State of Montana Finds Confidential Information on Disposed PCs

Jun 09, 2005 By Corey McKenna

A recent legislative audit of the state of Montana's computer disposal policy found the policy in use was unclear and ineffective. Among the data recovered by the auditors were copies of permit applications, social security numbers, private financial records, state employment records and confidential information on the state's security processes and recommended the state clarify its policy on disposal of data on computers no longer needed by the state.

In conducting the audit, the staff of the legislative audit committee obtained 18 computers from eight state agencies using the same methods a member of the public or a school would acquire computers from the state. According to the report, six of the computers were purchased from the state's surplus property program, while 12 computers were acquired through the Montana Office of Public Instruction, the state agency responsible for providing schools with computers donated from state agencies.
Examining the computers, auditors found two thirds of the computers still contained data on them that was easily retrievable using readily available data recovery software, the report said. In addition to citizens' and state employees' personal information, the recoverable data included internal state communications, e-mails from citizens to state employees and unlicensed copies of software.

After the review, the legislative audit staff found that each of the eight agencies it contacted were aware of the policy requirements and were using one of the tools recommended in the current guidelines.

However, as the audit revealed, the state's guidelines on how to properly dispose of data were unclear and contradictory. According to the report, the state's current policy requires "all agency data must be removed from the computer in such a manner that it cannot be recovered from it," while at the same time requiring that "meaningful data" be erased in such a way as to not be recoverable. Another inconsistency the audit noted was that a policy issued in 1996 on which current policy is based required hard drives on computers being disposed of be certified that they do not contain any recoverable information.

The auditors also noted confusion in agencies about the need to wipe hard drives clean before disposing of them instead of merely reformatting the drives, as reformatting simply makes the data difficult for the computer to find, rather than erasing data.

In a letter sent to Montana's Deputy Legislative Auditor in response to the audit's findings, the director of the Department of Administration, Janet Kelly, said "the department will expedite the revision of this policy."

Changes to the state's computer disposal policy the director will implement include clarification of how data must be removed from disposed computers, a requirement that only the operating system remain on a discarded computer, a specific process for certification of discarded PCs and a list of approved hard drive cleansing tools.

The revised policy will be distributed through the Information Technology Advisory Council and the Network Managers Group for the state of Montana as well as through the policy section of the MINE Web portal. Non-IT senior department management will also be made aware of the updated policy, Kelly wrote in her letter to the Deputy Legislative Auditor.

Corey McKenna cmckenna@govtech.net