How to cut data loss risks when employees leave

Voluntary vs. involuntary departure risks

Data breaches from insiders still happen, even with employees leave on good terms. Verizon's 2025 Data Breach Investigations Report showed privilege-misuse breaches -- where employees or partners abused legitimate access -- are driven by financial gain, followed by espionage and grudges. However, not all data breaches are malicious -- they could be accidental.

Voluntary resignations are tricky. Many employees will leave the company amicably, so breaches aren't always intentional. Employees might take work they developed, such as computer code or scientific research, believing they have ownership rights. Others might leave with a trove of company data on their personal devices due to weak BYOD policies.

However, that doesn't mean all data breaches from voluntary departures are mistakes. Some employees might knowingly take proprietary client information to cultivate relationships at a new employer or to gain a competitive advantage.

Employees who are fired or laid off might take similar actions, sometimes acting out of anger. Cyberhaven's 2024 Insider Risk Report found a 720% increase in data exfiltration in the 24 hours before a layoff takes effect. Employees terminated involuntarily might:  

• Deliberately click a link in a phishing email to compromise data security.
• Sell insider access to hackers if they suspect a pending termination.
• Steal or release data to harm the organization.

The risk of data loss also varies by the employee's position and what they can access. Hard work isn't required to do damage. The Verizon report noted that in most cases, "bad actors (employees, contractors and partners) are sitting in their usual places while nonchalantly taking copies of data they have been granted access to."

The Cyberhaven report also found that the most common types of sensitive data lost due to employee exfiltration are client and customer data, source code, sensitive project files, design files and product formulas. The most common exfiltration methods are personal cloud storage, removable media and generative AI tools. Personal webmail and personal messaging are also frequent techniques. Offsite employees are more likely than in-house staff to use Bluetooth and AirDrop.

Preventing data loss during departure

A strong data loss prevention (DLP) program reduces risk for both current and departing employees by defining acceptable use and enforcing data controls. A strong DLP program includes:

• Data classification to match controls to each sensitivity level.
• Continuous monitoring of data in use, in motion and at rest.
• Data loss detection capabilities.
• Access controls and security policies.
• The principle of least privilege access, so employees only have access to what they need to do their jobs.
• Employee training and awareness.

An effective offboarding process further reduces data-loss risks. It should specify how and when to:

• Coordinate management, HR, IT and legal during a departure, especially terminations, to give time for extra security and DLP measures.
• Revoke access to systems and data, including any paper files.
• Collect digital assets and employer-issued devices.
• Conduct and document any forensic reviews to determine whether data was lost.

These steps won't eliminate risk. Nothing completely can. However, they will help reduce it and help executives protect the organization's assets, maintain compliance and safeguard its competitive edge.

Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.