You can see it everywhere you look: people just ain’t no good

Hmm

A study by the Ponemon Institute found that more than 59 percent of those surveyed kept corporate data after leaving their jobs. The survey, which was sponsored by Symantec, included responses from 945 adult employees who had lost or left a job in 2008.

The most commonly stolen pieces of information were e-mail lists and non-financial business information, taken by 65 and 45 percent, respectively, of the respondents who took something. Thirty-nine percent admitted taking customer information such as contact lists.

Well, I can honestly say I’ve never walked off with email lists, or customer contact lists. I’m not sure what “non-financial business information” is, but it sounds non-specific enough to cover nearly anything written down.

What I have seen done–but which I, of course, would never, never do, because it would be wrong–is for people to walk out of a software job with a whole lot of source code. I can imagine how people would see some value there; not in a cliched “commercial espionage” sense–there’s really no reason to buy a competitor’s source code in practice for most software domains–but in a “hey, I spent a long time figuring out how to X a Y, and when I need to do that again in my next job I’d like to have this to refer to” sense. Even then, though, I suspect that the amount of applicability to any other employment would be on a steeply declining exponential curve in time.

Although, now that I think of it, I do know of at least one case of a company formed by ex-employees of a development team, who wrote a product that was an add-on to the product they had formerly worked on… which they subsequently sold back to the company that had let them go for a decent amount of money. I bet that’s one case where having walked off with the source paid off. I bet those guys feel dirty, though.

Of course companies trying to stop this stuff are pretty much wasting their time. Whether it’s source code or a customer list or whatever, you can’t really control it by any means other than legal restriction–there’s no practical way to enforce physical control of this stuff unless you’re going to adopt NSA-level controls, despite lots of companies and IT departments wasting a ton of money and time on it: it goes on a USB stick, or gets emailed to an outside account, or uploaded to GMail, or read over the phone, or printed and slipped into a backpack, or whatever–and with the legal restrictions you’ve got to be willing to enforce it, and your restriction has to be, you know, legal.

I do note, though, that the article also found that 32% of the people they talked to said they still had access to systems and data after they were supposed to be terminated. That’s a ridiculously high number. Have none of their employers heard about provisioning?


This work by Chris McLaren is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Canada.