Audit finds confidential information left on surplussed state agency computers

Washington state agencies face the same issue that confronts private citizens when it’s time to update their personal computers. How do you safely dispose of your old computer in an environmentally sound way that does not leave your confidential information stored on the computer’s hard drive?

A performance audit we released in April revealed some problems with the way state agencies were disposing of used computers.

We took a look at how well 13 state agencies were doing by examining used computers they had sent to the state surplus program for distribution or resale to the public. Most of the agencies had removed the information stored on the hard drives of computers they had surplussed. Most had policies and procedures in place to comply with state requirements for safe data disposal.

Four agencies, however, had left confidential information on the computer hard drives they sent to surplus. Among the confidential data we found were: applications for public assistance, medical records, personal financial statements, employee performance evaluations, IRS tax forms, Social Security numbers, claims records, employment applications and information technology security information.

State laws require agencies to remove all data from this equipment. The presence of confidential information left on these devices is doubly troubling, as it represents a risk to the state and the individuals whose information could have been compromised through potential identity theft, fraud or IT security breach. You can read the report, “Safe Data Disposal – Protecting Confidential Information,” at www.sao.wa.gov/state/Pages/RecentReports.aspx#.U2kRP_ldV8E.

During a six-week period, we checked 177 computers sent to surplus and found there was still confidential information on 11 of those computers. Based on our stratified sampling, we estimate that there was confidential information on 109 of the 1,215 computers scheduled for surplus during that time. With the state sending nearly 10,000 computers a year to surplus, that sampling represented a strong potential risk for the inadvertent release of confidential information.

Beyond checking for data on hard drives, we also looked at what rules, procedures and practices these 13 agencies had in place to prevent the release of confidential data on computers they sent to surplus. Of the four agencies on whose computers we found confidential data, one of them did not have documented procedures in place and none of them followed the recommended leading practice of verifying that all data had been erased before disposing of their hard drives.

Even among the agencies on whose computers we did not find confidential information, we found some of them lacked documented procedures and failed to follow leading practices.

When presented with our findings, state agencies and the state’s Chief Information Officer responded quickly and responsibly. The OCIO immediately quarantined computers at the surplus store, halted sales, provided agencies additional guidance, and began evaluating its computer disposal standards. The agencies on whose computers we found confidential data have taken immediate steps to resolve the problems and review their procedures.

It’s an example that cities, counties, school districts — and all of us — should follow. Whether you trade in or donate your old computer, consult an expert on how to best recycle your equipment without revealing confidential information.

Meanwhile, we will continue to review these and other cyber security issues confronting government agencies in Washington.

Troy Kelley is Washington State Auditor. He is a former state legislator and member of the Washington State Bar.