What are an employee's legal obligations when they discover a classified records spill?
A “spill” (also called a contamination or spillage) occurs when classified information is placed onto an information system, network, email account, or storage medium that is not accredited to hold it — for example, classified content sent over an unclassified email system. Because the destination is not authorized for that level of information, the data is considered exposed, and an employee’s response is governed by security policy, agency directives, and the broader framework that protects national security information.
Report Immediately
The first and most important obligation is to report the spill promptly through the proper channels. This typically means notifying your security officer, the information system security manager, or a designated incident-response contact — not waiting, investigating on your own, or hoping the problem resolves itself. Most agencies require reporting as soon as the spill is discovered, regardless of who caused it.
Do Not Make It Worse
While awaiting guidance, an employee generally must:
- Stop further distribution. Do not forward, reply to, copy, print, or open the affected material again.
- Avoid deleting or “cleaning up” on your own. Premature deletion can destroy evidence needed for the cleanup and damage assessment, and improper handling may itself violate policy.
- Secure the affected system or device as instructed, and limit access until trained personnel can respond.
- Discuss the incident only through approved, secured means — never describe the spilled content over the unauthorized channel.
Cooperate With Remediation
After reporting, security personnel direct the formal cleanup: containment, sanitization or destruction of affected media, and a damage assessment. Employees are obligated to cooperate fully and follow instructions exactly. The same principles of careful handling and prompt reporting apply to incidents involving Controlled Unclassified Information (CUI), even though CUI is not classified.
Why It Matters
Mishandling classified information — including failing to report a spill — can carry administrative, civil, or criminal consequences, and can compromise national security. Acting quickly and transparently protects both the information and the employee.
For broader context on classification and declassification, see the declassification topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Information Security Oversight Office (ISOO) — National Archives (NARA)
- Controlled Unclassified Information (CUI) — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). What are an employee's legal obligations when they discover a classified records spill?. Records Management University. https://www.recordsmgmt.org/questions/legal-obligations-when-discovering-classified-records-spill/
MLA
RM University Editorial. "What are an employee's legal obligations when they discover a classified records spill?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/legal-obligations-when-discovering-classified-records-spill/.
Related questions
- Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?
- Can a law firm representing a government client retain classified discovery, and who declassifies it after the case?
- Can a multinational company use ISO 15489 as a single recordkeeping standard across all of its countries?
- Can a private citizen request that a specific classified record be declassified?
- Can AI and machine learning reliably assist with declassification review of classified records?