Reducing the Risk of Identity Theft in the Disposal of Computers and Digital Copiers (May 2010)

Would you leave a readable copy of your tax return in your trash can? Would you discard business records that prominently display your customers’ or fellow employees’ Social Security numbers (SSNs), credit card information or other sensitive personal details in your company’s dumpster? Of course not, you say. You would shred all of the above so that any personally identifying information was indecipherable. But what about the disposal of computers and digital copiers¹ which may contain the same information? You cannot say with certainty what types of information may be contained on the hard drive of a computer or on a digital copier which stores all the documents you print.² It is safe to assume, however, that there is at least some personally identifying information (PII) on that hard drive. Thus, the hard drive must be erased or destroyed when disposing of the computer or copier. If you fail to do so, you may be increasing the risk of identity theft for anyone whose PII is on the drive. If you run a for-profit business, you may also be violating New York State law.

Understand the Risks

As seen in the examples below, improper hardware disposal is a widespread problem triggering the risk of identity theft and other personal and business concerns:

• Recently, in New York, an investigator’s random purchase of used digital copiers led to the discovery on the copiers’ hard drives of thousands of pages of documents containing PII. The prior owners of the copiers included a health insurance company and a construction company in New York City and the Buffalo Police Department, among others. In the case of the health insurance company, the discovery caused the company to notify more than 400,000 New York residents of a possible security breach involving personal financial and health information. ³ The information on the hard drives was easily retrievable using a forensic software program available for free on the Internet. ⁴
• Last year, a research group purchased more than 300 used hard drives from EBay and from computer auctions and fairs in the U.S. and other countries. More than a third of these drives contained sensitive PII such as personal financial and medical records, confidential business information such as business plans and financial data and, in one notable instance, sensitive government data related to a missile defense system.⁵
• A few years earlier, a survey of 10 used hard drives purchased at resale by PC World magazine found 9 of the 10 contained PII. One hard drive from an accountant included four years of payroll and tax information and employee SSNs, and another hard drive from an attorney contained bank account numbers, draft legal documents, a stored password and account details for an online account.⁶

Consumers who fail to properly dispose of their own personal computers may increase their own risk of identity theft. Businesses that fail to properly dispose of their computers and digital copiers risk not only the identities of their customers and employees but also expose themselves to negative public attention, the loss of goodwill and trust and possible legal liability. While consumers are not liable under New York law, for-profit businesses are. Therefore, it is critical that businesses also know and understand the relevant legal requirements.

Know the New York State Law

In New York State, the disposal of records containing PII is governed by General Business Law 399-h (GBL 399-h). ⁷ Only for-profit businesses are required to comply with this law. Under GBL 399-h, PII may include a Social Security number, a driver’s license or non-driver ID card number, a mother’s maiden name or a wide range of financial services account numbers or other “personal identification numbers” (PINs). A PIN means any number or code which may be used alone or in conjunction with any other information to assume the identity of another person or to access the financial resources of another person.

When your business disposes of records (paper and digital) containing PII you must:

• Shred the record before disposal; or
• Destroy the PII contained in the record; or
• Modify the record to make the PII unreadable; or,
• Take action consistent with commonly accepted industry practices to ensure that no unauthorized person will have access to the PII contained in the record. ⁸

A violation of this statute may result in a fine of up to $5,000 as well as an injunction against any continuing violations.

Take Action

The next time you are preparing to discard an old computer or digital photocopier, you should first consider your options for mitigating the risk of identity theft represented by any PII, which may still reside on the hard drive:

1.       Erase

Before you discard or donate your hardware, you can erase all data including PII from the hard drive of your computer or digital printer with overwrite software. These are utility programs that use a special application to write patterns of meaningless data onto the hard drive. These programs, priced at about $50 for individual licenses and $500-2000 for professional licenses, offer reasonable assurance that the erased data, including PII, will not be recoverable. Also, overwrite software does not destroy the hard drive so it may be reused.

2.       Destroy

The most effective method for the average person to ensure that all hard drive data including PII is safe is to physically destroy the drive. You should wear protective gear if you plan on destroying the hard drive on your own and wrap the hard drive in a towel so the parts don't fly off and do damage. Whether its smashing the hard drive with a sledgehammer, drilling holes into the drive, tearing the drive apart and destroying the platters, the drive will be destroyed but the PII will be safe.

3.       Recycle

If your computer is more than five years old or is no longer in working condition, you may want to recycle it. Before recycling, you must securely erase all data including PII on the hard drive. See Step 1 above for details. Next, you will want to learn about recycling events and centers in your area. For further details in New York City, please visit the official website of the City of New York for recycling issues at http://www.nyc.gov/html/nycwasteless/html/recycling/electronicsrecycling.shtml. For all other areas, visit the New York State Department of Environmental Conservation at http://www.dec.ny.gov.

Consumers and businesses store a staggering amount of PII on hard drives in computers and digital copiers. Because this information is not visible, it is often a surprise to the hardware owner to learn what and how much PII is actually accessible. Even with the periodic deletion of files and purging of active databases, this information and the risk of identity theft it represents are still serious matters. Once the computer or copier is out of your control, you will have forgotten about all of the information on the hard drive and you will no longer be able to mitigate the risk of identity theft. Therefore, before you discard that old computer or copier, consider your options - Erase/Destroy/Recycle – and then exercise the option that works best for you. ⁹

Businesses should also review their document retention and destruction policies and procedures to ensure that they: (i) require that purchased or leased copiers utilize overwrite protection and encryption; (ii) require the removal of hard drives (for destruction) when digital copiers are removed or replaced; (iii) require the training of employees on possible data leakage from digital copiers; and (iv) include digital copiers in their periodic risk assessments. For further information on document retention and destruction policies, please review the New York State Department of State Division of Consumer Protection checklist.

---

 

---