Langley, BC
(604) 800-9060
Teradrive Forensics
Departing employee data theft: 12 signs and the playbook

Twelve signs an employee may be exfiltrating data, plus the forensic and legal playbook for investigating, documenting, and acting on departing-employee theft.

Published May 1, 2026. Updated Apr 1, 2026. 13 min read

Departing employee data theft follows recognizable patterns. The signs cluster: large after-hours downloads, USB activity in roles that do not require it, email forwarding rules to personal addresses, mass-prints of customer or pricing data, and a surge of activity in the two weeks before resignation. When you see two or more of these together, the right response is forensic preservation within hours, not days, paired with HR coordination and counsel involvement to protect privilege.

This playbook walks through the 12 signs we see most often, the preservation steps that should follow, the forensic artifacts that establish exfiltration, and the typical sequence from suspicion through HR action or litigation.

Table of contents

  1. Why departing employees are the highest-risk insider scenario
  2. The 12 signs
  3. The first 24 hours after suspicion
  4. What forensic acquisition recovers
  5. Coordinating HR, IT, and counsel
  6. Outcomes: termination, civil action, criminal referral
  7. FAQ

1. Why departing employees are the highest-risk insider scenario

Most insider theft is not malicious in the dramatic sense. It is opportunistic. The employee has decided to leave, often to a competitor or to start their own venture. They take what they think they will need, what they think they can argue is "their own work," or what they think no one will notice.

The risk window is the two to four weeks before resignation, plus the period between resignation and final exit interview. Cloud-sync state, USB connections, and email forwarding can move enormous amounts of data in that window.

Most BC and Canadian employers have moderate-to-good detection on intentional malicious actors but limited detection on opportunistic departing-employee theft. The forensic record after the fact is usually how the employer discovers what happened.

2. The 12 signs

Any one of these can be innocent. Two or more together justify a forensic look.

1. Large after-hours downloads from SharePoint, OneDrive, or Google Drive. Particularly in the evenings or weekends in the four weeks before resignation.

2. USB drives connected in a role where USB is not authorized. USBSTOR registry keys and setupapi logs preserve the make, model, and serial of every USB device plugged in.

3. Outbound email forwarding rules. Auto-forwarding to a personal address quietly redirects messages for weeks.

4. Spike in print volume. Particularly volumes of customer lists, pricing matrices, or design documents.

5. Unusual access to file shares the user does not normally touch. Lateral movement within the file system that does not match the role.

6. Slack, Teams, or Discord conversations with external contacts. Particularly conversations that ramp up before the departure announcement.

7. Cloud account additions. New OAuth grants from third-party apps to M365 or Google Workspace, particularly to file-sharing or backup services.

8. Browser activity to file-sharing sites. WeTransfer, Sendspace, Mega, plus archive-creation tools, particularly with timestamped POST requests.

9. Sudden interest in customer lists, contracts, or pricing. Pulling materials that are unusual for the role or the current project.

10. Calendar invites to "interviews" or "personal appointments." Particularly during business hours, particularly recurring.

11. A resignation that arrives shortly after a competitor's announcement. Of a new product, a hire, or an investment round.

12. Soft signals from peers. Coworkers report the employee has been "checked out" or has been making comments about leaving. HR often hears these well before the resignation.
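Sign 2 rests on the setupapi log, which records the make, model and serial of each USB device on first installation. As an added example (not Teradrive's tooling or anything named in this article), this parser pulls USBSTOR disk installs out of a setupapi.dev.log; the excerpt, device names and serials are constructed.

```python
"""Pull USB mass-storage installs from a Windows setupapi.dev.log.
Added example for this article, not Teradrive's tooling. SAMPLE_LOG is constructed
but follows the real layout: an install header naming the device instance path,
then a 'Section start' line with the timestamp. Sections are written when a device
is FIRST installed, so this yields first-seen time only, not every connection."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed: two USBSTOR disks (device serial vs. Windows-generated id) and one
# HID device the parser must skip. 'Section end' lines omitted for brevity.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0014780D8B4BEB30F9C9D57A&0]
>>>  Section start 2026/03/12 22:41:05.118
>>>  [Device Install (Hardware initiated) - HID\\VID_046D&PID_C52B\\7&2a1b3c4d&0&0000]
>>>  Section start 2026/03/13 08:02:11.004
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&1e7b0e3f&0]
>>>  Section start 2026/03/14 01:17:42.655
"""

INSTALL_RE = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - USBSTOR\\Disk"
    r"&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")

@dataclass
class UsbInstall:
    first_seen: datetime
    vendor: str
    product: str
    revision: str
    serial: str
    serial_from_device: bool  # False: Windows generated the id because the device reported none

def parse_setupapi(text: str) -> list:
    installs, pending = [], None
    for line in text.splitlines():
        if line.startswith(">>>  ["):            # every install header resets state...
            pending = INSTALL_RE.match(line)     # ...and is kept only if it is a USBSTOR disk
            continue
        s = START_RE.match(line)
        if s and pending:                        # the timestamp is on the next 'Section start' line
            inst = pending.group("instance")
            installs.append(UsbInstall(
                first_seen=datetime.strptime(s.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                vendor=pending.group("vendor"), product=pending.group("product").replace("_", " "),
                revision=pending.group("rev"), serial=inst.rsplit("&", 1)[0],  # drop "&<interface>"
                serial_from_device=not (len(inst) > 1 and inst[1] == "&")))  # '&' 2nd char = generated id
            pending = None
    return installs
```

A generated id still identifies the device on that host, but it cannot be matched against the same stick plugged into another machine the way a device-reported serial can.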

3. The first 24 hours after suspicion

Once two or more signs cluster, the response window is short. The right sequence:

Hour 0 to 6: Counsel involvement. The matter should be channelled through internal or external counsel from the start. This is what creates litigation privilege over the subsequent forensic work and HR coordination.

Hour 6 to 12: Forensic preservation. Cloud audit log preservation is the most time-sensitive piece. M365 unified audit log retention is 90 to 180 days by default. Endpoint preservation can run in parallel. Both should begin within the same business day.

Hour 12 to 24: HR scoping. HR confirms the employment status, the access scope, the upcoming resignation timeline, and any signals from the employee's recent conduct.

Hour 24 to 48: Examiner scoping. The forensic examiner reviews the preservation, identifies the in-scope artifacts, and gives counsel a written timeline for the analysis.

The total elapsed time matters because audit logs are aging out and the employee may still be in the system, modifying behaviour as soon as they suspect they are being watched.

4. What forensic acquisition recovers

The recoverable artifact set in a typical departing-employee matter:

  • USB connection records in the Windows registry SYSTEM hive (USBSTOR, MountedDevices) and setupapi logs, with make, model, serial, and timestamps.
  • Cloud upload activity in OneDrive, Google Drive, Dropbox, and Box logs, often correlated to specific files and exact byte counts.
  • Email forwarding rules in M365 and Google Workspace mailbox settings, plus the audit log entries that record their creation.
  • Browser uploads to file-sharing sites, with timestamps and (where available) the file names of uploaded content.
  • Print job records showing volumes and document names.
  • File access timestamps in the MFT and USN journal that establish exactly which files were touched and when.
  • Recently used and jump list artifacts showing the user's interaction with specific documents.
  • Cloud sync state that often preserves file content even after local deletion.
  • App-specific artifacts from communication tools (Slack export, Teams chat history) where the user discussed exfiltration plans.

The strength of the matter often comes from correlating multiple artifacts to a single timeline.
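The "two or more signs together" threshold from section 2 and the single-timeline correlation above, as one added example that is not part of the original article: constructed events from several sources are merged into a per-user timeline, users whose distinct signs cluster inside a window are flagged, and the date the oldest event leaves a 90-day audit log is computed. The tuple layout, user names and event values are assumptions.

```python
"""Correlate artifacts from several sources into one per-user timeline and flag
users where two or more distinct signs cluster inside a window.

Added example for this article, not Teradrive's tooling. Events are constructed;
the tuple layout stands in for normalised M365, setupapi and print-server records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: (when, user, source, sign, detail); 'sign' names the article's signs.
EVENTS = [
    ("2026-03-10T21:48:00", "jdoe", "m365-audit", "after-hours download", "FileDownloaded x412 /Sales/Pricing"),
    ("2026-03-11T09:15:00", "asmith", "m365-audit", "forwarding rule", "New-InboxRule -> personal mailbox"),
    ("2026-03-12T22:41:05", "jdoe", "setupapi", "unauthorized USB", "Kingston DataTraveler 3.0 (first seen)"),
    ("2026-03-13T12:00:00", "jdoe", "print-log", "print spike", "Customer_List_Q1.xlsx, 380 pages"),
    ("2026-03-16T08:30:00", "jdoe", "m365-audit", "forwarding rule", "New-InboxRule -> personal mailbox"),
    ("2026-02-01T10:00:00", "rlee", "setupapi", "unauthorized USB", "SanDisk Cruzer (first seen)"),
    ("2026-03-20T10:00:00", "rlee", "print-log", "print spike", "Design_Specs.pdf, 120 pages"),
]

def build_timeline(events):
    """Group by user and sort chronologically: the single timeline counsel will read."""
    per_user = defaultdict(list)
    for when, user, source, sign, detail in events:
        per_user[user].append((datetime.fromisoformat(when), source, sign, detail))
    for rows in per_user.values():
        rows.sort()
    return per_user

def clustered_signs(timeline, window=timedelta(days=28), min_signs=2):
    """Users whose DISTINCT signs inside any window of the given length reach
    min_signs. One sign can be innocent; the threshold is two or more together."""
    flagged = {}
    for user, rows in timeline.items():
        for i, (t0, *_) in enumerate(rows):
            signs = {sign for t, _, sign, _ in rows[i:] if t - t0 <= window}
            if len(signs) >= min_signs:
                flagged[user] = sorted(signs)
                break
    return flagged

def audit_log_deadline(timeline, user, retention_days=90):
    """When the user's oldest event ages out of a 90-day audit log, the article's
    lower bound for default M365 retention: preservation has to land before this."""
    return timeline[user][0][0] + timedelta(days=retention_days)

if __name__ == "__main__":
    tl = build_timeline(EVENTS)
    for user, signs in clustered_signs(tl).items():
        print(user, signs, "preserve before", audit_log_deadline(tl, user).date())
```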

5. Coordinating HR, IT, and counsel

The classic mistake is for HR or IT to investigate first and bring counsel in only after a decision has been made. This:

  • Loses litigation privilege over the early forensic work.
  • Creates inconsistent records across HR, IT, and the eventual forensic team.
  • Risks alerting the employee through visible HR or IT activity.

The right model is counsel-led, with HR and IT supporting. The forensic team is engaged through counsel. All communications about the investigation are channelled through a defined contact list.

Once the forensic record is in hand, HR can act (suspend, terminate, negotiate severance), counsel can file (interim injunction, civil claim, criminal referral), or both.

6. Outcomes: termination, civil action, criminal referral

Most departing-employee matters resolve at the HR or civil level. Criminal referrals under Criminal Code section 342.1 (unauthorized use of a computer) and section 430(1.1) (mischief in relation to data) are less common and typically reserved for the most aggressive cases.

The forensic record supports all three tracks. The same examiner report that grounds a termination decision can support a civil claim for breach of fiduciary duty and (where applicable) Defend Trade Secrets-style provisions in employment contracts. If a criminal referral is appropriate, the report goes to police as a starting point for their independent investigation.

Reference: Criminal Code of Canada, Section 342.1. Office of the Privacy Commissioner of Canada, breach reporting guidance.

7. FAQ

Q: How quickly do we need to preserve evidence? A: Within hours. M365 audit log retention is short and the employee may modify behaviour as soon as they suspect they are being watched.

Q: Can we preserve evidence without alerting the employee? A: In many cases yes. Cloud audit log preservation is server-side. Endpoint preservation can use remote agents during scheduled maintenance windows.

Q: What if the employee has already left and returned the laptop? A: Often a strong starting point. As long as the device has not been wiped or re-imaged, the artifacts on it are preserved by default. Move quickly because IT often re-images returned devices within days.

Q: Can the forensic record support both termination and a civil claim? A: Yes, when the engagement is structured to litigation-grade standards from the start. Defensibility, chain of custody, and methodology disclosure all matter.

Q: How long does an investigation take? A: A single-employee matter typically moves from intake to draft report in two to four weeks. Urgent matters can be expedited.
