Donating Old Equipment: Good to Do ... If You Don't Violate Privacy
Laws or Break the Public Trust
By Steven Lerner-Wright
Its nearing the end of year, a time when organizations and
individuals are encouraged to donate used computers and networking
equipment to charitable organizations. Making such donations may
not only garner tax deductions, its a good thing to do.
The demand for used computers is substantial. For instance, the
nonprofit Goodwill Industries of Orange County, California maintains
a computer outlet that sold more than $650,000 in used computer
and networking equipment last year. Each week the organization receives
nearly 30 truckloads of used goods, including used IT equipment
that Goodwill Industries refurbishes, recycles or resells.
According to Randy Taylor, Director of Facilities for Goodwill
Industries of Orange County, computers and computer hard drives
are among the donations received, representing nearly 16% of all
IT equipment donated.
In addition, Taylor estimates large- to medium-sized enterprises
and< government agencies contribute nearly 15% of the donations
Goodwill Industries receives.
Before an enterprise makes a donation, however, IT security managers
should make sure theyre not running into legal trouble.
State and federal privacy laws require businesses and government
agencies to make sure theyve protected data files stored on
computer hard drives -- even those they no longer possess. A growing
number of regulations spawned by HIPAA, the Gramm-Leach-Bliley Act
and the FACT Act include similar restrictions. Violations of these
laws could result in civil action, either to recover damages, secure
injunctive relief, or invoke other "remedies available under
In California, three relatively recent laws can have a big impact:
- AB 1950, signed into law September 2004 and effective immediately,
requires businesses that store or manage "private" information
of California residents to provide "reasonable security"
of that private information. Reasonable security is not spelled
out in the legislation.
- SB 1386, Californias Data Breach Notification Law effective
since July 2003, requires any businesses or government agencies
doing business in California to notify California residents when
unencrypted personal information is exposed. This legislation
specifically exempts encrypted data.
- AB 2246, effective January 1, 2001, requires businesses -- before
they dispose of data files -- to "take all reasonable steps
to destroy" records that contain "personal information"
of California residents by "(1) shredding, (2) erasing or
(3) otherwise modifying the personal information in those records
to make it unreadable or indecipherable through any means."
In each case, encryption eliminates the risk of accidental exposure.
Merely sending confidential files to, say, the Windows Recycling
Bin does not, because recycled data can be left behind
even when the bin is emptied.
The risks are genuine and often overlooked. In a demonstration
led by Simson L. Garfinkel, an MIT research team recovered sensitive
information on discarded hard drives. Data on the drives could be
easily recovered, frequently without requiring any sophisticated
The MIT teams observations and recommendations were as follows:
- Users and their administrators need to be educated about the
dangers of leaving information on old hard drives, and organizations
must develop policies and procedures for protecting sensitive
- Third-party vendors should encourage the use of encryption to
minimize the risk.
- Hard disk makers should integrate automated and transparent
cryptographic technologies that would automatically protect all
data stored on the hard drive.
To read the complete results and recommendations of the MIT study,
Also, if you are based in the US and want to donate your old Computer
and networking equipment to Goodwill Industries, please note this
advice offered by Christine Bragal, Director, Media Relations:
Not all Goodwill agencies accept computer donations -- it
is important to note that donors should contact their local Goodwill
before donating them. To find their local Goodwill, donors can either
call (800) 664-6577, or use the online ZIP code locator at www.goodwill.org.
Also at that web site, in the newsroom section, you'll
find a computer donor tip sheet which might be helpful as well.
Compliance: Data Security Regulations Do Include
By Steven Lerner-Wright
A recent editorial by Illena Armstrong, the USA Features Editor
for SC Magazine, claims that data security regulations work when
theyre backed by significant economic and legal consequences.
This prompts a question: Just what are the current penalties for
failing to follow current US data security and privacy regulations
A brief scan uncovered a few serious consequences. Fines and imprisonment
are possible under the Health Insurance Portability and Accountability
Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and Californias
Data Breach Notification Law, SB 1386.
In addition, however, we also found evidence that data security
breaches can hit shareholders -- in the wallet.
HIPAA specifies that organizations that are negligent about protecting
sensitive patient health information may face a penalty. The penalty
specified in the HIPAA legislation for negligent non-compliance
is $100 per incident, with the cumulative financial penalty not
to exceed $25,000 in a given calendar year.
However, the penalty for deliberate criminal theft and misuse of
sensitive patient health information is more severe. If a person
is convicted of accessing patient data with criminal intent, the
fine could be $50,000 to $250,000 depending on how the data was
meant to< be misused.
The enforcement agency is the US Department of Health and Human
Services, which would have to lodge a complaint against the offending
organization and initiate administrative hearings. To date, one
person has been penalized for violating the HIPAA Privacy Rule,
which took effect April 2003. The HIPAA Security Rule takes effect
For more about HIPAA penalties, see proposed text for 45 CFR Part
GLBA also specifies penalties for deliberately stealing sensitive
financial information for use in committing a crime. The law reads:
Whoever knowingly and intentionally violates, or knowingly
and intentionally attempts to violate, section 6821 of this title
shall be fined in accordance with Title 18 or imprisoned for not
more than 5 years, or both. In addition, stealing or knowingly
possessing stolen property that crosses state lines could result
in 10 years imprisonment.
