Disposal of Electronic Devices

Issued Date: September 04, 2013
Agency/Authority: State University of New York

Purpose

To determine if electronic devices being surplused by the State University of New York at Albany (University at Albany) through the Office of General Services (OGS) are permanently cleaned of all data, including personal, private and sensitive information. The audit covers the period of January 1, 2012 through May 26, 2012.

Background

Office of Cyber Security Policy requires all State entities to establish formal processes to address the risk that personal, private or sensitive information may be improperly disclosed. One way information can be compromised is through careless disposal of electronic devices. This policy also requires that all laptops containing, or with access to, State information must be encrypted. Agencies can dispose of electronic devices on their own; however, OGS' Surplus Unit provides this service for many State agencies. Agencies are required to remove all information prior to disposal and, if sending them to OGS, to certify in writing that the devices no longer contain any retrievable information. OGS' Surplus Unit does not accept any responsibility for clearing the data from these devices. At the time of our audit, the University at Albany had 36 electronic devices ready for disposal through OGS' Surplus Unit.

Key Findings

  • Seven of the 36 computer hard drives readied for surplus still contained data, even though the University at Albany had provided OGS with certifications indicating all information had been removed.
  • Two of these hard drives contained personal, private and/or sensitive information including social security numbers, dates of birth, home addresses and financial information. One of these two hard drives also contained potentially inappropriate photographs that could be considered offensive for the workplace.
  • The other five hard drives also contained retrievable data that included resumes, personal vacation photos, research information and student term papers.
  • One of the seven hard drives was taken from a laptop computer, which should have required more stringent security controls and been encrypted.

Key Recommendations

  • Reinforce policies and procedures to ensure that all information is removed from electronic devices prior to authorizing the equipment for surplus.
  • Ensure that all data on laptop computers is encrypted.

Other Related Audits/Reports of Interest

Office of General Services: Disposal of Electronic Devices (2012-S-4)
Office for the Aging: Disposal of Electronic Devices (2012-S-39)

State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236