Audit of surplussed state computers finds some confidential data

From Troy Kelley, Washington State Auditor 

Today our Office published a performance audit of the state’s system for removing confidential data from surplus computers.

State laws require state agencies to erase all data, including confidential information such as Social Security numbers, medical information, and IT system and security information, before a used computer is sent to the state’s surplus warehouse for donation or sale to the public. We checked a sample of computers sent to the warehouse and estimate that 9 percent of the computers scheduled for surplus during our review period contained confidential data that should have been removed.

The Office of the Chief Information Officer and state agencies responded swiftly to our findings, stopping the release of surplus computers and improving data removal policies. In our audit, we recommend all state agencies follow a national best practice to conduct a final check to verify all data has been removed before releasing computers. We also recommend the OCIO improve its policies and oversight for agency data disposal practices.

Washingtonians share personal information with state agencies under the expectation that it will be kept confidential. It is the duty of the government to honor that expectation. While we detected gaps in the system, I am pleased that this performance audit has and will continue to improve the way agencies safeguard confidential information in our state.

We welcome comments and suggestions for future reports. You will find this report here at our website.