In a tale that reminds us that IT organizations still haven't come to grips with the management of PDAs and other palm-sized computers, this Wired magazine article reports that the BlackBerry of a former Morgan Stanley VP, chock-full of all sorts of corporate information, was recently purchased on eBay for $16. The VP had left the company several months earlier and the IT department failed to wipe it clean. Naturally, they want to make it his fault. Quoting from the article:
"We trust employees with a lot of sensitive information; that's why we have these procedures in place. Someone who is in mergers and acquisitions and is a vice president should be very aware of his responsibilities," [said Morgan Stanley's Quintero]. But Korn/Ferry's Steinbock said, "If they were vigorously wanting to protect their intellectual property, I would hardly think that's enough. Since it's information that would harm them, not him, it's perplexing that they wouldn't be more aggressive about retrieving that information and follow up with him. The company obviously doesn't have controls in place to take care of its own intellectual property, and that's really their fault," she said. In fact, the VP said that when the company closed his e-mail account on his last day of work, he thought any data on the BlackBerry would be deleted remotely by the server. "I just assumed it was all taken care of," he said.
The BlackBerry belonged to the executive because Morgan Stanley has them buy their own. This policy seems shortsighted. Sure, the company saves a few bucks, but it makes it much harder to control the information. Furthermore, the IT department will never be able to get its arms around a collection of incompatible devices. Companies need to manage their IT and the data, not the employees.
I've heard companies brag about things like "zero-day start" where an employee is up and running with all the accounts, permissions, gear, etc. that they need to do their job the first day they show up. How many companies are good at turning everything off? I still had an email address over a month after I left the State of Utah (which gave the conspiracy theorists something to worry about). I'm sure if I'd checked, I still had access to all kinds of data as well. Not that I'm picking on Utah--they just happen to be my most recent experience. As I've said, this sort of thing is common.