When you got rid of those old computers, whether sold, given away or chucked in the rubbish bin, do you know what happened to the information on them? Your business tax and financial records? Your customer’s names and addresses?
Unless you have in place proper compliance systems, few people when getting rid of old computers bother to consider what sensitive information is on them, and take the appropriate steps to wipe it before the computers leave their control.
Which means: Out there some where, there is an awful lot of confidential and proprietary information, just waiting to fall into the hands of your competitors, or for some people (not readers of Access), government bodies such as, the Tax Office, ASIC, or the ACCC.
On 19 February 2014 NAID ANZ (the National Association for Information Destruction of Australia and New Zealand) a non-for-profit data protection body, reported on its investigation of 52 second hand computers it bought.
NAID CEO Bob Johnson said in a statement: “We randomly purchased 52 recycled computer hard drives from a range of publicly available sources, such as eBay. We then asked a highly reputable forensic investigator, Insight Intelligence, to determine whether confidential information was on those drives. The procedure used to find the information is intentionally very basic and did not require an unusually high degree of technical heroics. Had the data been properly erased, it could not have been found.”
The report “showed that 15 of the 52 hard drives randomly purchased, …contained highly confidential personal information.” (The full report can be read at www.naidonline.org/naus/en/consumer/news/5163.pdf )
Eight of the 15 computers came from law firms, a government medical facility and a community centre.
Be afraid, be very afraid, with the changes to the Privacy Act starting 14 March 2014, the new rules place significant responsibilities on many businesses, requiring them to protect customer’s information. Business owners who are found to have breached the rules face potential jail time.
Etienne Lawyers provides its clients with a 5-step check list to decommission a computer before it is sold off, given or thrown away:
1 Decommission immediately
Don’t store computers to be decommissioned later or leave old computers running to be compromised by a hacker. You can forget to decommission equipment if you do not do so immediately the decisions to upgrade is made If you wait the information might find it self out in the world and not secure as it should be.
2 Eliminate access
Remove/delete any accounts or access control facilities installed on the computer. You don’t want network access accounts allowing others to get into your network.
3 Destroy all information
If there is sensitive information on the hard drive destroy the hard drive. Do not sell, give or throw away the computer. Physically destroy the hard drive. F what is left is of use deal with it otherwise send the remainder to land fill.
4 Keep records
Be methodical by keeping records to track which computers and devices have been decommissioned, when and by whom and what happened once the computer was decommissioned. Was it sold on ebay, given to an employee or a relative or church or community group, or added to land fill.
5 Destroy the Computer
If in doubt physically destroy the device. Use an expert if the information is sensitive to your business. Do not sell it, or give it away until the device is physically and completely destroyed.
Contact Steven at: sbrown@etiennelaw.com
