Audit of State University of New York at Albany reveals to-be-surplussed devices certified as “clean” still contained PII
I periodically post audits from the NYS Comptroller Thomas DiNapoli’s office pertaining to data protection. A recently released audit of SUNY-Albany reminds us that we need to continue to be concerned about inadequately wiped devices or drives that are to be surplussed. The audit period covered January – May 2012, and during that time, SUNY-Albany had 36 electronic devices ready for disposal through the state’s Office of General Services’ Surplus Unit. OGS is not responsible for wiping the data on devices sent to them – the originating entity (in this case, SUNY-Albany) is and is required to certify that there are no retrievable PII on the devices.
So what did the audit reveal?
- Seven of the 36 computer hard drives readied for surplus still contained data, even though University at Albany had provided OGS with certifications indicating all information had been removed.
- Two of these hard drives contained personal, private and/or sensitive information including social security numbers, dates of birth, home addresses and financial information. One of these two hard drives also contained potentially inappropriate photographs that could be considered offensive for the work place.
- The other five hard drives also contained retrievable data that included resumes, personal vacation photos, research information and student term papers.
- One of the seven hard drives was taken from a laptop computer, which should have required more stringent security controls and been encrypted.
You can access the full report here.