Office of General Services
Disposal of Electronic Devices
Issued: December 06, 2012
Link to full audit report 2012-S-4
Link to 90-day response
Purpose
To determine if electronic devices being surplused through the Office of General Services (OGS) are
permanently cleaned of all data, which may include personal, private and sensitive information,
and whether State entities using this service have developed formal processes to minimize the
risk of disclosure of information when disposing of devices storing this type of information. The
audit covers the period of January 1, 2012 through May 26, 2012.
Background
The New York State Office of Cyber Security's Policy requires all State entities to establish formal
processes to address the risk that information may be improperly disclosed. One way information
can be compromised is through careless disposal of electronic equipment. Agencies can dispose
of electronic devices on their own; however, OGS' Surplus Unit disposes of them for many State
agencies. Agencies are required to remove all information prior to disposal and, if sending them
to OGS, to certify in writing that the devices no longer contain any information. OGS' Surplus
Unit does not accept any responsibility for clearing the data from these devices. However, OGS'
Information Resource Management (IRM) bureau provides information technology support
for some State agencies. In these cases, IRM is responsible for removing information from the
devices prior to making them available to the Surplus Unit. At the time of our audit, the Surplus
Unit had 429 electronic devices in its possession for disposal.
Key Findings
- OGS IRM was responsible for removing information from 25 of the devices on hand, which
had been previously assigned to the Division of Veterans Affairs. Of these, three did not have
information completely removed (12 percent). One of the three devices still had sensitive
information on a hard drive, including multiple social security numbers, medical records and
confidential human resource information.
- Through physical inspection and the use of forensic software, we determined the other agencies had used various means to properly eliminate all information from their devices, in some cases by physically removing the hard drives.
Key Recommendation
- Work with the Office of Cyber Security to better safeguard information by requiring hard drives to be removed from all electronic devices prior to sale to the public.
Other Related Audits/Reports of Interest
Office for the Aging: Disposal of Electronic Devices (2012-S-39)
State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: StateGovernmentAccountability@osc.state.ny.us
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236