Should I keep my ex-employer's data?

Question

Following my brief reign as System Monkey, I am now faced with a dilemma:

I did successfully create a backup and a test VM, both on my laptop, as no computer at work had enough free disk space. I didn't delete the backup yet, as it's still the only one of its kind in the company's history. The original is running on a hard drive in continuous use since 2006. There is now only one person left at the company, who knows what a backup is, and they're unlikely to hire someone else, for reasons very closely related to my departure.

Last time I tried to talk to them about the importance of backups, they thought I was threatening them.

Should I keep it?

Pros:

• I get to save people from their own stupidity (the unofficial sysadmin motto, as far as I know)
• I get to say "I told you so" when they come begging for help, and feel good about it
• Nice clean conscience
• Bonus rep with the appropriate deities

Cons:

• Legal problems: even if I do help them out with it, they might just sue me for keeping it anyway, although given the circumstances I think I have a good case
• Legal problems: given the nature of the job and their security, if something leaks, I'm a likely target for retaliation
• Legal problems: whatever else I didn't think about
• I need more space for porn.
• Legal problems.

What would you do?

Update:

Thanks for all the replies, you've all been really helpful. I ended up with a recorded phone conversation confirming they don't want the backup, they don't want me to keep it, that they knew about me having it, and that they assume responsibility for not having a backup from now on. I have shredded my copy.

Answer 1

You have two options:

1. Copy it onto a USB key send it to them by courier, then erase it off your machine if you're worried about legal issues. Make sure it has a covering letter that says this is now the only copy in existence. Encrypt the data and send the keys in an envelope separately if you're worried about losing it in transit.
   
   If you really want to keep the data, make another copy on a USB key and put it somewhere safe from either loss or search-and-seizure. Anywhere but your laptop.

2. Delete the data and don't admit to ever having it. This covers your arse legally and they're no longer your problem. Their problem if they lose the data.

Anything else - holding a copy without telling them - does open you up to legal liability. Distressed companies are amongst the most vicious as they are more likely to clutch at straws and do something dumb like suing former employees.

Answer 2

The nice thing to do is to make a copy and send it to them.

You are under no obligation to the company now that you have severed your employment. In fact i would say you are OBLIGATED to destroy the data. It is not yours, it is the companies and since you no longer work for them, you have no right to have access to it.

To address your pro's:

• That may be nice and all, and I will go through hell and back to save people from thier own stupidity when I am being employed to do so. Otherwise there really is no reason to keep yourself as involved in a former company as keeping backups (with the exception of the former company being run by a lifelong friend ... and you parted on good terms)
• Yea saying I told you so is nice ... but a good enough reason to risk the association with that sentiment of "what did you do to make yourself right?"
• If someone i was interviewing said they kept the backups from their old company ... that would be a big warning sign and mark against.
• Always a good thing to strive for ... i find beer helps this along :-D
• I'll just leave this one alone...

Cons:

• LEGAL PROBLEMS You want nothing to do with this data if something goes wrong, or if it doesn't and they just feel like being jerks.

Me, if i departed on good terms, I'd put it on a disk and mail it to them... If I left on bad terms I'd probably just delete it and get on with my life.

---

Also i would NEVER put company data on a personal machine. If they refuse to ge the resources to do proper backups find, I'll document it and keep pushing them to get proper backups in place.

Answer 3

I would take another thing into account: The former employer are strange people. Strange people mean trouble. You talked to them about backups, repairs and faulty stuff like ups. They didn't understand about backups and the thought You were threatening. They seem to be crazy people. Crazy people guarantee trouble.

Can You prove that You weren't given permission and financial funds to create backups and make repairs or that they denied (read have signed voucher)? If not, they could always claim they had instructed You to do so and that You had claimed the assignments fulfilled before Your departure. I mean, this wouldn't be the first time I see crazy desparate people lying in court.

So if You're not sure about the way they might react how long their equipment might survive, and if financially viable (I don't know the rates at Your place), I would consult a lawyer (I'm no lawyer, really, so don't consider doing this on Your own, especielly without a lawyer's scrutiny on the matter) and if legally advisable, I would have him notify the company in writing of the following:

• as notified several times during Your employment, there were no backups made and there was no sufficient time to do so. Also lack of capable hardware and reliable hardware from a factual and professional point of view and lack of willingness to invest in reliable hardware stymied such attempts.

