A significant percentage of “recycled” computers were found to still contain personal information, according to a study conducted by the National Association for Information Destruction (NAID). As reported in e-Place Solutions, the NAID-ANZ Secondhand Hard Drive Study found that “15 of 52 hard drives randomly purchased contained highly confidential personal information.”
What kind of information? “spreadsheets of clients’ and account holders’ personal information, confidential client correspondence, billing information and personal medical information.” In one case, the computer included an “entire email box with numerous emails and attachments relating to the inner most workings of a medical facility.”
Some of the recyclers of these computers, which were randomly purchased on eBay by NAID, included law firms and a government medical facility. Further, according to the report, the methods used to locate the personal information on the devices were not highly sophisticated.
According to the National Conference of State Legislatures, “at least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” On top of those generally applicable requirements, many businesses are also subject to specific federal and state requirements to safeguard personal information, which include destroying personal information that is no longer needed. These include, for example, the HIPAA privacy and security regulations and the Federal Trade Commission’s Disposal Rule.
As mobile devices continue to proliferate, it is critical for businesses and individuals to ensure that, before discarding, reissuing, or “recycling” such equipment, personal information at a minimum is removed or destroyed as required under applicable law. Of course, there is other information, such as company proprietary and confidential information, that should be removed for obvious reasons even if it is not subject to these data destruction laws.