Skip to main content

Who is this article for?

Code42 for Enterprise
CrashPlan for Enterprise

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:


Code42 Support

Best practices for protecting data when employees leave

Who is this article for?

Code42 for Enterprise
CrashPlan for Enterprise

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:



The ease with which employees can exfiltrate data continues to be a large insider risk. You can use Code42 to help mitigate this risk by:

  • Detecting who is taking data in the days before they leave
  • Identifying the data that was taken
  • Gathering file evidence so you can take legal action if necessary

This article provides best practices for using Code42 to keep company data secure when employees leave.  

For best practices to detect file exfiltration by current employees or business associates, see Detect and respond to insider risks.


  • The procedures described here are suggestions, not requirements, for using Code42 to handle employee departures at your organization. Be sure to adjust the tasks described in this article as needed to work in accordance with your company's own processes for offboarding employees.
  • You must have an Incydr or Code42 Platinum product plan to use the departing employee, alerts, and Forensic Search capabilities of Code42. Contact your Customer Success Manager (CSM) for assistance with product plans. If you're not sure how to reach your CSM, email and we will connect you.
  • You must have the Customer Cloud Admin role or the Security Center User role to perform the tasks in this article.
  • Many of these tasks can be performed using the Code42 API. If you have a standard offboarding scripting procedure, you can add the Code42 API tasks to the script. For help with using Code42 APIs, contact your Customer Success Manager to engage the Professional Services team.

Step 1: Capture file activity

Enable endpoint monitoring to capture file activity on each device in real time, helping you identify potential data leak vectors or security problems. Enable the following endpoint monitoring options:

  • Removable media
  • Cloud Sync Applications service
  • Browser and other Application Activity (file upload and download)
  • Printers (Mac and Linux only)
  • File Metadata Collection (only available if your product plan includes it)

Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection.

See Enable endpoint monitoring for file exfiltration detection for more information.

Enable File Metadata Collection
Select File Metadata Collection when enabling endpoint monitoring to start collecting file event data. You must select this option if you want to use Forensic Search to investigate departing employees' file activity.

Step 2: Detect file exfiltration

If your product plan includes Risk Exposure dashboards, Risk Detection lenses, or advanced alerting criteria, detect unauthorized movement of files offsite using the following options in the Code42 console:

Risk Exposure

The Risk Exposure dashboard shows file activity from throughout your entire environment to help you catch possible file exfiltration. 

See Review unusual file activity with the Risk Exposure dashboard for more information.

Departing Employees

From User Activity > Departing Employees, review the file activity of employees who are leaving your company. 

  • Quickly identify suspicious file movement
  • Review endpoint and cloud services activity
  • See file activity for the 90 days leading up to a departure

See Add departing employees for more information.

Track departing employees as soon as possible
Add employees to the Departing Employees list as soon as you have their departure dates, and enable alerts for all departing employees. If you delay, you could miss detecting unauthorized file activity. 


Watch the short video below to learn how to add users to the Departing Employees list. For more videos, visit the Code42 University.


Add security alerts to notify you when important data may be leaving your company. View existing alerts to find potential data leaks.

See Create and manage alerts for more information.

Step 3: Investigate suspicious file activity

Investigate for file exfiltration using the following options in the Code42 console

If your product plan includes File Metadata Collection or cloud and email services, use these additional options to investigate file exfiltration:

You can also use third-party tools in conjunction with Code42 to investigate suspicious file activity.

User activity

User Activity searches for users' security events detected by endpoint monitoring. Use this option when you want to view activity rather than receive notifications. You can see a trend of the user's activity over the last 60 days, providing a baseline of normal activity that helps you identify spikes in file movement that signal abnormal activity. You can export the results to a CSV file for analysis or archiving.

If your product plan includes advanced alerting criteria, use Alerts instead of the user activity feature. Alerts cover more types of file activity and allow you to investigate events in Forensic Search.

See User Activity and Activity Notifications reference for more information.

Activity notifications

When you first learn of an impending employee departure, set up activity notifications for the employee to monitor file activity detected by endpoint monitoring and receive an email notification when suspicious activity occurs. 

