Ask Jack: Do Former Employees Present A Risk To My Data?

By Jack McCalmon, The McCalmon Group, Inc.

Third-party criminals are most of our focus for data security. Are we missing anything?


All data security is good security. Although third-party breaches snag the headlines and most of the class action litigation, it does not mean it is your only risk.

Former employees also pose a risk to your data, even though you are less likely to read about those breaches in your news feed.

One reason is that these breaches often go unreported and, ominously, undetected.

After an employee leaves your employ, it is a standard best practice to deny access to accounts. This may seem simple so long as you know the accounts the ex-employee has access to and if they use a single set of credentials to access those accounts. If an ex-employee has multiple sets of credentials; has access to the credentials of others; or has engineered a back door into an account, then your data is at risk.

One recent survey revealed that 10 percent of former employees used past credentials to disrupt company activities. Another 56 percent claimed that their credentials were never changed on accounts, allowing them access even after they were gone. Another 44 percent stated an existing employee provided passwords to them after they were gone.

The final takeaway is that you should monitor activity across accounts. All credentials need to be linked to a person, and that person must have approved access rights. Unusual activity must be tracked and dormant accounts purged. Most of all, organizations must develop and enforce a policy prohibiting the sharing or disclosure of credentials.

Jack McCalmon, Leslie Zieren, and Emily Brodzinski are attorneys with more than 50 years combined experience assisting employers in lowering their risk, including answering questions, like the one above, through the McCalmon Group's Best Practices Help Line. The Best Practice Help Line is a service of The McCalmon Group, Inc. Your organization may have access to The Best Practice Help Line or a similar service from another provider at no cost to you or at a discount. For questions about The Best Practice Help Line or what similar services are available to you via this Platform, call 888.712.7667.

If you have a question that you would like Jack McCalmon, Leslie Zieren, or Emily Brodzinski to consider for this column, please submit it to Please note that The McCalmon Group cannot guarantee that your question will be answered. Answers are based on generally accepted risk management best practices. They are not, and should not be considered, legal advice. If you need an answer immediately or desire legal advice, please call your local legal counsel.


Finally, your opinion is important to us. Please complete the opinion survey:

What's New

Ask Jack: Can Trusted Agents And Contractors Play An Unknowing Part In E-Mail Compromise Attacks?

Are internal breaches the main concern for email compromise attacks? Jack explains why such attacks go beyond office walls.

Ask Jack: Can Dating Scams Cross Over Into The Workplace?

Scammers are using dating apps to scam money from people looking for love. How can that creep over to employers? Learn why the leap is pretty easy.

Ask Jack: Is Disconnecting From The Internet A Smart Move If You Think You Opened Malware?

Jack explains the value of disconnecting and shutting down if you think you have selected a bad link or opened a questionable attachment.