You got a new job (congratulations!), and now it’s time to return your company-issued devices, from laptop to phone. Download your data, wipe it clean, and turn it in, right?
Not so fast, says Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society. Many employees regularly co-mingle their personal life with their professional devices—using their work-issued laptop or mobile phone to log in to social-media accounts, correspond with family and friends, and shop online for the holidays, for example. Corporate-owned devices, she says, are often chock-full of personal data—and removing it isn’t as straightforward as it seems.
“Deleting your personal information is a very perilous undertaking,” Pfefferkorn says. “You need to be careful that you only remove or download your personal information—you don’t want to download or delete company materials without their consent. Scrubbing your personal information, if done incorrectly, can make you seem more suspicious than you are.”
Because each company may handle device reissues differently—some IT departments may completely scrub machines, while others may simply delete and create new user accounts—it’s in everyone’s best interest to be proactive in removing your personal data, says Jeremiah Grossman, chief of security strategy at cybersecurity software company SentinelOne.
Before you copy, download, or delete any data, consult your employee handbook for details on dos and don’ts as a departing employee, Pfefferkorn advises. She also suggests consulting with the company’s IT department for guidance and advice on deleting and transferring personal data to ensure that you’re legally in the clear.
So where is your personal data hiding? Here’s what you need to do before turning in your company-issued devices.
- Back up your data
Before you return any devices, copy your data—and only your data—to an external source, such as a USB drive or a cloud storage service. The “your data” part is key, Grossman says.
“You want to back up only your stuff, and not the company’s intellectual data. Don’t just clone the whole machine,” he says.
Working with the IT department to help you copy personal files to an external source will help avoid confusion and problems. That way, Pfefferkorn says, it won’t appear like you’re trying to steal company materials.
“The company could perform forensics on the device to determine what you copied or sent yourself,” she says. “You don’t want to cast doubt about why you may have copied sensitive information, so it’s best to work with IT from the start.”
A good rule of thumb, moving forward, Grossman says, is to keep your personal and work data separate from the start. He suggests using work email only for work purposes, and personal email only for personal purposes. Creating encrypted disk images of your personal files is a good idea, too.
“Let’s say I don’t format the disk: I can unmount those drives, and the files are on encrypted disk volumes. An admin can try to gain access to my files, but unless they have the password that’s in my head, they can’t—they’ll just have the encrypted data.”
- Transfer or delete personal accounts
If you used your company email address to sign up for services or applications that you need to access after you leave, transfer these accounts to an alternative email address, Grossman says. These might include-social media or frequent-flier accounts, for example.
When Grossman changed jobs, “I did my best to transfer all my work accounts to my personal email address, but forgot to change the information on my Uber account,” he recalls. “I went to use it one day but couldn’t because I no longer had access to my work account.”
If you signed up for personal services or applications using your work email address, and you no longer want those accounts—or you don’t want your company to access them—it’s best to delete them before you leave, Grossman adds.
- Wipe browser history
Finding where your personal data lives is a tedious process, Grossman says. One simple—but often forgotten—step in securing your data before you leave is wiping your browser history. This includes deleting your bookmarks, cache, cookies, and browser settings.
If you enabled autofill forms or passwords, give the company a copy of your passwords for all company-owned applications, websites, and tools, Pfefferkorn adds. “Even if you’re a disgruntled employee, don’t change or delete passwords. There’s no need to look more suspicious than you are,” she says.
- Delete app data
Applications you may have used on your work device, such as iMessage and Skype, hold boatloads of personal information, like the contents of texts and call logs, Grossman says. To delete this data, search your device for the folder that contains application support, and delete its contents, he says.
- Overwrite the device
Not all companies will allow you to reformat a device before returning it, so consult your employee handbook or the IT department before you proceed, Pfefferkorn says.
Overwriting the device, of course, isn’t foolproof, Grossman warns. “What many people don’t realize when you overwrite a device is that the data is still there—it’s just harder to find.” Other options include using formatting applications, which zero-out the data and are a bit more secure, he says. You could also microwave, drill holes in, or burn the device—methods with which the company would likely take issue.
“If you go to eBay and buy used disks, you’ll find a whole lot of data, whether it was reformatted or not,” Grossman says. “Frankly, I don’t want an employee’s personal data returned to me, so if the employee can help scrub their data, it’s a huge help. But again—check with your company for best practices before you go through with any of this.”