16.6 HR and Legal Coordination

3-5 hours · Module 16

In external-attacker investigations, security leads and other teams follow. In insider threat investigations, security is one of three equal participants: security provides the technical evidence, HR manages the employment relationship, and legal advises on the process and potential outcomes.


The coordination model

Phase 1: HR referral (Day 0). HR contacts security with the risk indicator (resignation, competitor move). Security confirms the investigation scope and legal basis with legal counsel. No investigation begins without legal confirmation that monitoring is authorised.

Phase 2: Initial findings (Days 1-3). Security runs the baseline comparison and activity reconstruction (subsections 15.3-15.4). If the findings show normal activity: report to HR that no anomalies were detected. Investigation complete. If the findings show anomalous activity: present the timeline and exfiltration channel assessment to HR and legal. Do NOT present conclusions — present facts. “Marcus downloaded 67 files from the Design Archive on 28 March, which is 8x his daily average. 12 of those files were transferred to a USB device at 22:00 on 30 March. 5 files were emailed to a personal Gmail address on 29 March.” Let HR and legal determine the response.

Phase 3: Decision (HR/Legal). Based on the evidence, HR and legal determine: continue monitoring (if evidence is inconclusive), confront Marcus in a meeting with HR present, accelerate the departure (immediate access revocation + garden leave), or refer to law enforcement (if the value of stolen IP exceeds the criminal threshold).

Phase 4: Action (coordinated). If HR decides to revoke access: security executes the access revocation at a time coordinated with HR (typically at the start of the HR meeting with Marcus). If HR decides to pursue legal action: security provides the evidence package (subsection 16.5). If HR decides no action: security closes the investigation and documents the findings.


What security shares with HR

Share: Factual findings — file download volumes, file names, transfer channels (USB, personal email, cloud storage), timestamps, and the deviation from baseline.

Do NOT share: Raw KQL queries, technical log details, or speculation about intent. HR does not need to know that you used CloudAppEvents to find the data — they need to know that Marcus downloaded 67 proprietary files and transferred 12 of them to a USB drive.

Do NOT share with Marcus’ manager. The investigation is confidential to security, HR, and legal. Marcus’ manager is not informed unless HR decides to involve them — and that decision is HR’s, not security’s.


UK employment law considerations

Proportionality. Monitoring must be proportionate to the risk. A departing employee joining a competitor with access to proprietary data justifies investigation. A departing receptionist with no access to sensitive data does not justify the same level of investigation.

Data Protection Act 2018 / UK GDPR. The investigation processes personal data (Marcus’ email, file access, device activity). Ensure: the processing is lawful (legitimate interest of the organisation to protect its IP), the data minimisation principle is followed (only collect data relevant to the investigation), and the investigation is documented.

Employment Practices Code (ICO). The ICO’s guidance states that monitoring should be conducted openly where possible — but acknowledges that covert monitoring may be justified in cases of suspected criminal activity or serious misconduct. Data theft of proprietary IP justifies covert investigation.

Subsection artifact: The HR/Legal coordination model and the UK employment law considerations. These are unique to insider threat investigations — not covered in any other module.


Presenting findings without bias

The investigation report must be factual — not accusatory. The distinction matters legally.

Factual (correct): “Between 25-31 March, the subject downloaded 67 files from the Design Archive SharePoint site, a site not accessed in the previous 6 months. 45 files were transferred to a USB device at 22:00 on 30 March. 22 files were uploaded to a personal Dropbox account on 31 March. 5 client contact lists were emailed to a personal Gmail address on 29 March.”

Accusatory (incorrect): “Marcus stole 67 proprietary files and smuggled them out via USB and Dropbox before his departure.” The word “stole” is a legal conclusion — not a fact. “Smuggled” implies criminal intent. These conclusions are for HR, legal, and potentially a court to determine — not the SOC analyst.

The language test: Before including any sentence in the investigation report, ask: “Could this sentence be verified by showing the log data?” If yes: include it. If no: rewrite as a factual observation.

“Marcus accessed files from the Design Archive” → verifiable from CloudAppEvents → include. “Marcus intended to take the files to his new employer” → not verifiable from any log → exclude.
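As an added example that is not part of the module and not the module's own tooling, the script below turns constructed activity records into the kind of Phase 2 statements described above (download volume against the baseline daily average, then each transfer channel with its timestamp) and applies the language test to every sentence before it goes in the report. The table names CloudAppEvents, DeviceFileEvents and EmailEvents, the record fields, the sample dates and counts, and the list of conclusory terms are all assumptions of the example; the records are constructed to match the narrative, not real logs.

```python
"""Factual-findings generator for the HR/legal handover (added example).

Each finding carries the log source that would verify it, which is the
module's language test: a sentence goes in only if it can be checked
against the log data.
"""
import re
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Words that state a conclusion rather than an observation. Starter list,
# an assumption of this example; extend it to your own report standard.
CONCLUSORY_TERMS = {"stole", "stolen", "smuggled", "intended", "theft", "guilty"}


def make_event(ts, action, target, source_table):
    """One activity record. Field names are assumptions of this example."""
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "target": target, "source": source_table}


def constructed_events():
    """Constructed sample activity for the module's scenario (not real logs)."""
    events = []
    # Baseline: 1-24 March, a routine 8 downloads per day from CloudAppEvents.
    day = date(2025, 3, 1)
    while day <= date(2025, 3, 24):
        for i in range(8):
            events.append(make_event(f"{day}T10:{i:02d}:00", "FileDownloaded",
                                     f"Shared Documents/routine-{i}.docx", "CloudAppEvents"))
        day += timedelta(days=1)
    # Investigation window, 25-31 March: 67 Design Archive downloads on 28 March.
    for i in range(67):
        events.append(make_event(f"2025-03-28T{9 + i // 30:02d}:{i % 30:02d}:00",
                                 "FileDownloaded", f"Design Archive/spec-{i:03d}.pdf",
                                 "CloudAppEvents"))
    # 12 USB copies at 22:00 on 30 March (assumed table name: DeviceFileEvents).
    for i in range(12):
        events.append(make_event(f"2025-03-30T22:{i:02d}:00", "UsbFileCopy",
                                 f"Design Archive/spec-{i:03d}.pdf", "DeviceFileEvents"))
    # 5 files emailed to a personal Gmail address on 29 March (assumed: EmailEvents).
    for i in range(5):
        events.append(make_event(f"2025-03-29T18:{i:02d}:00", "EmailSent",
                                 f"Clients/contact-list-{i}.xlsx", "EmailEvents"))
    return events


def in_window(event, start, end):
    return start <= event["ts"].date() <= end


def daily_download_average(events, start, end):
    """Downloads per calendar day over the window; days with none still count."""
    n = sum(1 for e in events if e["action"] == "FileDownloaded" and in_window(e, start, end))
    return n / ((end - start).days + 1)


def findings(events, baseline, investigation):
    """Factual findings for the handover, each tagged with its verifying log source."""
    avg = daily_download_average(events, *baseline)
    inv = [e for e in events if in_window(e, *investigation)]
    out = []
    downloads = [e for e in inv if e["action"] == "FileDownloaded"]
    if downloads:
        day, n = Counter(e["ts"].date() for e in downloads).most_common(1)[0]
        multiple = n / avg if avg else float("inf")
        out.append({"statement": f"On {day:%d %B}, {n} files were downloaded, "
                                 f"{multiple:.0f}x the baseline daily average of {avg:.0f}.",
                    "source": "CloudAppEvents", "count": n, "multiple": multiple})
    # Transfer channels, phrased as observations tied to the table that records them.
    channels = {"UsbFileCopy": ("transferred to a USB device", "DeviceFileEvents"),
                "EmailSent": ("emailed to a personal Gmail address", "EmailEvents")}
    for action, (phrase, source) in channels.items():
        evs = [e for e in inv if e["action"] == action]
        if evs:
            first = min(e["ts"] for e in evs)
            out.append({"statement": f"{len(evs)} files were {phrase} "
                                     f"starting at {first:%H:%M on %d %B}.",
                        "source": source, "count": len(evs)})
    return out


def passes_language_test(sentence):
    """Reject sentences that carry a conclusion no log line can verify."""
    words = set(re.findall(r"[a-z']+", sentence.lower()))
    return not (words & CONCLUSORY_TERMS)


if __name__ == "__main__":
    evs = constructed_events()
    for f in findings(evs, (date(2025, 3, 1), date(2025, 3, 24)),
                      (date(2025, 3, 25), date(2025, 3, 31))):
        print(f"[{f['source']}] {f['statement']}")
    print(passes_language_test("Marcus stole 67 proprietary files."))  # conclusion: exclude
```

The generated sentences follow the Phase 2 pattern (count, date, channel, deviation from baseline) and never name a motive; the source tag on each finding is what lets HR or legal ask "show me the log" and get an answer.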

What to include in the handover meeting with HR:

  1. The factual timeline (who, what, when, from where — with timestamps).
  2. The baseline comparison (normal activity vs investigation window — quantified).
  3. The exfiltration channel evidence (which channels were used, what volume, what files).
  4. The evidence preservation status (litigation hold active, eDiscovery export complete, chain of custody documented).
  5. Your assessment of data sensitivity: “The accessed files include product specifications, manufacturing drawings, and client contact lists. HR and legal should determine the sensitivity classification and the appropriate response.”

What NOT to include: Conclusions about intent, recommendations for punishment, comparisons with other employees, or personal opinions about the subject. Your role ends at presenting the facts.

Check your understanding

1. Your investigation finds anomalous file downloads. Do you confront Marcus directly?

  - No (correct). Present the factual findings to HR and legal. They determine the response. Security does not confront employees — that is HR's role. Confronting Marcus directly could: compromise the investigation (he accelerates destruction of evidence), create legal liability (if done incorrectly), and undermine the employment process (if HR needs to handle it differently).
  - Yes — he needs to explain the downloads
  - Yes — but only with his manager present
  - Wait until his last day to ask