A six-week audit in summer 2013 that found confidential information on 11 of Washington's 177 computers slated for surplus has encouraged the state to take action -- going forward, it will fully utilize an existing built-in redundancy process and look for better ways to keep old information secret.
The audit, released in April, tested agencies' abilities to delete data on surplus computers, but more than half of those machines were re-wiped through Computers 4 Kids --a middleman program outside the audit's scope that processes and sends computers to school districts, according to Washington CIO Michael Cockrill.
The Computers 4 Kids program played a role in ensuring that hard drives that may not have been wiped in the official process were then not released to the public, Cockrill said.
Still, Communications Director Ben Vaught said the noncompliance findings of the State Auditor's Office were "11 too many."
The audit reviewed the computers and disposal procedures of 13 state agencies and found that four had data unlawful to disclose on computer hard drives, another four did not have documented procedures in place and two state organizations employed best practices, among other findings.
The four agencies that had the computers with confidential information had inconsistencies due to human error in how they were wiping the hard drives, Vaught said. To address this, he said, the goal moving forward is to increasingly take humans out of the picture.
"Like all processes, ours was subject to human error," Cockrill said. "We are updating our procedures to reduce the chances of human error."
The leading practice of the private sector is to shred or destroy computers' hard drives. Although the process is faster and cheaper, new hard drives must then be bought.
In Washington, it has been the historical practice of the state, Cockrill said, to get the most value out of its assets -- in this spirit, the state has chosen to recycle its computers.
However, he said the Computers 4 Kids program recognizes the move toward shredding and is exploring this and other options as an effort to keep the program alive and the state as a partner, he said.
For now, because of its level of standardization, the Office of the CIO has asked the program to step in and do the redundant wipe on all the state's old hard drives. The state has also halted all surplus operations until the office is confident that "all PCs were being wiped to our standards," Vaught said.
"That's our short term fix to ensure no data from the state has even a chance of getting out there," he said.
As for rehabilitating the state's formal process, a cross-agency work group has formed to update how the state handles data disposal, including setting the right level of standards to match those set by the National Institute of Standards and Technology and updating disposal methods, Vaught said. One immediate change is giving more guidance to agencies, he said, such as making the tools for wiping hard drives available through Office of CIO.
The program, which was created in 1998, follows the recommendations for purging hard drives for reuse published by the NIST, according to Michael Whelan, who oversees the computer production process at the Airway Heights Corrections Center.
Correctional Industries employs up to 12 offenders to refurbish the computers, though the hard drive re-wiping is performed only by state employees, Vaught said. The program is a partnership among the Department of Corrections, the Office of the Superintendent of Public Instruction and the Department of Enterprise Services.
Whelan said the program uses the software Wipedrive to complete the NIST's recommended three-part process, concluding with a data-scrubbing verification. This is important because the audit revealed that 10 agencies were not completing this final verification step, which the state described as a best practice, but did not require agencies to perform.
In 2013, the Computers 4 Kids program accepted and turned around just under half of state agencies' 12,181 surplus computers. Though Vaught noted that most of the computers that were donated or sold -- just over 6,000 -- had no hard drives, and thus did not pose a risk for exposing confidential information.
Washington is not the only state to find that safe data disposal is far from a sure thing. In 2011, New Jersey released an audit that found that 79 percent of the surplus computers tested contained sensitive information. In early 2007, auditors in Utah found 17 of 23 computers waiting to be sold contained sensitive information.
This end-of-life information disposal process is important, but can be overlooked, Vaught said. Additionally, deleting files is not enough to keep individuals and organizations secure, he said. Hard drives must be wiped or destroyed.
"All businesses, governments and individuals have to be vigilant when it comes to protecting their personal data," Cockrill said, adding that the state is updating its procedures to reduce chances of human error, and he encourages others to securely delete data before getting rid of an old computer.
"The audit really helps not just with the state," Vaught added, "but cities, counties and even individuals to focus on how they throw away their hard drives."