Of the machines sampled during the audit, 79 percent still contained various forms of data and one-third of those contained items such as Social Security numbers, child abuse case files, personnel reviews and personal files of a state judge. The computers were located at New Jersey’s surplus property warehouse.
State guidelines require that agencies remove all data from computer hard drives before they are sent to the warehouse.
Pete McAleer, spokesman for OSC, said that staff turnover at the warehouse spurred the investigation.
“There had been previous arrests at the warehouse, including five employees charged with theft-related and official misconduct offenses,” McAleer explained. “Four of the people pleaded guilty and there are charges pending against the fifth. The four that pleaded guilty were terminated,” he said.
Although the arrests were unrelated to this particular incident, it helped bring the situation into the spotlight. Once the audit began, OSC discovered that various state agencies had been advised to remove information from their computers, but some hadn’t followed through.
“At a time when identity theft is all too common, the state must take better precautions so it doesn’t end up auctioning off taxpayers’ Social Security numbers and health records to the highest bidder,” said New Jersey State Comptroller A. Matthew Boxer, in a statement.
New Jersey isn’t alone in its computer end-of-life data security issues. A June 2008 report by the KansasLegislative Division of Post Audit showed 10 of 15 surplus computers sampled by auditors had recoverable data on them.
The report stated:
“We found that the data weren’t properly removed from the computers because agencies lacked policies, thought that Surplus Property was removing the data, or did a poor job of keeping track of their computers. … In general, it didn’t appear that much had been done to most of the computers to remove the data.”
Best Practices
Dan Fuller, president of EPC Inc., a company that offers a mobile hard drive destruction service, believes the challenges that end-of-life data security present to governments could be better met by establishing more thorough procedures.“It is a big problem because most legislative bodies have rules in place about [what happens to] equipment, but not about protecting the data on that equipment,” he said.
Ed Stukane, chief marketing officer of PlanITROI, an IT asset disposition company based in New Jersey, encouraged IT staff to erase the data from each hard drive seven times.
“The security component is paramount and it is not a costly process to do that,” Stukane said. “The money you get back from the resale of those [computer] assets is pointless if data security isn’t done properly. Close enough is not acceptable.”