The danger of failing to ensure that mobile devices have all data securely wiped before being recommissioned or resold has been highlighted by a recent study conducted by the National Association for Information Destruction (NAID).
In the largest study of its type to date, NAID analysed data on more than 250 devices that had been sold on the second-hand market. 40% of those devices were found to contain personally identifiable information.
It appears that while companies are increasingly aware of the data security requirements for desktop computers, servers, and cloud computing platforms, they are still not paying the same attention to mobile devices.
While it is perhaps reasonable to expect some users to fail to securely erase data on personal devices due to a lack of security awareness, NAID found that it was a similar story for organizations. Devices that had been used by corporations were also found to contain sensitive information.
It would be reasonable to expect a computer forensics firm to be able to recover incorrectly deleted data from old devices; however, for this study, NAID used data recovery tools that are freely available on the Internet. These shareware programs were able to detect PII on the devices, showing that an individual would not need to be a computer forensics expert to recover incorrectly deleted data.
The types of information recovered from the devices included credit card details, usernames and passwords, contact information, personal user data, company data, tax information and much more.
The devices found to contain the most information were tablets. 50% of tablets had recoverable PII while 44% of hard drives had PII that could be reconstructed. Only 13% of mobile phones had data that could be recovered.
While companies and individuals attempt to wipe data from devices before they are sold or handed back to leasing companies, in many cases the data deletion methods used were ineffective. Robert Johnson, CEO of NAID, said: “We know by the ongoing audits we conduct of NAID Certified service providers that when overwriting is properly done, it is a trustworthy and effective process. The problem lies with service providers who are not qualified and, too often, with businesses and individuals who feel they can do it themselves.”
Failure to Securely Delete Data is a HIPAA Violation
The failure to securely erase data prior to devices being resold, recycled, or returned to lease companies leaves individuals and companies at risk of data being used for malicious purposes; however, for the healthcare industry the problem could be far worse.
If patients’ or health plan members’ protected health information is left on devices and is not securely and permanently erased, HIPAA Rules will have been violated. That could result in a significant fine for a HIPAA-covered entity.
Just as physical PHI must be permanently destroyed to ensure that it is rendered unreadable, indecipherable, and otherwise cannot be reconstructed, the same applies to ePHI stored on electronic devices.
HIPAA-covered entities must ensure that ePHI is overwritten with non-sensitive data so that it cannot be reconstructed. Alternatively, the data should be purged by degaussing (exposing the media to a strong magnetic field), or the media should be physically destroyed.
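The study above found residual PII with ordinary recovery tools, and the paragraph above says overwriting must leave nothing reconstructable. The following is an added example, not code from the article or from NAID, of the kind of post-wipe check a practitioner would run on a raw image of a device before it leaves the organization: every sector is classified as zero-filled, 0xFF-filled, PRNG-overwritten (high entropy), or residual, and residual sectors are scanned for the sort of PII the study reports (e-mail addresses and Luhn-valid card numbers). The 512-byte sector size, the entropy threshold, the regexes and the sample image are all assumptions constructed for the example.

```python
"""Post-overwrite check of a raw media image (added example, not from the article)."""
import hashlib
import math
import re
from collections import Counter

BLOCK_SIZE = 512          # assumed sector size for the image
RANDOM_ENTROPY_MIN = 6.5  # bits/byte; PRNG overwrite data scores ~7.6 on 512-byte blocks, text ~4.5

# Constructed patterns for the PII categories the study reports.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte, estimated over this block only."""
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over an ASCII digit string, used to cut false positives on long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_block(chunk: bytes) -> str:
    """zeros / ones / random are what an overwrite pass leaves behind; anything else is residual."""
    if not any(chunk):
        return "zeros"
    if all(b == 0xFF for b in chunk):
        return "ones"
    if shannon_entropy(chunk) >= RANDOM_ENTROPY_MIN:
        # Caveat: encrypted or compressed left-overs also score high; a high-entropy
        # block proves only that no plaintext is visible, not that the wipe ran.
        return "random"
    return "residual"


def find_pii(chunk: bytes) -> list:
    """Return (kind, value) hits for recognizable PII inside one block."""
    hits = [("email", m.group().decode("ascii", "replace")) for m in EMAIL_RE.finditer(chunk)]
    hits += [("card", m.group().decode()) for m in CARD_RE.finditer(chunk) if luhn_ok(m.group())]
    return hits


def verify_wipe(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Walk the image sector by sector; the image is clean only if no sector is residual."""
    counts = Counter()
    residual_offsets = []
    pii = []
    for off in range(0, len(image), block_size):
        chunk = image[off:off + block_size]
        kind = classify_block(chunk)
        counts[kind] += 1
        if kind == "residual":
            residual_offsets.append(off)
            pii.extend(find_pii(chunk))
    return {
        "counts": dict(counts),
        "residual_offsets": residual_offsets,
        "pii": pii,
        "clean": not residual_offsets,
    }


def sample_image() -> bytes:
    """Constructed 4-sector image: two zeroed, one PRNG-overwritten, one with left-over text."""
    zeros = bytes(BLOCK_SIZE * 2)
    prng = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(BLOCK_SIZE // 32))
    leftover = b"Customer: jane@example.com card 4111111111111111 pw hunter2"
    return zeros + prng + leftover.ljust(BLOCK_SIZE, b"\x00")


if __name__ == "__main__":
    report = verify_wipe(sample_image())
    print("clean" if report["clean"] else "RESIDUAL DATA at offsets", report["residual_offsets"])
    for kind, value in report["pii"]:
        print(f"  {kind}: {value}")
```

On a real device the image would come from the block device after the overwrite pass rather than from `sample_image()`. A failed check means the wipe must be rerun or the media destroyed; a passed check is a necessary condition, not proof, because flash storage remaps sectors and a host-side overwrite may never touch retired blocks. Degaussing likewise only affects magnetic media, so flash-based tablets and phones need the device's built-in cryptographic erase or physical destruction.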
If electronic devices are to be recycled or returned to a leasing company, HIPAA-covered entities should ensure that those devices are first securely erased by a professional company. That company, being a business associate, would also be required to sign a business associate agreement. Should any data be recoverable on the device, it would be the business associate and not the covered entity that would be subject to a HIPAA fine.