• Backups are no threat but a mandatory best practice in the business because they offer improved protection for the company assets constituted. Many desaster scenarios like virus infection, hardware failure due to ageing, natural forces or the elements for examples, data might and will be completely or partially lost which means that it might not be completely or not at all recoverable from the original locations or devices. Also the cost of backup infrastructure is cheap in comparison to the cost for data recovery, the success of which can't even be guaranteed. Also there is a permanent statistical likelyhood that devices break down due to ageing or other environmental factors which can't be mitigated in the usage of electronics and computers.

• This is why, apart from other reasons, their lack of willingness to invest in mandatory repairs, updated or reliable hardware and data safeguarding measures, which were brought up severa ltimes and denied by them, made further employment with them impossible from a professional point of view.

• No liability whatsoever can be assumed on Your side whatsoever, given the facts and considering the termination of the employment.

• However, as there might not be a successor to Your post, You offer them, for a premium rate, running a one time backup or implementing a backup solution, and are willing to sign a non disclosure agreement if they are willing to do so, too. However, no liabilities can be assumed after the creation of the backup or the implementation of the solution, especially if no service agreement is made.

• They have 14 days to react to this letter or state anything concerning the matter, oterhwise the matter is to be considered concluded after this time.

And whatever the lawyer might want to have added.

If this is applicable legally, wait for the reaction (especially any claims for damages) and delete Backup after a month.

This is not to say that I didn't like the other suggestions. They are good, really. Going the easy way, keeping mum about the backups and deleting them would be my usual bet. But if I have to do with potentially crazy people, I like to confront things because they tend to get back at You at times when it's too late.

Also think about the NDA forms. I'd have terms and conditions requiring customers to do backups and no obligation on Your side to do backups on Your side be assumed except having ordered Backups to be done and received an autographed copy of their backup order from You.

Also, I would't be shy to write my employer a validated letter even during employment confirming his unwillingness to adhere to stated mandatory or advisable best practices and no liability on my side. Also requiring them to have written confirmation for any kind of order to now implement said formerly denied best practices, just to make sure there will be no misunderstandings if they changed their mind. (Anything where You get a copy of Your letter with a signing it was delivered containing this text should do.) This might be a bit picky but can save a lot of hassle.

But never forget: this is not the way it usually works, as employers most often understand, given the proper explanation. I never had to go that way.

Edit: It just appeared to me that I skipped half of the idea about when to delete the data:

If this is applicable legally, wait for the reaction (especially any claims for damages) and delete Backup after a month.

By that I meant that if there is a legal option of setting a deadline for claims to be made, You can keep the data as some kind of insurance for worst case (complete server self destriction on Your first day off) . If no claims surface until that deadline (plus a considerable safety margin) You can delete the data as nothing can happen to You any more.

Answer 4

I don't know. My gut says wipe it, and pretend it never existed. If they know you had it, they may make a stink over it, regardless of how often you say they have the only copy.

As a freelancer you need to keep a very strict separation between your systems and their systems, especially where things like backups are concerned. In the future, make sure they know what you're going to do with their data before you actually touch any of it. Tell them your retention policy, and when your contract is up, dump it on 'em and delete the traces. Write it up, and make 'em sign it.

You can buy cheap boilerplate NDA forms at various places online. It's worth it, and it tends to calm down the people you're working with.

Answer 5

"Backup? What backup?"

Of course you delete it.

You have no case for keeping the data, it doesn't belong to you. Would you hold on to critical paper business records that your boss kept under a leaky sink? No.

Answer 6

Short and sweet: Consult an attorney.

Answer 7

My friend, don't let your inclination to do good lead you to doing the wrong thing.

At a certain point, going out of your way to HELP someone becomes getting INTO their way.

As noble as your example seems, deciding for someone else what's best for him is a very dark ally to be in. Can i please decide what's best for you? I'll decide case by case, i promise! Pretty Please??

So, how do you decide when to offer unsolicited help? to me it's a simple equation:

• Using: my time, my property, my reputation, my freedom = Good
• Using: his time, my property, my reputation, my freedom = Evil
• Using: my time, his property, my reputation, my freedom = Evil
• Using: my time, my property, his reputation, my freedom = Evil
• Using: my time, my property, my reputation, his freedom = VERY EVIL

I think you have a case of "my time", "his property", which if it leaks could damage "his reputation" or worse, if he didn't pay his taxes, "his freedom" = Evil to Very Evil.
Return his data to him on disk (securely) as others have suggested and delete it from your laptop.

Answer 8

I can only address the moral aspect. The legal side is a matter you need to take up with a lawyer. Laws vary greatly across the world and you need to get the advice that is correct for you, not what applies to me.

