A recent article by Kevin Townsend picks up on a report by Blancco Technology Group suggesting that '78% of second-hand hard drives purchased from eBay and Craigslist now contain recoverable corporate or personal information'. Blancco's conclusions are based on the examination of 200 randomly selected drives they bought and examined in the first three months of 2016. Blancco's business is the certified destruction of data and the management of reused computers and devices, so the company's interest in the issue is unsurprising. It's not surprising, either, that it was easily able to recover data that the owners believed to have been erased. In fact, 40% of the drives were apparently erased by quick format, which leaves data easily recoverable, and 36% seemed to have been deleted by simply using the recycle bin or delete button.
Unsurprisingly – given the services the company provides – the Blancco report lays stress on the exposure of company data and the risk of loss of intellectual property and competitive advantage. But the company also claimed that 67% of 'residual data' consisted of PID (Personally Identifiable Data). Kevin cites a report from the Information Commissioner's Office in 2012 that spells out implications for companies that don't take sufficient care to remove information about 'employees and clients'.
Kevin rightly observes that:
'Sensitive personal information can lead to identity theft and serious financial issues for the people concerned. But it can also put the company in jeopardy of both federal and state privacy laws - and of course the upcoming European General Data Protection Regulation (GDPR).'
Like the European Commission's Directive on Security of Network and Information Systems, such requirements affect countries that have commercial ties with the European Union and its member states, as well as those member states.
It can’t be denied that personal data do have identity theft implications when organizations don’t look after those data adequately. But while most of the GDPR commentary I’ve seen focuses on breach notification, the Regulation addresses accountability for protection of data as well"
'Technology has transformed both the economy and social life, and should further facilitate the free flow of data within the union and the transfer to third countries and international organizations, while ensuring a high level of the protection of personal data.'
In fact, the UK's Data Protection Act (in both its 1984 and 1998 incarnations) and the European Union's Directive 95/46/EC already specifically address the need to preserve personal data from potential misuse, unlawful processing, loss of data, and so on. I don’t think that organizations that don’t ensure that personal data aren’t removed from equipment sold on, can claim not to be in breach. There’s a clear threat to the privacy and wellbeing of the individuals to whom the data appertain.
If companies don't have the resources to ensure that no personal data can be recovered from discarded media before selling it on, then selling it on is not an acceptable option. Even if they're not sold on, and even where there's no explicit legal obligation to ensure that data are not safely disposed of, there is an ethical obligation that can be met either by physical destruction or by a truly secure wipe of the data, using a reputable third-party service if necessary. Or you could follow up on Lysa Myers' suggestions for 'therapeutic, fun and creative' solutions, if you're brave enough. You might want to discuss some of those with your legal department first, though.