Think Twice Before Donating Any Old Computers

FREDERICK, Md. - Dec. 23, 2014 - PRLog -- Before making the decision to donate an old PC or laptop to a charity, just remember the tax deduction may be worthless compared to the potentially costly fines (and even jail time) that may be handed down -- That is unless you are 100% certain the data on these devices is removed before donating.

“Most corporate officers and business owners are not aware that there are numerous federal regulations requiring them to protect sensitive information relating to their customers, employees, patients, and business clients. Failure to do so is subject to large fines and/or imprisonment if this information is disclosed,” says data security expert Steve Chafitz.  “These regulations apply to a single person office as well as major corporations, which is why every business must protect themselves from the consequences of a data breach.”

Chances are good that there are stacks of old computers and electronic equipment that have been sitting around the office for months. The longer the equipment sits unused, the greater the risk for equipment theft, along with the data. Most likely, this equipment contains large amounts of confidential and Personal Identifiable Information (PII) data, such as account numbers, credit card numbers, social security numbers, health records and other information that buinsesses are required to protect.

As President of e-End, a Maryland-based firm specializing in secure data destruction and electronics recycling, Chafitz has worked with many companies who at one time would donate these data-containing PCs, give them to their employees, or even sell them online.  “In addition, printers, fax machines, copy machines, medical equipment, cell phones, PDAs and many other electronic items also retain data that should not be disclosed. That’s why no matter what the device is, unless there is absolute certainty there is no data remaining on a piece of equipment, non-secure methods of disposal are extremely risky,” he added.

While many people feel that formatting a hard drive is good enough for destroying data, the fact is there are plenty of methods easily available to get the information back. Plus there are also newer storage technologies, such as SSD drives, that require specialized equipment and trained personnel to keep digital secrets from being recoverable.

With companies such as Target, Sony and Home Depot being in the headlines, the threat of data breaches must be taken seriously because the fines and jail time is real. Among the many examples provided by the U.S. Department of Health and Human Services¹, in April, 2010 a California man was sentenced to serve jail time² for accessing unauthorized Personal Health Information. Also, a recent law allows the Attorney General (AG) of each state to sue health care providers if the AG feels personal data was compromised.  The AGs of Connecticut and Massachusetts were successful in fining state businesses to the tune of $275,000 and $1,500,000 respectively.  There's great incentive for the state to sue since the state gets to keep the money!

Along with the disastrous PR, the total financial loss can be extremely unhealthy for businesses. A study released by the Ponemon Institute in May of 2014³ determined the average cost of a data breach in the US in 2014 was $3.5 million, or $201 per file breached.

So before making any kind of equipment donation, Chafitz provides these suggestions for making sure information on old equipment is protected from leading to a data breach:

-Establish written policies and procedures in place for the handling of end-of-life electronics

-Be familiar with the privacy laws -- such as SOX, GLB, FACTA and HIPAA -- that MUST be abided by or be prepared to face fines and penalties

-Since IT departments cannot self-certify data destruction, seek an outside vendor whose primary business is proper and secure sanitization of data and proper recycling of the equipment the data resided on. Have them certify the data is 100% unrecoverable.

-Check all of a vendors’ references, visit their facility and verify they have the proper Certifications to assure they meet the specific and acceptable standards to perform the services they offer.

-Make sure to receive proper documentation that will provide an independent, verifiable, defendable and auditable trail to demonstrate that data was properly destroyed.

“Don’t become complacent and think a data breach can’t happen to you,” concludes Chafitz. “Taking a gamble on a year-end tax deduction isn’t worth the potential fines or jail time.”

Steve Chafitz is the President of e-End and is an expert on the secure sanitization of electronic media.  Steve has briefed many federal agencies, including Pentagon officials, plus corporations, healthcare providers and others on secure data destruction and Ecycling techniques.  To contact him, call (240) 529-1010 or send an email to steve@eendusa.com.

References

¹ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

² http://journal.ahima.org/californian-sentenced-to-prison-for-hipaa-violation

³ http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis