Disposing of old computer hardware by auction or donation is a good way to get rid of older personal computers (PCs) and give them a second life, which is also good for the environment. These are two noble ways to dispose of an old PC; however, keep in mind that the hard drive in that PC could contain a treasure trove of information. A few examples of information that could reside on the hard drive are:
- Billing information;
- Credit/Debit Card Numbers;
- Driver License;
- Passwords; and
- Wireless Network Access Codes.
There are data thieves who purposefully mine places such as public auctions, flea markets and garage sales. These data thieves purchase old hard drives with the intent to find personal information to sell on the Internet. Not only do these thieves seek information on personally owned equipment, they also look for public auctions of equipment such as PCs, printers, fax machines, copiers, etc., as all of this equipment contains hard drives and bits of electronic information that can be mined for profit.
According to the Tennessee disclosure statute (T.C.A. § 47-18-2107), releasing unencrypted personal information in this manner would most likely be considered a data breach. This, at the very least, would trigger the notification section of the statute but could also go as far as a civil action against the information holder. In addition, the Fair and Accurate Credit Transactions Act (FACTA) contains a specific rule on the proper disposal of consumer information, which includes electronic records. FACTA also outlines penalties for “willful noncompliance” that could include civil liability and punitive damages. Outside of what is required by law or statute, it makes good cyber security sense to ensure you do not have data left on an old PC.
For example, suppose you have audited all your municipal PCs and know that you do not have any business processes that require you to gather and store consumer information, so neither of the above laws comes into effect. Even so, a PC might have an unencrypted file containing all of the user’s passwords, which compromises that user, or wireless network settings, which put the municipality’s wireless network security at risk by allowing someone access to municipal information technology (IT) resources.
A municipality should establish a written policy or procedure outlining the disposal process from start to finish, including methods of removing all data from existing PCs. The two options for removing the data from a hard disk are using a software tool to wipe (erase/overwrite) the data or physically destroying the hard disk. Just deleting the files on the hard drive, or reformatting and reloading the operating system, is not a sufficient means of completely removing the data. If this has been your chosen method, the files can be recovered fairly easily.
A simple Internet search will help you find a number of good data recovery tools to retrieve files that have been deleted from the hard drive or other removable media. Some recovery tools will even work on drives that have been reformatted. I have used a few to recover photos and other files that have inadvertently been lost or deleted from PCs, memory cards, USB drives, etc. Most recovery tools have graphical user interfaces to make recovery as simple as possible. Most of the tools were not designed for nefarious reasons but could easily be used in such a manner. More sophisticated tools exist, but they have a difficult time recovering data once either of the data destruction methods discussed has been used.