What should we do if an employee leaves and we discover classified or CUI records on their personal laptop or home network?
Treat it as a spillage, not a routine cleanup
Discovering classified national security information or Controlled Unclassified Information (CUI) outside an authorized system is a security incident, often called a “spill.” The instinct to quietly delete the files or hand the laptop back is exactly the wrong move. Deleting, copying, or emailing the material can destroy evidence, create new unauthorized copies, and worsen the exposure. The records also remain federal records or agency information regardless of where they physically sit.
Contain first, then report
- Stop further access. Do not open, forward, print, or copy the files. Isolate the device or network segment if you can do so without altering its contents.
- Limit who knows. Discuss the incident only on approved channels with people who have a need to know. Talking about classified content on unclassified email or chat is itself a spill.
- Notify the right officials promptly. Contact your security officer, the agency’s information security or insider-threat program, and your records manager. Classified spills typically follow your agency’s incident-response procedures and may require reporting up the chain and to oversight bodies.
Preserve, don’t destroy
The departed employee’s possession of the material may raise legal, counterintelligence, and human-resources questions. Sanitization or destruction must be done only by authorized personnel using approved methods, and only after responsible officials decide it is appropriate. Until then, preserve everything so investigators can determine scope, classification level, and whether any records must be recovered into official systems.
Why classification matters here
The marking on a document does not determine whether it is currently classified — original or derivative classification authority does. So even if the files look outdated, do not assume they can be released or discarded. Questions about whether information remains classified, or is eligible for declassification, are handled through formal review channels, not by individual judgment in the field. You can learn more about that process on the declassification topic hub.
Build the lesson into offboarding
Use the incident to tighten controls: confirm that separation checklists verify return and sanitization of all devices, that CUI handling rules are trained and enforced, and that personal devices are never used for protected information in the first place.
Sources & further reading
Authoritative government and non-profit references.
- Information Security Oversight Office (ISOO) — National Archives (NARA)
- Controlled Unclassified Information (CUI) — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). What should we do if an employee leaves and we discover classified or CUI records on their personal laptop or home network?. Records Management University. https://www.recordsmgmt.org/questions/what-to-do-if-employee-leaves-with-classified-records-on-personal-device/
MLA
RM University Editorial. "What should we do if an employee leaves and we discover classified or CUI records on their personal laptop or home network?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-to-do-if-employee-leaves-with-classified-records-on-personal-device/.
Related questions
- Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?
- Can a law firm representing a government client retain classified discovery, and who declassifies it after the case?
- Can a multinational company use ISO 15489 as a single recordkeeping standard across all of its countries?
- Can a private citizen request that a specific classified record be declassified?
- Can AI and machine learning reliably assist with declassification review of classified records?