Employee exits aren’t just a cultural moment – they’re a high‑risk flashpoint for IP theft, and HR is now squarely on the front line of defence
For HR leaders, employee departures are often framed around culture, continuity and employer brand. But according to John Taylor, chief technology officer for Mimecast in APAC, they should also be treated as a critical point of risk for intellectual property (IP) and confidential information.
“Data theft by departing employees represents a significant legal and commercial risk for Australian businesses,” Taylor says. It is not an edge case – it is common enough that organisations across sectors are investing heavily in prevention and detection. HR, he argues, is squarely on the front line.
A problem that is more common than it appears
Just last year, an exiting Intel employee was accused of stealing around 18,000 files from the company, including those labelled “top secret”.
Nor was this an isolated incident: a study from the Ponemon Institute found that 59% of employees departing a company take confidential or sensitive information with them.
Taylor noted that while the prevalence of IP theft varies by industry, seniority and function, it happens frequently enough to warrant systematic controls.
Departing employees may be tempted to take information when they move to a competitor, launch a start‑up, or seek an advantage in their next role. The information they copy can include client and prospect databases, detailed pricing models, proprietary algorithms, technical designs, and sensitive strategic business plans.
The most serious issue is not just how often this occurs, but how rarely it is detected in time. Taylor described detection as the “greatest challenge.”
In many cases, employers never realise information has been copied, or they discover it only after damage has occurred. By the time unusual behaviour – such as mass downloads or non‑typical access to high‑value systems during a notice period – is noticed, the data may already be in a competitor’s possession, well beyond the employer’s practical control.
The cost of getting IP protection wrong at exit
When organisations fail to adequately prevent or respond to data theft at the point of exit, the impact can be swift and severe.
Commercially, the risk is straightforward: when proprietary strategies, pricing frameworks and client data fall into a competitor’s hands, market position can erode very quickly.
A former employee who understands your margins, discount thresholds and pipeline can help a rival win deals by undercutting prices with precision and by timing approaches to coincide with renewals.
As Taylor pointed out, when ex‑employees use customer lists or trade secrets to compete against you, the financial damage tends to compound rather than remain isolated to a single account.
Client relationships are also placed under strain. Departing staff often leave with deep relationship history and confidential account information stored in emails, notes and CRM systems.
If that knowledge, along with contact lists and sensitive commentary, is exported to a competitor or a new venture, it enables methodical targeting of your existing customer base.
Clients can suddenly find themselves courted by a familiar face armed with detailed knowledge of their issues, contracts and pricing. The result can be immediate churn, but also a longer‑term weakening of trust and future opportunities.
The loss of competitive advantage may be even more difficult to reverse. Trade secrets, algorithms, source code fragments and product roadmaps represent years of investment in R&D and strategy.
Overlaying all of this is legal and regulatory exposure. If the data that walks out the door includes personal information or other regulated content, the incident can trigger privacy and cybersecurity obligations, including regulatory investigations, mandatory breach notifications and the prospect of litigation.
Contractual commitments to customers, especially in sectors with strict confidentiality clauses, can also be thrown into question. For HR leaders, this means offboarding processes are no longer a back‑office activity; they are a visible component of the organisation’s risk and compliance posture.
Five lines of defence HR can shape
Taylor argues that Australian employers need multiple, overlapping safeguards to meaningfully reduce the risk of IP theft when employees move on. HR plays a critical role in almost every one of them.
The first line of defence begins at the start of the employment relationship. Employment agreements should contain robust confidentiality obligations, clear statements on intellectual property ownership, and, where appropriate and lawful, restraint of trade provisions.
HR leaders should ensure these contracts are reviewed regularly by legal advisers so that they remain aligned with current Australian employment law and case developments. When issues arise at exit, the strength and clarity of these documents can determine how effectively an organisation can respond.
The second line of defence is cultural. A company can have well‑drafted policies and still be exposed if employees view data as something they personally “own” and can take with them.
Taylor recommends that HR focus on building a culture where IP protection is understood as a collective responsibility rather than a sign of mistrust. This means embedding IP awareness into onboarding, reinforcing confidentiality obligations periodically rather than only at exit, and ensuring leaders model disciplined behaviour around data handling.
When people see that protecting information is essential to safeguarding the business that employs them, compliance becomes less about policing and more about shared accountability.
A third, more technical line of defence is sound data governance. Many incidents occur not because of deliberate malice but because access has expanded over time without review.
Organisations need clarity on which data exists, who owns it, where it resides, and how it flows between systems. Access should be limited to what individuals genuinely need to perform their roles, and those permissions should be revisited on a regular schedule.
Taylor advocates for quarterly access audits as a baseline, with automatic access reviews triggered when roles change or when an employee gives notice. For HR, that means integrating governance checkpoints into lifecycle events, not treating them as an afterthought once IT is informed.
The fourth line of defence is deeper collaboration between HR and security teams around exits. Offboarding should be managed as a structured, cross‑functional workflow, not as a loose checklist that varies from manager to manager.
Taylor recommends that organisations create clear, documented processes for resignations, redundancies and terminations that spell out who does what and when.
These should specify the timing and sequence for revoking or tapering system access, outline how file activity will be monitored during notice periods, describe how devices will be collected and handled, and define how exit interviews will reinforce ongoing confidentiality obligations. When HR, IT and security operate from the same playbook, the chance of gaps and misunderstandings is greatly reduced.
The fifth and final line of defence is technology‑driven visibility and automation. Manual processes alone cannot keep pace with the volume and speed of data movement in modern environments, particularly as organisations adopt cloud tools and remote work arrangements.
Taylor highlights that modern security and data protection platforms can flag or block behaviours such as mass downloads, large external transfers, or unusual access to sensitive repositories.
Automated controls can challenge or halt high‑risk actions before information leaves the organisation. To make these tools effective, employers must understand where their critical data actually lives, how systems are interconnected, and where information flows both inside and beyond their infrastructure. Without that baseline visibility, even sophisticated tools can leave blind spots.
The HR imperative: from paperwork to risk management
Taylor’s overarching message to HR leaders is that employee departures can no longer be treated as a routine administrative endpoint. Each exit represents a concentrated moment of risk when valuable knowledge, relationships and data are in motion.
By strengthening contracts, shaping culture, embedding data governance into the employee lifecycle, formalising collaboration with security, and supporting investment in monitoring and automation, HR can turn offboarding from a vulnerability into a managed event.
Organisations that do this well not only reduce the likelihood and impact of IP theft; they also protect hard‑won competitive advantage, preserve client trust and demonstrate to boards and regulators that information protection is built into every stage of employment, from entry to exit.