (and especially motive). It would be incredibly short-sighted of him to release anything.

This thread has some great advice, but in addition to that it sounded like hes a friend to you? Perhaps soon after he is let go you can have a word with him as a human instead of as a business and just say: "Look, thanks for your hard work, I really appreciate what you've brought to the table. Be aware that people here at the company will notice if you release or reuse anything you worked on here so you might want to make any copies of work stuff you still have disappear. I know its not good timing but youre sitting in a timebomb and I dont want it to blow up under you"

What do you hope to achieve by firing him? Admittedly storing PII on a personal laptop is unacceptable in most places, but I'm curious:

(i) do you have a policy and associated training so that people know what they should and shouldn't do,

(ii) was this employee ever required to use his personal laptop for company work (e.g. pre-funding)?,

(iii) was there ever a time in your company's past when you and others would have considered this situation to be OK, at least temporarily?

If he's doing things the way your company always did things, and hasn't been informed that you need to apply a higher standard, then why move immediately to firing him? Why not just ask him why he's storing the data that way, and figure out together how he can do his job whilst accessing the data in a safe way?

It's not clear whether you're trying to

(a) set an example for other employees to help ensure compliance with an existing policy,

(b) ensure that this particular personal laptop does not become the cause of a leak, or

(c) something else?

But, why doesn't this guy have a work laptop?

I have a work laptop my company provided. My wife has a work laptop her company provided. Everyone in both of our companies have work laptops provided by the employer.

Plus there are policies in place with this. We have agreements that all work is done on the work laptop and nothing personal. We signed saying we agreed. When we leave they take the laptop, in its entirety. It is also encrypted and automatically backed up. They also know if we have plugged in ANY external device like a flash drive and or external HD.

So not buying a work dedicated laptop for this guy, I think will cost you now that you care about what he might do with it.

Maybe the guy just wanted to use his personal laptop rather than set up a new one, and it wasn't a decision from OP to save money.

If a company gives you a laptop to work on, and says that you can't put company data on personal devices, then in no situation should the employee be able to say 'I don't wanna'. Because that's how you end up in this exact situation.

But why is it the employees decision?

Possibly don't post to HN.

Right? These anonymous advice posts always worry me for the OPs. Surely, the third party(s) in question read HN to?

i would say this is fairly anonymous post, there is little if any identifying information and given that this is HN there are probably loads of readers who have this sort of info on their laptop.

Yeah.... Until the OP starts following any of the advice in this thread!

An imperfect solution might be to buy his laptop for enough money to allow him get a new laptop and the licensed software on the laptop that he purchased. Doing this at the time of dismissal would make it more likely to regain control of the data. [Edit add] Also, give him opportunity to copy his data off the hard drive. This would have to be supervised, obviously.

Addresses:

* A delete may not delete the PII because it could be in multiple places and deletes don't really delete unless you do a secure delete that truly overwrites the deleted data.

* Gives him a monetary incentive to cooperate.

Does not address:

* Any backups that he might have that are out of your control.

Secure delete has become quite difficult to achieve, if it is on a SSD then you may only be safe with an ATA command, but not all drives will even do that right[1]. It is even hard to be sure that you have over-written every block anyway, due to over-provisioning.

Filesystems can also make this quite difficult (and that is without considering snaphots), most journalling and log-structured filesystems break the old shred [2] program for instance.

[1] https://www.usenix.org/legacy/event/fast11/tech/full_papers/... [2] man shred

This particular problem is quite common in this stage of your business. You have to cover legally all the data that might be leaked from some other places and when you are completely sure that there can't be any other source of leakage, ask him politely the return of that data to adhere to a higher standard of information security. This has to be a very delicate request. I have been both requested and requester, good luck dealing with this.

Do the security p&p thing.

One other thing that I haven't hear yet is that you could do is introduce "identifying easter eggs" into the data if you can. Sorry, not sure what the right word is, but it's a proven technique in certain high level negotiations. You make it easy for this employee to obtain an ever so slightly modified recent version of the data. The modifications are minimal, but allow to identify him as the source of the leak.