Although saving them from their own stupidity is part of being an admin, that only applies while you are working for them. Once you leave their employ you no longer have that obligation. Nevertheless, in some parts there may conceivably be legal concerns because of what the employer might reasonably have expected you to do while in their employ. Again, get legal advice.

Now for the really hard part - Dealing with the knowledge that if it all goes pear shaped for them innocent employees may well lose their jobs and you are possibly in a position to prevent that from happening. This is not because we're admins. It's because, despite comments to the contrary, we're fellow humans. Morals and ethics are fluid concepts and we each have our own, so we each need to make our own decision.

I think I know what I would do but cannot in good conscience tell you what you should do.

Answer 9

Personally, I would send them a copy of the data along with a letter instructing them that this is the only backup of their critical data and the importance of their implementing a backup scheme that suits their needs. Then I would delete the data and sleep peacefully at night. Years from now, regardless of what happens to the company, you'll know that you did the appropriate thing. Integrity and the ability to unashamedly look at yourself in the mirror is more important than revenge or being able to say "I told you so".

Answer 10

Delete it, securely, with Shred (Linux) or sdelete (Windows). Today. If you have any of your own backups that contain it, destroy them or remove the file from the backups.

Nothing good can come of having this data. No matter how nicely you try and couch it, you have stolen their data. It was unwise when you worked for them .. having it now is just illegal. And, by sending it to them, you are admitting it.

If they don't have the backup religion, you aren't going to talk them into it. Sending it to them now will do no good at all, and will be admitting that you have taken it.

If the subject comes up, play dumb, take the 5th or refer them to your attorney.

Answer 11

Destroy the data. You shouldn't be in possession of it. If/when asked by your former employee for said data the only correct reply is: "I do not have a copy." You tried to get them to engage in backups, your duty and responsibility is done.

Answer 12

Having been in a vaguely similar situation [1], I had a copy of many things for some time [2]. After leaving, as things went wrong at the old place [3], I'd pull stuff off older hard drives and head down there to fix stuff. Eventually, I'd end up replacing and discarding the older computers at my home.

Years after throwing out the last computer and last hard drive with any of the source for the inventory control application, and moving to another state, I ended up getting a nastygram from a lawyer. It appears that nothing was backed up, the UPSes didn't get their batteries replaced (so they were essentially surge suppressors), the source code was deleted, and the lawyer wanted me to fix the problem and to pay for fixing the problem.

My recommendation is based on one question. Did the employer give the approval to make this VM at home?

Yes: burn it to a disc, then give the disc to the ex-employer and then delete all copies of it at home.

No: delete it and say nothing.

Notes:
1 - I was the sole developer and until I left, was the only network admin. I'd build the computers, install software and pull wires in the building. Many times, our hardware was upgraded only by dumpster diving in the business park.
2 - When the Netware server was rebuilt, the company was broke so I bought a 2nd computer that was identical hardware and we set it up as a "hot spare" at my home. To keep track of inventory, I ended up writing an inventory application.
3 - The computer I had originally used for development was issued to the receptionist, who deleted visual studio and the source code because she wanted more room for games.

Answer 13

In the future, I would do my best to have them buy an external drive, USB stick or something similar. If you have to use your machine, keep their data on the external device. When you no longer work for them, give them the drive.

If you think you'll have a problem getting them to spend $50 on a drive, bump your hourly/monthly/whatever rate up $1/hour or whatever will let you include that in your services at no additional cost.

Answer 14

For one thing if you created the only backup AND you took it with you, you were not a very good system monkey .

The problem with "saving people from their own stupidity" is that they may procreate and unfortunately many already have. When you accept money from them, you still have to do your job ( and hope they don't procreate :) )

If the only "backup " you have is on your laptop then it's not a backup, its a copy as in stolen data. A big problem if they know where you live!!

I believe you should put the data/VM or whatever it is you have on a USB stick or DVD or whatever it will fit on Then you'll have a backup.

Send it/deliver it to whoever has a faint notion of what a backup is after you have it wiped from you laptop and you system(s) are clean from it.

Answer 15

What did the terms of your employment (contract, employee handbook, etc) say about the disposition of company assets when your employment ended? Did they say that you needed to return everything? Destroy copies of files and programs? The terms of your employment may suggest to you the appropriate course of action.

If you remain worried about the legalities of the situation and what you choose to do, consult a lawyer with expertise in the area of employment law.