Protecting Departed Employee OneDrive Data

The following is a true story…really. The names have been changed to protect me.

What happens to a departing employee’s work data when they leave the company?

Several years ago, I received a call from a friend I used to work with at another company. They were looking for an interactive Excel TCO/ROI/NPV/BET model I had developed while employed at the company. It was a massive model that I had invested 2-3 months of work. It became a much-requested tool for sales to reference to show how a cloud-based archive could dramatically lower the overall TCO of archiving while (in most cases) showing a positive return on investment (ROI), profitable net present value (NPV), and a really short breakeven time (BET).

The downside was that it was relatively complex (it combined hundreds of calculations across eight different Excel pages), and so was difficult for many in sales (and everyone else) to describe/explain. Because I created it, I ended up being the designated presenter of the model at customer meetings and calls. This meant that I was one that kept the master version and over time, the only person that had a copy of the model.

Do you by chance still have…

Getting back to the call from my good friend and ex-coworker, he asked me if I still had a copy of the TCO/ROI model that, if yes, could I send it to him. It turns out that they had a very large potential customer that wanted to see a detailed ROI calculation and description of their particular situation. It seems the salesperson had mentioned that the company had a TCO/ROI model that would provide a detailed TCO analysis of the customer’s current technology and create a detailed ROI/NPV/BET calculation if the customer replaced it with the new technology.

Wanting to close the sale, the company had spent a great deal of time looking for the actual model but couldn’t find it. The customer was pushing hard to get the TCO/ROI results or, if not, choose another vendor’s solution.

It's on my laptop

In fact, I did not have a copy of the model – I swear! Part of the company’s exit process for departing employees included being presented a legal form to sign to certify that I had deleted ALL data/files I had generated and received while employed at the company - under penalty of prosecution. I took that very seriously and actually did delete everything.

I mentioned to my friend that when I had turned in my laptop on the last day of work, I had written a long email to my managing VP, giving him all of my passwords, share drive locations, etc. In fact, I believe I also noted to my manager that it would be stupid to reassign the laptop to another employee in the near-term because of the useful data the laptop contained. It turns out that they had wiped and reimaged my laptop within a couple of weeks, and all of the data on the laptop was irretrievably gone.

It's in my OneDrive account

Also in that final email to my manager, I had pointed out that my Office 365 email and OneDrive account also contained data they would find useful (including the TCO/ROI model) and to not reassign the Office 365 license until my data had been copied to another repository that people in my group could access when needed. Of course, the company quickly reassigned the Office 365 license and lost all of my files.

Let's understand what it means to delete an Office 365 license holder and transfer that license to another. When you delete a user in the Microsoft 365 admin center, the company can choose what will happen with the departing employee’s product licenses, email, and OneDrive data.

One possibility many companies choose is to grant access to the departed employee’s accounts so they can review and download what they think will b needed in the future. That designated user will have 30 days by default to access and download any data they want to keep.

After the 30 days, the OneDrive Cleanup process is run, and all data in that Office 365 account will be deleted at the end of the 30 days. If a manager is specified for the deleted account, the manager will receive an email telling them they have access to the departed employee’s OneDrive, and that the OneDrive will be deleted at the end of the 30 day retention period. Seven days before the 30 day retention period expires, a second email will be sent to the manager or secondary owner as a reminder that the OneDrive will be deleted in 7 days.

Best practices for departing employee data

I never asked my friend what happened with the potential deal, but for me, it highlighted an important missing process in many companies – that of treating departing employee data as valuable (also in some cases, legally required).

An important part of the employee exit process, safeguarding employee data, should be top of mind for HR, IT, and Corporate Legal. When an employee gives notice or is RIF’d, IT should be alerted immediately to begin capturing and consolidating their data and migrating it into data repositories, such as corporate cloud repositories where it can be secured, managed, and accessed by authorized employees. Your GC will probably want to keep all email and OneDrive data for an extended time in case lawsuits crop up during the statute of limitations as well as keeping it available for use and reference for current employees.

Remember, companies hire employees for their abilities, know-how, creativity, and experience. Blindly destroying the data they work with and create is a huge waste of money.

Archive360 works with clients to ensure departed employee Office 365 data is captured, migrated, stored, and managed in a legally defensible manner, ensuring those valuable assets are not lost. Contact us today to hear how we can help.