State agencies failed to remove private information before retiring outdated state computers, risking public disclosure of Social Security and credit card numbers, medical records and income taxes, a new report discloses.
The legislative audit, obtained Tuesday, blamed unclear state policy for the computer hard drives not being properly "scrubbed" before the machines were donated to school districts, given to other state agencies or sold to the public.
"The state lacks a single clear policy instructing departments on information removal, assigning responsibility for defining sensitive data, and assigning responsibility for performing data removal and certifying the task has been accomplished," the auditors said.
Warning issued
Janet Kelly, Department of Administration director, said in a written response that her agency immediately began crafting a more concise policy to ensure private information held by the government is not made public.
"The resulting language will require that all data must be irretrievably removed from the hard drive," she said.
Jeff Brandt, acting chief information officer for the state, said Tuesday the new policy should be complete by mid-July. In the meantime, he said, a warning has gone out to all information technology officials throughout state government.
"We're telling folks to not make any assumptions about options for scrubbing disks," he said. "Err on the side of making darn sure they are scrubbed."
Brandt said the information discovered by the auditor's office was never divulged, so the people to whom it pertains need not be concerned. However, he acknowledged the state has no way of knowing if other data on other computers discarded by the state was disclosed over the years as the machines changed hands.
The state has about 11,000 desktop computers and regularly disposes of aging machines. Last year alone, 51 agencies got rid of more 2,300 computers. Most are given to school districts.
Inconsistent policy?
State policy requires all agency information be removed from the computers "in such a manner that it cannot be recovered" after the machine leaves a department. But the audit noted that part of the policy also refers to removal of "meaningful information," wording that appears to make the policy inconsistent.
A 1996 policy mandated each computer be certified that removal of all data has occurred, but that same requirement is not contained in the current policy, the report said.
Mark Athearn, who heads the state surplus property office, said his office has stopped collecting computers until the revamped state policy is in place.
Auditors obtained 18 discarded state computers and found 12 of them contained information related to the department that had used them. The hard drives contained software that should have been removed, legal hearing notes, meeting files, citizen e-mails to department staff, and permit application information.
Eight of the machines also held confidential data, including 386 Social Security numbers, financial records for 182 people, 84 business files and job applicant information.
The audit said all agencies contacted were aware of the policy requiring hard drives be cleaned before computers are discarded, but some departments were using tools that did a poor job of completely removing the information.