- The Washington Times - Wednesday, September 5, 2012

High-tech thieves don’t have to dig through your garbage to find sensitive files like bank statements and credit card bills. Nowadays, they can steal private information from old laptops, smartphones, fax machines, copiers, servers and pretty much any electronic device.

This poses a big problem for companies that get rid of old technology when they upgrade every two to five years. If hackers can gain access to the personal information of their customers, it opens the door to identity theft, harming the company’s brand and leading to expensive fines.

The worst data breaches involve health records, bank statements, credit card bills, Social Security numbers, welfare records, child custody court case records, and customer lists.

But even something as insignificant as a leaked email address can embarrass the company.

On average, data breaches can cost a company an estimated $225 per leaked record — so losing control of information can add up to millions when it comes to hospital or bank computers with databases that hold thousands of client files.

A recent study from U.S. Micro, a data security firm, found that eight out of 10 old devices that are resold online at sites like Craigslist and eBay still contain some amount of private information simply because most companies don’t know how to properly destroy the data.

“In today’s world, data is everywhere, and it’s certainly become a lot more mobile. A lot of large companies, they’re not aware of where exactly the data resides,” U.S. Micro CEO Jim Kegley said. “Those companies are pretty naive to think the data’s gone. If you can’t know for sure the data’s been destroyed, you should never try to resell it.”

That’s where U.S. Micro comes in. Corporations hire the data security firm to wipe the hard drives of their old devices, destroying data on more than 1 million devices a year. So far, the company has never had a breach.

To ensure security, U.S. Micro goes to the company’s office and wipes the data there before leaving, so that the company can be sure it was destroyed.

Some devices, particularly those from the Defense Department, must be destroyed altogether to protect national security, but others can be preserved for resale through processes such as a “three pass wipe” or “seven pass wipe,” which means the data is erased, then the devices are filled with new data and it is erased again. That process is repeated a certain number of times.

“We have to guard against even one single device being resold in the marketplace with one of our customers’ data,” Mr. Kegley said. “We never want to leave our customers’ locations with their data. A lot of bad things can happen in the transportation process.”

Unfortunately, many companies ask regular employees without expertise in technology to wipe their devices, which can lead to problems.

“Oftentimes, banks will ask non-IT guys to do this,” Mr. Kegley said. “That’s where we typically see mistakes made, because non-IT people won’t have the specific knowledge for every kind of device.”

Blue Cross Blue Shield of Tennessee earlier this year agreed to pay $1.5 million in fines to the U.S. Department of Health and Human Services, after 57 hard drives were stolen while waiting to be shipped to a data sanitization vendor. More than a million customers were impacted.

“It’s a lot easier to lose your keys than your car,” Mr. Kegley said. “It’s very, very expensive when these things happen.”

In New Jersey, the state government nearly auctioned off computers with Social Security numbers and confidential child abuse reports.

“It’s essential to protect private information that is protected by law,” said Bill Long, a board member at the Institute of Scrap Recycling Industries, a D.C.-based trade association. “It’s really a matter of balancing the measures taken with the risks of the particular data in question.”

After the data is wiped, U.S. Micro pays a fee to take the old devices and resells them for a profit. The resale market can make for good business. “The resellers make much more money than the original manufacturers as far as profit,” Mr. Kegley said. “The margins for selling a new product are really, really slim.”