Audits of Local Governments and School Districts
Protecting Personal, Private, and Sensitive Information (PPSI) When Disposing of or Reusing Electronic Equipment (2011MS-2)
We also released eight letter reports to the following: Fulton [pdf], Oneida [pdf], Steuben [pdf], and Westchester [pdf] Counties, the Cities of Port Jervis [pdf] and Syracuse [pdf], and the Dansville [pdf] and Shenendehowa [pdf] Central School Districts.
Released: February 17, 2012 -- [read complete report - pdf]
Purpose of Audit
The purpose of our audit was to determine whether municipalities and school districts adequately protected PPSI when disposing of or reusing electronic equipment for the period January 1, 2008 to May 12, 2011.
PPSI is any information to which unauthorized access, disclosure, modification, destruction, or disruption of access or use could severely impact critical functions, employees, customers or third parties, or citizens of New York, in general. When users purchase new electronic equipment, they often dispose of older items or sometimes reuse them. It is important to recognize that PPSI could still be stored on, and could be retrievable from, old electronic equipment.
- Only two of the eight entities, Fulton and Steuben Counties, had written policies covering the removal of PPSI from computers and related electronic equipment before it is discarded or reused; only one entity, Steuben County, had written procedures detailing the steps to take to protect PPSI on such equipment. At the start of our audit, none of the entities had written procedures for removing PPSI from the hard drives of copiers before they are discarded.
- None of the entities had implemented a written method of classifying the security risk of all the types of electronic data they store.
- While five entities had adopted breach notification policies, staff at three of these entities told us they did not know the steps to follow if a breach occurred. The other three entities had not developed a breach policy at all.
- Establish written policies and develop procedures to ensure that all PPSI on electronic equipment is removed prior to reuse and disposal.
- Establish a data classification scheme.
- Establish a breach notification policy, notify and train employees and regularly audit compliance with the plan.
Local Government and School Accountability Contact Information:
Phone: (518) 474-4037; Email: firstname.lastname@example.org
Address: Office of the State Comptroller, Division of Local Government and School Accountability
110 State Street, 12th Floor; Albany, NY 12236