Insider threat — departing employee or contractor
A current or recently-departed staff member misused access.
The scenario
An employee or contractor with administrative access leaves under tension — or stays, but is suspected of exfiltrating data or sabotaging systems.
Who this is for: HR director, CAO, IT lead, counsel.
First steps
- 1. Disable access at the moment of decision, not the moment of departure (First hour)
If termination has been decided, network, email, VPN, SaaS, and physical access are all revoked before the conversation. This is policy, not punishment.
- 2. Preserve the user's mailbox, chat history, and access logs (First hour)
Most platforms allow a litigation hold or in-place hold. Apply it before the user is notified.
- 3. Coordinate with HR on the legal and union framework (First day)
Union contracts often require specific notice procedures. Counsel and HR walk through this before any monitoring is enabled.
- 4. Audit the user's recent actions (First day)
Look for mass downloads, mass deletes, USB usage, external sharing in M365 / Workspace, and late-night logins. Most insider activity is visible in standard audit logs if you look.
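One way to run the step 4 review over an exported audit log, as an added example that is not part of the original playbook. The record schema, thresholds, user names and domain are assumptions made for illustration, and timestamps are assumed to already be in local time.

```python
from collections import Counter
from datetime import datetime

# Assumptions for this example; tune to your environment and the user's baseline.
BULK_THRESHOLD = 3          # same action this many times within one clock hour
OFF_HOURS = (22, 6)         # logins from 22:00 through 05:59 count as late-night
ORG_DOMAIN = "example.org"  # constructed internal mail domain

# Constructed records in a hypothetical normalized schema:
# (ISO timestamp, user, action, target). Map your platform's export onto it.
SAMPLE = [
    ("2024-03-01T09:05:00", "jdoe", "login", "vpn"),
    ("2024-03-01T10:00:00", "jdoe", "share", "colleague@example.org"),
    ("2024-03-01T10:30:00", "jdoe", "download", "budget.xlsx"),
    ("2024-03-01T23:12:00", "jdoe", "login", "vpn"),
    ("2024-03-01T23:15:00", "jdoe", "download", "hr/payroll.csv"),
    ("2024-03-01T23:16:00", "jdoe", "download", "hr/reviews.docx"),
    ("2024-03-01T23:18:00", "jdoe", "download", "it/network.vsdx"),
    ("2024-03-01T23:40:00", "jdoe", "download", "it/vendors.xlsx"),
    ("2024-03-01T23:45:00", "jdoe", "share", "jdoe.home@mail.example"),
    ("2024-03-01T23:50:00", "jdoe", "usb_mount", "removable-disk"),
    ("2024-03-01T23:52:00", "jdoe", "delete", "it/runbook-1.md"),
    ("2024-03-01T23:53:00", "jdoe", "delete", "it/runbook-2.md"),
    ("2024-03-01T23:54:00", "jdoe", "delete", "it/runbook-3.md"),
    ("2024-03-01T23:55:00", "asmith", "download", "budget.xlsx"),
]

def review(records, user):
    """Return (finding, when, detail) tuples for one user's audit records."""
    findings, per_hour = [], Counter()
    for ts, who, action, target in records:
        if who != user:
            continue
        t = datetime.fromisoformat(ts)
        if action in ("download", "delete"):
            # Bulk activity is judged per clock hour, after the loop.
            per_hour[(action, t.strftime("%Y-%m-%d %H:00"))] += 1
        elif action == "login" and (t.hour >= OFF_HOURS[0] or t.hour < OFF_HOURS[1]):
            findings.append(("late_night_login", ts, target))
        elif action == "share" and not target.lower().endswith("@" + ORG_DOMAIN):
            findings.append(("external_share", ts, target))
        elif action == "usb_mount":
            findings.append(("usb_usage", ts, target))
    for (action, hour), count in sorted(per_hour.items()):
        if count >= BULK_THRESHOLD:
            findings.append((f"mass_{action}", hour, count))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, "jdoe"):
        print(finding)
```

Run it against a copy of the export taken under the hold from step 2, so the review never touches the preserved originals.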
Continuity of service
- Reassign critical permissions and ownership before the access is revoked.
- Notify the team — without naming the individual — that access is being audited as part of a separation.
Communication
Closed session only — personnel matters are protected under most open-meeting laws.
Regulator hand-off
- Only if data exfiltration is confirmed and PII was taken — then standard breach-notification rules apply.
FAQ
Depends on jurisdiction, union contract, and your acceptable-use policy. Get HR and counsel involved before enabling monitoring — evidence collected outside policy may be inadmissible.