I am the user in this case. I understand Atlassian's position in this case but this is so hard to track over such a long period of time. I left this workplace almost 5 years back and the account worked fine. Then it suddenly stopped working without any notification from their side.
> this is so hard to track over such a long period of time.
But you created the problem in the first place by adding your work email to an account that had your personal boards in it. By doing that you gave your employer a means of controlling that account. You basically planted a time bomb that could go off at some unpredictable time in the future. And it went off.
Your reasoning feels truly bizarre. He added that work email as a SECONDARY mail. As soon as it stopped working, he could no longer access the boards associated with that particular mail, only his personal ones that were NOT associated with it. His personal boards continued NOT being associated with that work email for years afterwards, and he never in any way indicated, asked for, or allowed that they should be.
HE didn't “plant a time bomb”; Atlassian ripped him off, plain and simple.
(Oh, sure, you could argue that he “planted a time bomb” by giving Atlassian the means — that email address — to rip him off... But please don't. That would be like arguing that a rape victim “planted a time bomb” by dressing too provocatively.)
Attaching a secondary email to an account does not grant ownership of content or IP owned by the account holder to an entity associated with the secondary email. At best it provides evidence that the account holder has [or had] a relationship with the email domain owner.
Depending on the jurisdiction, if one suffers money damages as a result of the unapproved transfer, Trello or its business clients may be exposed to liability. Also, I imagine there may be privacy or consumer protection laws that could apply too, even in the absence of money damages.
Maybe you can say that "Trello handed over the only account you had to the previous company".
While I understand the pain - I sympathize - please note that no permissions management system (or identity and authentication) is so perfect that every case can be handled perfectly. As others say, you should have verified and spent a bit of time to clean up - because in the end - you lose time/money/whatever.
In the worst case, any company or even govt can just say sorry or some credits.
Even if the company is to blame 99%, you need to take 1% responsibility.
Every year, audit yourself for things like this. I compulsively check my own security... security is a frame of mind. Delete unused OAuth apps, dead emails. Flipside - offboard people quickly and completely when they leave your team.