When some people leave a job, the only thing they want to take with them from their office is their dignity, and maybe some family photos. Others leave with contact lists, project plans, marketing collateral, code snippets and other work-related files from their computers. Still other employees take the opportunity to loot the supply cabinet for notebooks, pens, flash drives and other items that they don't want to buy from Staples.
As IT professionals prepare to jump ship from their current employers, they need to know what they legally can and can't take with them. The same goes for the unfortunate employees at companies that are still conducting layoffs, who may be tempted sneak off with sensitive corporate information or company assets such as laptops after being handed a pink slip.
Jon Heimerl, director of strategic security for Solutionary, a provider of information security services, says departing employees can get in big legal trouble if they take corporate information or physical assets without their employer's permission. Depending on what the employee takes, the employer can sue the employee or press theft charges against the employee through the police.
"I know a company that had an ex-employee that it had laid off walk into a competitor's office with proprietary information on a big R&D project," says Heimerl. "The company sent a letter to the competitor from a lawyer that said, 'We know you hired this employee. We have proof that he took proprietary information with him, and we are going to sue you and the employee.' The competitor withdrew its employment offer, and it took the ex-employee 12 months to find another job."
Here, Heimerl explains what you can and can't take from an employer when you leave a job.
What You Can Take
Employees can take any personal items that they brought into their offices from home upon leaving an employer, says Heimerl. Examples include photos, diplomas, coffee mugs and personal electronic devices (e.g. cell phone, iPad). Employees can also leave with items that they bought for work but that they didn't get reimbursed for, says Heimerl, such as an ergonomic keyboard.
The only exception that might prevent employees from leaving with their own loot is if an employer has a clear policy stating that employees cannot bring any personal property into the office, says Heimerl. (Some employers maintain such policies so that they're not liable for lax security if employees' personal property gets stolen from the office.) Then, if an employee had ignored that policy and brought in trinkets from home anyway, the employer could claim those items as corporate property, but Heimerl doesn't see many companies go that far.
Employees often also take along work that they created or helped create for the company, such as contact lists, project plans, code snippets or marketing collateral, so that they have examples of their work, says Heimerl.
"In and of itself, there's nothing really wrong that," says Heimerl, unless the documents contain client information or internal information such as strategic plans or product pricing. In those cases, the employee should ask the employer for permission to take such documents or samples of work, adds Heimerl. The employer may very well give permission to do so, provided that the employee removes proprietary information from the document.
If an employee takes such documents without his employer's permission, having previously signed an employment contract or severance agreement that specified that any documents or code he developed for the company is company property, the employer could sue the employee for breach of contract, says Heimerl.
The employer could also withhold the employee's severance pay, or require that the employee return severance pay already disbursed, if the severance pay came with a condition related to taking any corporate information upon leaving the company.
What You Can't Take
Some employees, especially those who have been caught in a layoff, might feel emboldened to take whatever they can from an employer--including office supplies, furniture and laptops. But pilfering corporate property is stealing.
"If you take an asset, even a mouse, without company permission, that is theft," says Heimerl. "If you take a $3,000 laptop loaded with software, that's grand larceny."
Theft and larceny are punishable in a number of ways. A company can file a complaint with the police saying it wants the ex-employee prosecuted for theft. Usually a sheriff or police officer goes to the thief's house or sends him a registered letter saying a charge has been filed, and the individual has a certain number of days to respond, says Heimerl. Or, an arrest warrant could be served for theft of property. If the police don't handcuff the individual and bring him to jail, the person will get a summons to appear in court, he adds.
"In every case I know of," says Heimerl, "the employee has given back the laptop or paid restitution."
Instead of calling in the cops, other companies will tally the value of the stolen property and will report that value to the IRS as taxable income that the company paid to the employee. The employee will then be obligated to pay taxes on that stolen property, says Heimerl. (For a fully loaded laptop valued at $4,000, an employee can expect to pay in the neighborhood of $1500 in taxes, he adds.)
If an employee stole a computer that contained sensitive customer financial information or healthcare information, Heimerl says, there's a good chance the employee could be charged in a federal court for violating federal privacy and information security laws.
When Personal Property and Corporate Information Collide
There are times when what employees can and can't take from their employers isn't clear cut--such as when they used their personal smartphone or home computer for work and they have business contacts, files or applications on those personal devices.
When an employee has work-related information on his personal smartphone, and it's time for the employee to leave his employer, he must remove all work-related information from his smartphone, especially if the company had a policy prohibiting the use of personal devices for work, says Heimerl. But the employer cannot seize the employee's personal smartphone to inspect or keep.
"The company has no recourse other than to ask me [the employee] if I deleted the information," he adds.
But what does an employee do when his work computer kicks the bucket and he has to work on his home computer for several weeks while the IT department procures a new computer for him? During that time, the employee no doubt has amassed a significant amount of corporate information on his home computer. What are the employee's rights and responsibilities vis à vis his computer and the corporate information stored on it if he leaves his employer?
"In most jurisdictions, the company has no good claim to any of that information and no claim at all on the personal property (the computer)," says Heimerl. "The employer can demand that the employee remove all of the corporate information from the personal computer, but they cannot actually make the employee take any extraordinary efforts to find all the files, including temp files and stray copies, and delete everything in a secure manner--unless, of course, the employee agreed to do so at the beginning of all this."
If the employee had customer credit card information, healthcare information or other highly sensitive information on a personal computer he used for work, the employer may want to wipe those files from the employee's home computer and then perform a secure overwrite to ensure that those files can't be recovered, says Heimerl, but the employer can't force an employee to do that on the employee's own personal property. The employer could, however, have another employee perform the secure overwrite or hire a contractor to do it.
The bottom line: In all likelihood, the employee will retain at least some corporate information on their home computer, says Heimerl.
"Without the employee signing an agreement stating that they will not use any information that they retain access to or gain access to in the future, the employer has little ground to stand on," he says. "Some states, such as California and Massachusetts, have privacy laws that help the employer, but many states, including Minnesota and Massachusetts, have 'right to work' laws and personal privacy laws that make enforcement very hard."
Meridith Levinson covers Careers, Project Management and Outsourcing for CIO.com. Follow Meridith on Twitter @meridith. Follow everything from CIO.com on Twitter @CIOonline. Email Meridith at firstname.lastname@example.org.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.