Document the easter eggs in a registered letter to yourself. Wait until fairly sure the "custom" version of the data is on employee's machine. Then sue if he leaks.

Work on the 'take the firing well' part. Letting someone go despite whatever issues are at hand should be a way to look for a win-win situation. A former staff member that feels let down or mistreated will talk about your company in negative terms, which for a company of 20 people is going to be a fairly significant risk even with the PII.

An ideal situation is that you're getting rid of a B player that isn't a good fit for your company's future. You want him to talk to A players he knows positively and suggest that they would work well at your company despite it not being right for him.

In addition to all the other great advise here, look at things like source code, contracts, customer lists, etc.

All the trade secret, confidential information.

If you have an auditor (CPA firms do this as part of a due diligence) that can do a procedures and practices audit - that firm can act as the "bad guy" that flags things that need to be addressed.

You know of one problem, there probably are others.

For example, bank account information? What is the wire transfer procedure? Can someone break in to a computer, login to the company's bank account and wire the money to Romania?

An improved severance package in exchange for NDA.

Do you have "Bring Your Own Device" policies currently in place? Even though the work on the computer started before the policies may have been in place, you would be able to enforce a device wipe or clean-up with those procedures. Your next best option would be an NDA, since legally you could pursue action if they did use the system against you or for their own benefit. Technically, ignorance of policy doesn't excuse actions; that excuse flies like a lead balloon in court.

The other question might be, why are you letting go of a seasoned member of your team? If there is someone their junior then why not them, or check with the person you're looking at letting go and see if they'd be willing to take a pay cut to stay part of the team (assuming it's payroll related and not behavioural).

Lastly, if it's PII, the legal ramifications for the employee should be enough of a deterrent that they wouldn't go about disclosing the information in a manner that could be tied to them, and most people don't have and can't find the connections to "sell" the data.

Has this been addressed directly with the employee? It hardly seems worth firing someone over.

It doesn't sound like he's being fired because he has the data.

You can only rely on his self interest. If he does something that harms the company, he will be ruining his own reputation. Most rational people won't want to do that.

If he's not a rational person, then it becomes a PR problem of how to handle the aftermath.

If he violated company policy by moving PII to his laptop, then the company may punish and/or prosecute him. But if there was no consistent policy then one must be formulated and all employees brought to heel without recriminations.

If he demonstrably violated company policy then the company nonetheless may be responsible for his past and continuing actions. In this case I would also hire a knowledgeable private investigator to help determine what he might have done with the information.

If you are responsible for allowing the situation, or in allowing it to continue, then you may, in the end, be terminated or required to resign. Prepare yourself. Perhaps you should consult an attorney.

Get an employment lawyer involved so you don't get sued for the termination or the exposure of PII. Answer is longer than appropriate to post here.

How about you offer to buy them a new work laptop so they don't need to continue using their existing personal laptop for work.

Also do this for every other employee that is using a personal laptop for work.

Make it a nice laptop too.

In the grand scheme of things this will cost less than losing the company.

It sounds like he's far more likely to delete the data if you simply ask him to do so. Why do you need to fire him? By firing him you're just losing any control over him that you may currently have.

If he took it home with him, you can't ensure the data is deleted. Could be on an external drive at home.

Talk to counsel. In my state, you'd be obliged to report this as a data breach.

Generous severance.

civilly?

Why would they take the firing poorly? Why fire the person at all? If you trusted them enough to work on critical data and systems they must have been doing their job well.

If this person _wants_ to hurt you they will. There's nothing you can do to prevent it. All the legal protection and fake policies are not going to prevent this person from creating multiple copies of the data and releasing it a year later.

Your best bet is to make the person happy enough to let the betrayal go. Such as a huge severance package.

If the person is anything like me, they will have backups as well as documentation and copies of all conversations that have ever taken place in email, Slack etc.

If they want to hurt you they can and will and the data is probably not the only way they can do that. At the end of the day don't fuck people over or they will fuck you over.

Be as nice as you can and make sure you are justified in firing this person or else they are going to fuck you.

Not the most honest route... but you could 'accidentally' damage it, buy him a nicer one as a loaner, and send the damaged one to the shredder.