What should we do if an employee leaves and we discover they have customer PII stored on a personal laptop or phone?
Discovering customer personally identifiable information (PII) on a former employee’s personal device is both a records control failure and a potential privacy incident. Treat it as one: contain the exposure, recover or destroy the data, and close the gap that allowed it. Move quickly, but document every step.
Contain the situation first
- Notify the right people immediately. Loop in your privacy officer, security/IT, legal counsel, and records management. Do not let one person handle it informally.
- Preserve evidence. Do not wipe or alter the device until counsel and security confirm it is safe to do so. You may need to know what was stored, for how long, and whether it was accessed or copied.
- Identify the data. Determine what categories of PII are involved (names, financial data, health data, government identifiers) and how many individuals are affected. The sensitivity drives your next steps.
Recover, then verify destruction
Work with the former employee through HR and legal to recover the data and confirm its removal. Recovery is not complete until you have:
- A defensible copy of any records that are official business records subject to a retention schedule (so you do not destroy something you are required to keep).
- Verified, documented deletion of the PII from the personal device and any cloud backups or sync services tied to it.
- A signed attestation, where appropriate, that no further copies remain.
Assess breach and notification obligations
Determine whether this qualifies as a reportable breach. Many privacy laws and contracts require notification to affected individuals, regulators, or customers within set timeframes when sensitive PII is exposed. Apply your incident-response and risk-assessment process rather than guessing; a structured framework helps you evaluate likelihood and impact consistently.
Prevent recurrence
This incident usually signals a control weakness, not just one bad actor. Strengthen:
- Offboarding: a checklist that confirms data return and device wipe before access is revoked.
- Acceptable-use and BYOD policy: clear rules that PII may not reside on personal devices.
- Technical controls: encryption, data-loss prevention, and limits on copying records off managed systems.
- Records governance: ensure PII lives only in approved, retention-managed repositories.
For related guidance, see our privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial. (2026). What should we do if an employee leaves and we discover they have customer PII stored on a personal laptop or phone?. Records Management University. https://www.recordsmgmt.org/questions/what-to-do-employee-leaves-with-pii-on-personal-device/
MLA
RM University Editorial. "What should we do if an employee leaves and we discover they have customer PII stored on a personal laptop or phone?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-to-do-employee-leaves-with-pii-on-personal-device/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?