She gave two weeks' notice. Professional. Amicable. We wished her well.
Three weeks after she left, a client called asking if we'd "sent someone else from the team to follow up" because a person from a new company had contacted them referencing details that only someone with access to our internal notes would know.
Pulled the access logs. She'd exported our full client database, including contact details, project history, and internal notes, two days before her last day. 340 client records.
She'd started her own competing firm and was using our client data to warm-call our existing accounts. Not cold outreach. Warm outreach with insider information about their projects and pain points.
No non-compete. No non-solicitation agreement. No data protection clause in her employment agreement beyond a generic confidentiality line that my lawyer said would be expensive to enforce.
Lost two clients to her in the first month. Both said she'd referenced specific details about their accounts that made her pitch feel like a continuation of our work rather than a cold approach.
Built a proper data protection policy after. All employees now sign specific non-solicitation agreements. CRM access is role-limited and export privileges require approval. Exit procedures include immediate access revocation and a documented data audit.
Also started sending clients a quarterly relationship summary, a one-pager built in Gamma (visual report tool) showing what we've delivered and what's planned next. Not just for the client's benefit. To reinforce that the relationship is with the firm, not with any individual employee. If someone leaves and reaches out to our clients, the client has a recent document from us that anchors the relationship to the company.
$0 spent on prevention before. Multiple clients and revenue at risk because I trusted that people would behave ethically after leaving. Some do. Some don't. Build the system for the ones who don't.
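
The exit data audit described above, sketched as an added example that is not part of the original post: it scans a CRM audit log for a departing employee's bulk or unapproved exports before their last day and for any activity after it. The log columns, user names, dates, approval ID format and thresholds are all constructed assumptions, not taken from any particular CRM.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample of a CRM audit log; the column names are hypothetical.
SAMPLE_LOG = """timestamp,user,action,record_count,approval_id
2024-03-01T09:12:00,alice,export,12,
2024-03-04T10:05:00,bob,export,340,APR-0007
2024-03-13T18:47:00,alice,export,340,
2024-03-14T11:30:00,alice,view,1,
2024-03-20T08:00:00,alice,login,0,
"""

# Constructed offboarding data: user -> (notice given, last working day).
DEPARTURES = {"alice": (date(2024, 3, 1), date(2024, 3, 15))}


def exit_audit(log_text, departures, bulk_threshold=50, lookback_days=30):
    """Return (user, timestamp, reason) findings for departing users."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"]
        if user not in departures:
            continue
        notice, last_day = departures[user]
        day = datetime.fromisoformat(row["timestamp"]).date()
        # Look back before the notice date too: exports often precede it.
        window_start = notice - timedelta(days=lookback_days)
        if day > last_day:
            # Access should have been revoked on the last working day.
            findings.append((user, row["timestamp"], "activity_after_last_day"))
        elif row["action"] == "export" and day >= window_start:
            count = int(row["record_count"] or 0)
            if count >= bulk_threshold:
                findings.append((user, row["timestamp"], "bulk_export"))
            elif not row["approval_id"]:
                findings.append((user, row["timestamp"], "unapproved_export"))
    return findings


if __name__ == "__main__":
    for finding in exit_audit(SAMPLE_LOG, DEPARTURES):
        print(finding)
```

Run as part of offboarding, the findings list becomes the documented audit record; an empty list is also worth filing.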