Skip to main content

Who is this article for?

CrashPlan Cloud
CrashPlan for Small Business
CrashPlan On-Premises

Find your product plan in the Code42 console on the Account menu.
Not a CrashPlan On-Premises customer? Search or browse Incydr and Instructor, CrashPlan Cloud, or CrashPlan for Small Business.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, no.

Incydr Basic, Advanced, and Gov F1, no.

CrashPlan Cloud, no.

Retired product plans, yes.

CrashPlan for Small Business, no.

Code42 Support

Best practices for protecting data when employees leave


Roughly half of all employees admit to taking their employer's data with them when they leave. Use Code42 to:

  • Detect who is taking data in the days before they leave
  • Identify the data taken
  • Gather file evidence so you can take legal action if necessary

This article provides best practices for using Code42 to keep company data secure when employees leave.  

More advanced methods for detecting files leaving your company, such as Forensic File Search, are available in the Code42 cloud version of our software. For more information, see the this article for Code42 cloud customers.

For additional best practices on protecting your company from data loss by current employees or business associates, see Best practices for using Code42 to address insider risk


  • The procedures described here are suggestions, not requirements, for using Code42 to handle employee departures at your organization. Be sure to adjust the tasks described in this article as needed to work in accordance with your company's own processes for offboarding employees.
  • Many of these tasks can be performed using the Code42 API. If you have a standard offboarding scripting procedure, you can add the Code42 API tasks to the script.
  • Some of these tasks require a product plan that includes the necessary features. Contact your Customer Success Manager (CSM) for assistance with licensing. If you do not know your CSM, please contact our Customer Champions for support.

Step 1: Capture file activity

Enable endpoint monitoring to capture file activity on each device in real time, helping you identify potential data leak vectors or security problems. Enable the following endpoint monitoring options:

  • Removable media
  • Cloud sync applications
  • Browser and other application activity (file upload and download)

Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. See Enable endpoint monitoring for file exfiltration detection for more information.

Enable monitoring for removable media and cloud sync applications
Select Removable Media and Cloud Sync Applications when enabling endpoint monitoring. These represent two common methods that departing employees use to take company data. 

Step 2: Detect file exfiltration

Code42 gives you visibility into activity such as moving unauthorized files offsite. Once you enable endpoint monitoring, alerts notify you when the suspicious activity occurs.

The following Code42 features help you monitor and view file movement:

User activity

User activity searches for users' security events detected by endpoint monitoring. Use this option when you want to view activity rather than receive notifications. You can see a trend of the user's activity over the last 60 days, providing a baseline of normal activity that helps you identify spikes in file movement that signal abnormal activity. You can also export the results to a CSV file for analysis or archiving. You can export the results to a CSV file for analysis or archiving.

See User Activity and Activity Notifications reference for more information.

Activity notifications

When you first learn of an impending employee departure, set up activity notifications for the employee to monitor file activity detected by endpoint monitoring and receive an email notification when suspicious activity occurs.

See Configure activity profiles for more information. 

Third-party tools

Use the following third-party Code42 integrations to detect file exfiltration.


Splunk is a solution for data analytics monitoring and visualization. Use the Code42 for Splunk (Legacy) app to monitor file exfiltration using security dashboards

See Install and manage the Code42 for Splunk (Legacy) app for more information.

Splunk Phantom

Splunk Phantom is a security orchestration, automation, and response (SOAR) solution. Use the the Code42 app for Splunk Phantom to add Code42-specific actions to your Splunk Phantom environment. 

See Code42 app for Splunk Phantom for more information.

Step 3: Retain the departing employee's files

Before you deactivate the user who is departing, determine which of the following methods you'll use to retain their files:

Add the user to a legal hold for departing employees

Add the user to a departing employee legal hold matter using Code42's Legal Hold web app. Adding these employees to legal hold:

  • Extends the data retention period beyond the default cold storage period 
  • Ensures you're prepared in the event of a lawsuit involving the user

See Configure a legal hold for more information.

Add high-risk employees to a legal hold
Add employees who have the highest risk of taking sensitive data to a legal hold. Adding them to a legal hold keeps the employees' data for a longer period, in case it is needed for additional investigation or future legal action. Deactivated users cannot be added to legal holds. If you need to add a deactivated user to a legal hold, first reactivate that user.

Retain archives in cold storage

When users are deactivated, their backup archives go into cold storage for 365 days (by default). Cold storage is a temporary holding state for archives after they are deactivated but before they expire and are permanently deleted. Archives in cold storage are similar to files in your computer’s Recycle Bin or Trash. A user who has an archive in cold storage still consumes a user subscription. Administrators can retrieve archives from cold storage throughout the cold storage retention period.

See Cold storage for more information.

Download the departing employee's files

Use Web Restore in the Code42 console to download the departing employee's files to a target device. Then you can retain the files as long as necessary. For example, you can perform a web restore to the device of the departing user's manager so they can reference past work or complete in-progress projects.

See Restore files from the Code42 console for more information.

Step 4: Deactivate the user

When an employee leaves, you must either manually deactivate the user, or if you have SCIM provisioning, deactivation happens automatically when you offboard the user via provisioning. When you deactivate a user, the user is signed out of all devices and online sessions, and the user cannot sign in to any part of your Code42 environment (either the Code42 app or the Code42 console).

When you deactivate a user, all of the user's backup archives go into cold storage. Archives in cold storage do not continue to back up, do not undergo regular archive maintenance, and by default will be deleted after 365 days. (The cold storage quota may be configured differently for the user's organization.) To keep backup archives longer than the set cold storage period, see Retain the departing employee's files above.

See Deactivate and reactivate users and devices for more information.

Deactivate departing employees on their departure date
Deactivate the employee's Code42 account on their departure date to prevent them from signing in to the Code42 environment and getting access to company data after they leave.
  • Was this article helpful?