Help! My Employee Quit and Deleted Their Files! Here’s What to Do

Disasters tend to happen when you least expect them to. That’s what makes them disasters. A bad situation is often made much worse simply because you didn’t expect it, and that can be the case here. Let’s say an employee suddenly quits, and deletes all of their files on the way out. This can be a sticky situation, so here are a few ways to handle it when it happens, and a few ways to prepare for it just in case.

Let's Help You Get Control Over Your IT. Get a Free Consultation Today

What Can You Do?

Let’s assume that you don’t have a backup—that’s the obvious remedy to all of this. We’ll talk about that a little later on.

The scenario plays out like this; you had an employee, they had a really bad day and wiped out all of their data and left without warning. Alternatively, you could have a similar situation where you fired an employee, or an employee gains the knowledge that they are going to be terminated—either way, this is a short-notice set of events triggered by an overwhelming emotional response. A lot can happen in a very short amount of time.

Let’s say this individual wanted to totally salt the Earth. They deleted their email inbox, their documents, wiped out their password manager, and anything else they could get their hands on and quickly remove. Maybe they got into SharePoint, Google Drive, OneDrive, or whatever file collaboration service you use and deleted everything they owned there too. Just to add complexity, let’s say you use some sort of CRM or other line of business application that stores a ton of customer information and historical data, and they logged in and deleted or altered a bunch of random information there as well.

If just conceptualizing this rogue employee makes your blood boil, you aren’t alone.

Data loss is a huge problem for businesses, and 94% of companies that suffer from a catastrophic data loss event simply don’t survive. Even if this individual only deletes their own data, or maybe data from their particular department, it can still be a major problem and take a ton of time, money, and effort to restore things back to normal.

Alright, let’s recap. Our rogue employee deleted the following (this is important, because each system may require a slightly different method of recovery):

• Their work email inbox
• Their documents on their local PC
• Their department-wide documents folder
• Their password manager
• Files they owned in SharePoint
• Random items and contacts from your CRM.

That’s a lot of damage, and the likelihood of recovery will depend on how each system is set up, but we’re going to work through each.

You Have Some Legal Recourse

Let’s get this out of the way. While this doesn’t get you your data back, it is something worth being aware of. Under the Computer Fraud and Abuse Act, it is illegal for an employee to knowingly damage or delete files without authorization. If you were to choose to pursue this, your employee could face criminal and civil liability. You’ll want to work with your lawyer to make this decision, and if it’s a case where the user stole data or could return some of the data, that might be a way to settle it.

Recovering Emails

Depending on your email platform, you might be able to recover this. In Outlook, deleted emails could simply just end up in the Trash folder, and could be moved. If it’s not there, the next spot to check is the Recoverable Items folder. This is a hidden folder. It’s not a guarantee, but there’s a chance some information could be there. Microsoft has some other failsafes to attempt, but if your email wasn’t set up with continuity in mind, you might not have a lot of options. If you use Google Workspace and corporate Gmail for your email, deleted emails can be restored as long as it is done within 30 days of the emails being deleted.

Recovering Documents on a Local PC

The obvious step is to check the system’s Recycling bin to see if the files are there. Otherwise, you need to rely on some sort of backup, whether it’s the built-in Windows backup (if it was configured) or some other backup solution. Our techs can evaluate further to see if there are any additional options for you.

This can put you in a tough situation, so it’s important to make sure that all of your users are always saving data to a centralized location and NOT their local machines, as it’s much more likely that your centralized server or document storage system is being backed up. Again, this is a huge “what if” for your organization, but having a backup solution isn’t a luxury—it’s an absolute necessity.

Recovering Documents on a Centralized or Shared Directory

This is going to be a big “what if” as well. If you have some sort of backup covering your servers, or you are using a cloud solution, then you should be able to restore from that. If you are using something like SharePoint or OneDrive or Google Drive, there are utilities that could be backing things up that you might not even be aware of. 

If you found this article because you are in the middle of dealing with deleted files, the last thing you probably want to hear again and again is “Well, you should have a backup,” but this really is an integral part of your IT and your overall business continuity, so we have to mention it.

If you are really in over your head, you can give us a call at (512) 343-8891 and we’ll work with you to see if there is anything we can do to help you recover your data—just know that without a backup of some sort, your options are severely limited.

Recovering Passwords from a Password Manager

Depending on the password manager, assuming you are using a business or enterprise solution, you should be able to get these accounts back. Deleted items and folders can typically be restored from the account, that process is just going to be a little different depending on the solution. 

Recovering Deleted Files in SharePoint

Similar to files on a PC, deleted items in SharePoint are kept in a recycle bin for a period of time before they are permanently deleted. This also applies to Microsoft OneDrive. An admin simply needs to access the recycle bin and restore the files.

How to Restore Deleted Items and Contacts Within Your CRM

This is probably the most tricky one, and it truly depends on your CRM or line of business application. Sometimes, they might simply have a recycle bin. Others might have some type of versioning built in so you can restore to a previous version of the data for a particular item. It’s also possible that we could restore the database if regular snapshots are taken and backed up.

If the CRM is cloud-hosted, it’s likely that there will be backups. The tricky part is being quick about restoring the information—if you don’t realize the data went missing for several days or weeks, it’s possible you’ll miss your window to restore it, and restoring it will cause you to lose the last several days of work.

Taking Preventative Steps Will Make All the Difference

Having a solid backup and disaster recovery solution, while following some best practices when it comes to how you manage data, would reduce the risk and headache if your business were to suffer from a rogue employee or some other similar threat.

All company data needs to be backed up automatically, and stored off site to guarantee retention. Cloud solutions and local applications alike need to be audited to ensure their data is being backed up, or they offer restoration/versioning options. Employees should only have access to the data they need to do their jobs (a sales person doesn’t need access to customer financial information, etc.). Reducing the amount of reach a user has will prevent issues from getting larger than they have to be.

Let's break down the steps to minimize potential damage:

Establish Policies for Employee Termination

Clearly communicate internal policies to all employees during onboarding and during regular IT training that there are consequences for deleting company files or attempting to cause damage to company systems and information. 

You can also establish network policies that limit how much information a user can access, where data is stored, and what software is allowed to be installed on a machine.

Revoke Access to Company Systems Quickly

If you are terminating an employee, make sure that you have IT on standby to immediately revoke their access. That includes access to email, files, and all company devices and accounts.

Perform an IT Audit Immediately

An audit should be performed, looking for signs of deleted files, unauthorized access, and user accounts that may have been missed in the step above. Changing passwords to shared devices or services need to be done quickly, and review email groups and policies to make sure the user isn’t still somehow getting access to sensitive information or messaging. If that user had access to the company website, or had access to a particular vendor account, make sure that passwords are changed and vendors are notified.

Err on the Side of Caution

We’re not saying you should distrust your employees. The vast majority of them are probably wholesome, honest, hardworking individuals. Here’s the thing though—a wholesome, honest, hardworking individual can reach the end of their rope and do something that’s out of character.

Maybe you’ll see it coming from a mile away, or maybe you’ll get that famous “business owner gut feeling” that just tells you that something is up with this particular employee. Either way, it’s a good practice to simply be prepared for malicious intent, and when implemented correctly, it shouldn’t demoralize the majority of your staff that would never imagine deleting files or causing other problems on the way out the door.

Whether you are dealing with an emergency right now and need help, or you want to take steps to prevent future issues, give Capstone Works a call at (512) 343-8891. We’re here to help Cedar Park area businesses with their technology.

Let's Help You Get Control Over Your IT. Get a Free Consultation Today