Office of General Services


Skip to Content

Login   Subscribe   Site Index   Contact Us   Google Translate™

NYS Comptroller


Taxpayers' Guide to State and Local Audits

Office of General Services
Disposal of Electronic Devices

Issued: December 06, 2012
Link to full audit report 2012-S-4
Link to 90-day response

To determine if electronic devices being surplused through the Office of General Services (OGS) are permanently cleaned of all data, which may include personal, private and sensitive information, and whether State entities using this service have developed formal processes to minimize the risk of disclosure of information when disposing of devices storing this type of information. The audit covers the period of January 1, 2012 through May 26, 2012.

The New York State Office of Cyber Security's Policy requires all State entities to establish formal processes to address the risk that information may be improperly disclosed. One way information can be compromised is through careless disposal of electronic equipment. Agencies can dispose of electronic devices on their own; however OGS' Surplus Unit disposes of them for many State agencies. Agencies are required to remove all information prior to disposal and, if sending them to OGS, to certify in writing that the devices no longer contain any information. OGS' Surplus Unit does not accept any responsibility for clearing the data from these devices. However, OGS' Information Resource Management (IRM) bureau provides information technology support for some State agencies. In these cases, IRM is responsible for removing information from the devices prior to making them available to the Surplus Unit. At the time of our audit, the Surplus Unit had 429 electronic devices in its possession for disposal.

Key Findings

  • OGS IRM was responsible for removing information from 25 of the devices on hand, which had been previously assigned to the Division of Veterans Affairs. Of these, three did not have information completely removed (12 percent). One of the three devices still had sensitive information on a hard drive, including multiple social security numbers, medical records and
    confidential human resource information.
  • Through physical inspection and the use of forensic software, we determined the other agencies had used various means to properly eliminate all information from their devices, in some cases by physically removing the hard drives.

Key Recommendation

  • Work with the Office of Cyber Security to better safeguard information by requiring hard drives to be removed from all electronic devices prior to sale to the public.

Other Related Audits/Reports of Interest

Office for the Aging: Disposal of Electronic Devices (2012-S-39)

State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email:
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236