If a company terminates an employee they should consider everything the employee has to be lost. Businesses should require employees to keep data in central, backed up locations, e.g., file servers, databases, version control. Anything on laptop is transient and can be lost. When a company terminates an employee they have lost their good relationship and should expect nothing. I'm going to guess this was a Mac, as it's the easiest system to encrypt the home dir on. When the company asked for the laptop back there is nothing preventing the employee from securely erasing all the data; drag everything in Documents to the Trash, securely empty the trash (which is a DoD 7-pass erase). Too bad the employee never saved any documents, it turns out they were a horrible employee who never did any work at all, oops. Or boot off the install disk and do a 35-pass erase of the whole drive. Hell, most laptops I've keen sent back from terminated employees come regular US Mail. And sometimes they get "lost in the mail". What is the company going to do, sue for a $1000 laptop and try to prove that the ex-employee never sent the laptop, maybe have the FBI raid their house? It's not going to happen. Even if the severance agreement says all company documents and property must be returned, the ex-employee could say they don't have any paper documents or they got lost in a flood, or they do send the documents back but make photocopies first. If the data was that important the company would not have an "enlightened" policy of allowing employees to choose and configure their own laptops. If it was so important they wouldn't even allow it out of a secure facility. The policy should be relative to the importance of the data, ranging from enlightened policies to strict DoD-like rules. This kind of security theater is silly. I was once asked to watch remotely as a former employee deleted company material from a personal online account of his. So we had a WebEx conference with screen sharing and I watched him delete the files. Of course the meeting was arranged a week in advance, so if he really wanted to keep the files he could have downloaded them to his hard drive a week before I watched him delete the online versions. Watching him delete them was no more secure than asking him nicely to delete them. Now there is nothing preventing you from asking for the password. I personally am uncomfortable with asking for an individuals password. People reuse passwords too often, and I have no business knowing their Gmail or Facebook password. It would have been better to ask them to reset it to "password" before sending the laptop back.
In the future, if the company really cares about the data they should un-enlighten their policy a little. Let the employee pick a laptop from a list (e.g., any MacBook under $1500, or one of 5 Levono ThinkPads). Then IT configures the laptop with an encrypted HDD or home dir with a master password, and a backup agent that works remotely. And have a policy to keep important things in central/shared storage, because finding documents on an ex-employee laptop is too difficult (which of the 25 versions of Annual_Finance_Report_2010.xls is correct?). Just my twenty cents, Anton On Fri, Nov 11, 2011 at 12:11 PM, Sam R <[email protected]> wrote: > I've just run into something I haven't before, and I'm a little unclear > about where the footing is. We recently let go one of our remote workers, > and in the process retrieved all of the company hardware that they had > (phone and laptop). We're one of those smaller enlightened companies that > attracts people because we let you use the laptop you want (within a > budget), so we're seriously lacking in the centralized management > department. > > This particular user had gone so far as to have their home directory > encrypted. We didn't do this for him, but this is good! This laptop traveled > with the user, and we really didn't want a "left in a taxi" information > breach. > > However, the hardware didn't get into my hands until after the user was > formally severed and I've been asked to get the data off of it[1]. 98% of > which is in that encrypted home directory. I can certainly ask him to > divulge this, and if he does great! No problem. > > The problem comes if he, like so many people, reused the laptop password > somewhere else and says, "Um, no. Sorry." because that would give us access > to more than just the home directory. The Company CEO is of the opinion that > this is company property, the password is part of the property, to ex-user > has to divulge it. A nice legal theory, I just don't know if it holds up to > common practice[2]. > > Clearly, we need a method of admin-access to masively heterogenous hardware > (we have all three! Windows, Mac, and Linux (two flavors even) users). But > that's for later. > > The employee agreement doesn't cover this specific example, just property > and documents at termination. Interestingly, the paragraph in question > doesn't mention "in a recoverable form", so we just might be up a creek > here. Thus the question about the password. > > Is this kind of password demand at all common? > > [1]: So we can have it just in case. This is not a forensic, > evidence-preserving move. I checked. > [2]: I can argue that the laptop only stores a hash of the actual password, > not the password itself, and this is a false argument, but that's getting to > a level of brass-tacks I don't want to get into quite yet. > > _______________________________________________ > Discuss mailing list > [email protected] > https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss > This list provided by the League of Professional System Administrators > http://lopsa.org/ > _______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
