In the web 2.0 age, redundancy programmes carry a new level of security risk. Martin Baldock explains how to minimise the threat of grudge-bearing former employees

With economic predictions for the professional services sector looking increasingly bleak as the year draws to an end, it would have come as little surprise to any observer of the legal market that almost a quarter of the UK's top 50 law firms are considering making redundancies – as reported by Legal Week on 6 November.

So, what issues should those managing this sensitive issue be thinking about? With more and more information being held electronically by law firms, the scope for acts of workplace computer sabotage and vandalism by disgruntled employees, as well as the destruction of incriminating evidence, has dramatically increased. Consequently, it is vital for firms to implement sound procedures when employees are laid off.

It is important to remember that many of those employees being laid off will see the consultation period as an opportunity to make copies of assets such as client lists, customer price agreements and employee contracts that could be useful to a competitor. The same thought process is often evident when an employee chooses to leave of their own accord.

First and foremost, firms need to consider the 'what if' scenarios. What if this associate has access to our client database? What if the finance manager has copied out passkeys to our bank accounts? There should also be consideration of what digital evidence recovery techniques might be required if an investigation follows at some stage.

When recovering digital evidence, the initial step is to capture the entire contents of a user's PC. This process is known as imaging. It usually involves removing hardware from the target computer and hosting that hardware in a controlled environment, such as a secure workshop. The process goes far beyond capturing visible files from the PC, recovering deleted files, partially overwritten files and potentially much valuable incident-related information, such as registry entries, temporary internet files and internet email – all of which could become important to prove or disprove an allegation at a later date.

Obviously, the earlier the imaging is carried out, the less the chance of spoliation. It makes sense to do this as part of the exit procedure: the 'image' does not have to be searched, but can be stored with the personnel file just in case something needs investigation in the future. The cost of this is minimal compared with the cost, time and potential damage to reputation that could be caused if there is no evidentially secure data to fall back on in the event of a later dispute. The process also does not take very long. In fact, after only a few hours the user's PC can safely be rebuilt and returned with all data – both visible and deleted – preserved.

Exit procedures

While the exit policy should be run by the human resources (HR) department, it needs absolute support from partners and management. Indeed, it may be a good idea to obtain further support from external specialists in order to provide a level of independence. Here is a checklist of steps that should be taken as soon as the employee is notified of their redundancy, or indeed as soon as possible after a resignation:

• Before final selection is made one has to consider cases that the relevant lawyer has worked on, and where client communication could be stored. Historically there would be a paper file, not so in the electronic age.
• Where the employee is being removed from the workplace, accompany them at all times until they leave the premises.
• Ensure the employee surrenders all company-owned laptop computers, notebooks, personal digital assistants (PDAs), mobile telephones or other electronic devices as soon as they are informed that they are being made redundant. It is important to ensure that the employee is not given an opportunity to tamper with or wipe such devices clean before returning them.
• HR must make the IT department aware of any imminent departures. Employees' computer accounts should be deactivated immediately, including any remote access and database accounts.
• Particular care is needed where the disaffected employee is a network or systems administrator. Such employees may implement unauthorised 'back doors' into the systems they administer or maintain, which they can use to obtain remote access regardless of whether their official dial-in account is deactivated.
• Home working and remote users pose additional risks and difficulties – all the more so if employees use their own computers, PDAs, mobile telephones or other devices to connect to company networks. The company will normally only have a legal right of access to these devices if they are its property. In many jurisdictions, the unauthorised inspection of a computer system (e.g. one purchased by an employee) constitutes a criminal offence – in the UK, for example, such inspection constitutes an offence under section one of the Computer Misuse Act 1990. If possible, the organisation should stipulate a 'right of access' to computer systems used by any employee for business purposes at home as part of the standard employment contract. This 'right of audit' is rarely written into employment contracts, and it is normally not possible to access people's home computers without a court order – even when the employee is in possession of company data.
• The return of any company equipment used at home should be done in the presence of the employee at the earliest possible opportunity, and preferably on the day of their being notified of redundancy or dismissal. In the UK there is need for a consultation period prior to an employee actually leaving the company. This is a high-risk time during which companies should be particularly vigilant.
• Check whether the employee's internet or broadband service is being funded, as you may wish to terminate any such arrangement.
• Ensure data from all computer systems (including laptops) is secured in a forensically sound manner. The data need not necessarily be reviewed, but it should at least be archived in the event that the employee brings a tribunal claim.
• Ensure remote access server and network audit monitoring are effective to record any attack on the systems – without audit trails and event logging, it will be difficult to prosecute for computer misuse.
• Security passes should be deactivated and returned, but in some cases it may also be appropriate to advise security staff and receptionists that the employee is to be denied access, should they attempt to return to the building.
• Finally, telephone answering systems and voicemail should also be secured against tampering or the unauthorised re-recording of answer messages.