If your product plan includes advanced alerting criteria, use Alerts instead of activity notifications. Alerts notify you on a wider range of file activity. 

See Configure activity profiles for more information.

Forensic Search

Forensic Search provides detailed visibility for Code42 administrators about files on user devices, including files not selected for backup. Use Forensic Search to search file metadata to gain a clearer understanding of an employee's file activity in the time leading up to their departure.

Forensic Search helps you to quickly answer questions such as:

  • Is there file activity that looks suspicious?
  • Is there evidence of covering up suspicious file activity?
  • Does the employee have a specific file, or did the employee previously have it?

See Enable File Metadata Collection for more information.

Use Forensic Search to investigate suspicious file activity
Forensic Search is a powerful tool for investigating suspicious file activity. See our use case to learn how to use Forensic Search for departing employees.

Data connections

If your product plan includes one or more cloud service data connections (for example, Google Drive or Microsoft OneDrive), authorize Code42 to collect information about file movement into and out of these cloud services. Once connected, this information is available in Forensic Search for investigation.

See these tutorials for detailed instructions:

Third-party tools

Use the following third-party Code42 integrations to detect file exfiltration.


Splunk is a solution for data analytics monitoring and visualization. Use the Code42 Insider Threat app for Splunk to monitor file exfiltration. 

See Install and manage the Code42 Insider Threat app for Splunk for more information.

Splunk Phantom

Splunk Phantom is a security orchestration, automation, and response (SOAR) solution. Use the the Code42 app for Splunk Phantom to add Code42-specific actions to your Splunk Phantom environment, including running file queries with Forensic Search. 

See Code42 app for Splunk Phantom for more information.

IBM Resilient

IBM Resilient is a platform for orchestrating and automating incident response. Code42 for Resilient adds Code42-specific functions, rules, and workflows to extend the capabilities of your IBM Resilient environment, including the ability to investigate departing employees.

See Code42 for IBM Resilient for more information.

Step 4: Retain the departing employee's files

Before you deactivate the user who is departing, determine the methods you'll use to retain their files: 

Add the user to a legal hold for departing employees

Add the user to a departing employee legal hold matter using Code42's Legal Hold. Adding these employees to a legal hold:

  • Extends the data retention period beyond the default cold storage period 
  • Ensures you're prepared in the event of a lawsuit involving the user

See Configure a legal hold for more information.

Add high-risk employees to a legal hold
Add employees who have the highest risk of taking sensitive data to a legal hold. Adding them to a legal hold keeps the employees' data for a longer period, in case it is needed for additional investigation or future legal action. Deactivated users cannot be added to legal holds. If you need to add a deactivated user to a legal hold, first reactivate that user.

Retain archives in cold storage

When users are deactivated, their backup archives go into cold storage. Cold storage is a temporary holding state for archives after they are deactivated but before they expire and are permanently deleted. Archives in cold storage are similar to files in your computer’s Recycle Bin or Trash. A user who has an archive in cold storage still consumes a user subscription. Administrators can retrieve archives from cold storage throughout the cold storage retention period.

See Cold storage for more information.

Download the departing employee's files

Use Web Restore in the Code42 console to download the departing employee's files to a target device. Then you can retain the files as long as necessary. For example, you can perform a web restore to the device of the departing user's manager so they can reference past work or complete in-progress projects.

See Restore files from the Code42 console for more information.

Step 5: Deactivate the user

When an employee leaves, you must either manually deactivate the user, or if you have SCIM provisioning, deactivation happens automatically when you offboard the user via provisioning. When you deactivate a user, the user is signed out of all devices and online sessions, and the user cannot sign in to any part of your Code42 environment (either the Code42 app or the Code42 console).

When you deactivate a user, all of the user's backup archives go into cold storage. Archives in cold storage do not continue to back up, do not undergo archive maintenance, and by default will be deleted after a set number of days. (The cold storage quota may be configured differently for the user's organization.) To keep backup archives longer than the set cold storage period, see Retain a departing employee's files, above.

See Deactivate and reactivate users and devices for more information.

Deactivate departing employees on their departure date
Deactivate the employee's Code42 user account on their departure date to prevent them from signing in to the Code42 environment and getting access to company data after they leave.
  • Was this article helpful?