Enforcement agencies include the Federal Trade Commission, Federal
Deposit Insurance Corporation, Office of the Comptroller of the
Currency and the National Credit Union Administration.
The law concerning Criminal Penalties under GLBA can be found
An interesting side development took place this summer. President
Bush signed the Identity Theft Penalty Enhancement Act into law.
The new law mandates increased prison terms of two to five years
for aggravated ID theft violations, including violations
of GLBA. The new law does not impose any new requirements on companies
to increase their protection of Social Security Numbers or other
See also White House reaction to consumer questions at: http://www.whitehouse.gov/ask/20040715.html
SB 1386 Penalties
This law, which requires businesses to notify California residents
whenever unencrypted personal information has been breached, offers
no specific penalties. The law reads:
1798.84. (a) Any customer injured by a violation of this title
may institute a civil action to recover damages. (b) Any business
that violates, proposes to violate, or has violated this title
may be enjoined. (c) The rights and remedies available under this
section are cumulative to each other and to any other rights and
remedies available under law.
With this law, however, the potential financial costs of having
to comply with the notification provisions may be the real source
of pain. For instance, the editors of The StrongAuth, Inc. Newsletter,
attempting to estimate possible costs to Wells Fargo & Company
when a laptop containing unencrypted sensitive data on 200,000 Californians
was stolen, pegged the losses to the bank (and its shareholders)
at $1.5 million to $1.8 million.
The text of SB1386 can be found at: http://www.privacy.ca.gov/code/cc1798.291798.82.htm
The StrongAuth Inc Newsletter article can be found at: http://www.strongauth.com/newsletters/2003Dec05.html
Reduced Market Valuations
The impact of data security breaches on shareholders is another
angle to consider, especially in light of the penalties and cost
impacts of failing to protect sensitive data.
A study by Professors Martin Loeb and Lawrence Gordon of the University
of Marylands Smith School of Business demonstrated that theft
of sensitive private customer data -- credit card numbers, Social
Security Numbers, health information and the like -- can hurt shareholders.
Loeb and Gordon examined the impact of data security breaches on
stock market values. The study results showed that stock prices
were not significantly affected by most computer security incidents
-- except one.
When a security breach involved the disclosure of personal, private
data, such as credit cards or health data, the effect had a marked
negative impact on the companys shareholders. Their
research demonstrated a reduction in market value of more than 5%
once the word got out that confidential customer information had
Loeb wrote about the results of his research in the article The
Indirect Cost of Cybercrime, which was published in the April
13, 2004, edition of Bank Systems and Technology. An electronic
version appears here: http://www.optimizemag.com/article/showArticle.jhtml?articleId=18700435&pgno=4
The SC Magazine editorial that started this discussion can be
So Why Arent You Using Encryption Yet?
As the above articles suggest, organizations should pay careful
attention to data in their control -- especially the financial,
personal, and health data of their customers and constituents -
or they could face serious consequences.
Encryption is an inexpensive way of controlling access to sensitive
For instance, donate 50 laptops to charity and if all sectors on
hard drives are encrypted by default, then it doesnt matter
who has physical control of the drives. What matters is who controls
the access control parameters to the encryption program.
In addition, although some organizations use secure delete
programs that overwrite used sectors of a hard drive, encryption
offers a much stronger and frankly an easier method of guaranteeing
data protection because encryption works while the drives are in
use and after they have been retired. Simply encrypt the entire
disk itself, including space marked as free by the operating
system. Then, before discarding the drive, destroy the encryption
If you do this for every laptop and desktop in your organization,
you will be in compliance with the growing body of legislation focused
on mitigating and punishing identity theft and improper care and
management of sensitive third-party data.
What is more, if a computer -- or just the hard drive -- is either
lost or stolen, youll never have to worry about implementing
a costly customer notification program.
Encryption Plus Hard Disk provides this simplest of solutions.
The software protects data on drives still being used by an organization
and provides a built-in "default" method of secure deletion.
Its also specifically designed to protect -- and recover,
if needed -- enterprise data.
A number of enterprises are using Encryption Plus Hard Disk to
protect data on hard drives and to remain in compliance with state
and federal privacy laws. These include Humana Inc., a leading healthcare
organization based in Kentucky, and Lincoln National Financial Advisors,
a leading financial planning organization based in Connecticut.
These are two of hundreds of firms making smart use of encryption
technology to avoid paying unnecessary penalties and costs, harming
their shareholders, or alienating their customers.
If youre planning on attending the RSA Conference this February
in San Francisco be sure to visit the PC Guardian Technologies booth
for a hands-on demonstration of Encryption Plus Hard Disk.
For more about the RSA Conference, visit:
Until then, keep your guard up!
ABOUT THE AUTHOR
Steven Lerner-Wright is the Marketing Communications Director at