Is Your Computer Leasing Company Responsible for Data Security?

By Marc Sherman
January 06, 2006

Picture this scenario: You are the owner of a small to mid-sized business and have decided that it is in your best interest to lease your company's computer equipment. This may be because prudent financial planning dictates a lease versus buy decision; or you may want to be able to run the most current, up-to-date applications and the short time span of a computer lease allows you to do so. Whatever the case, when you make this decision, you have just assumed a very important responsibility, one that should not be taken lightly. You have just become personally responsible for the security of your own and your clients' personal data. It is your responsibility to personally safeguard the social security numbers, banking information, healthcare data, credit information, or anything else that could lead to catastrophic consequences if found in the wrong hands.

Of course, you know it is in your best interest to protect the personal information of your customers (as well as your own business: marketing, business development plans, proprietary information, etc.). However, the company you're leasing your computer from most likely isn't, nor has to be, as concerned as you are. While ideally the computer leasing company would employ a secure method to purge the computer of any personal information found on the hard drive when it is returned, many companies are not taking these proper measures. Much to the surprise of anyone who doesn't read the terms of the lease very carefully, the language of most standard computer lease agreements would suggest that the entity leasing the computer is responsible for removing any personal or proprietary information from the hard drive, and merely dragging files to the trash can or deleting them DOES NOT accomplish this task. As any computer expert will tell you, information that has been deleted can still be found on the machine's hard drive.

Because leasing companies typically resell returned equipment into the international marketplace, equipment that is not properly and thoroughly audited and erased (not just reformatted) could expose corporations and consumers to tremendous risk, since the hard drive data can be easily reconstructed with readily available software from the Internet. Again, sensitive hard drive data that could otherwise be reconstructed includes bank account information, social security numbers, health records, customer records and the like. That is why it's your responsibility to employ a tool that provides a tested and guaranteed means to purge your leased equipment of both your own and your customers' personal information.

Not only are the consequences of having personal data compromised severe, due to various laws I will later address, but having that information out there can also lead to identity theft. Most people automatically associate identity theft with online identity fraud, or other more obvious causal relationships; however, a discarded or donated computer can still be a treasure trove for someone who is criminally minded and could use the information for some ill-gotten gains.

Gartner, Inc. estimates that businesses refresh their computer technology an average of every 3 to 4 years. Most PC users recognize that a computer contains toxins that are regulated by the Environmental Protection Agency and they prefer to recycle their old PC to prevent it from being tossed in a landfill. However, some small businesses still choose to leave their old PCs on the curb with the rest of the trash. Identity theft stemming from a discarded PC is the most overlooked and often forgotten way to have your personal information stolen. The average identity theft victim will spend $3000 repairing credit history. Good people with a solid credit report are spending months and sometimes years to clean up the mess caused by identity theft.

Currently, the Federal Trade Commission (“FTC”) recommends businesses implement measures such as those outlined above to ensure that consumer data does not fall into the wrong hands. Last year, there were more than 240,000 cases of identity theft reported by the FTC. The majority of these were related to credit card fraud, information that can easily be recovered from a PC that has not been properly sanitized. Although mandated by law, there is no consistent standard for the destruction of data by small businesses, thus no guarantee that there is actual compliance. If not properly removed, data on obsolete computers can be easily compromised, jeopardizing the financial and legal standing of a small business, including doctors' offices, brokerage houses and insurance agencies.

Once a criminal has gained access to your personal information, identity theft can take on many forms. According to the Federal Trade Commission, the following nationwide statistics show how victims' information was misused in 2004.

Total number of victims reporting: 246,570

  • Credit card fraud: 28%
  • Phone/utilities fraud: 19%
  • Bank fraud: 18%
  • Employment-related fraud: 13%
  • Government documents/benefits fraud: 8%
  • Loan fraud: 5%
  • Other identity theft: 22%
  • Attempted identity theft: 6%

The recent instances of data being lost in transit raise concerns for companies looking to safely upgrade their IT assets and retire older systems. In April, Ameritrade Holding Corp. told 200,000 current and past customers that a tape containing confidential account information had been lost or destroyed in transit. Time Warner Inc. reported in May that 40 tapes containing personal data on 600,000 current and former employees had been lost en route to a storage facility. In June, Citigroup Inc. said that a box of tapes holding personal information on 3.9 million customers had disappeared on the way to a credit bureau. These mishaps place an emphasis on protecting data being transported, whether in transit to be stored or destroyed.

When files and data are not properly deleted, computer-savvy criminals will be able to recover your personal data and subject you or those who have depended on you to the pains and expense of identity theft. Finding a tool that follows the Department of Defense's standard for data destruction, a three-time data overwrite, is key to ensuring a successful data erasure. It is also a good idea to enlist the services of an independent third party that provides an automatic certificate of destruction, lending further peace of mind that the tasks have been effectively completed.

That said, if your leasing company isn't already doing so (and you should wisely ask), you should partner with an independent third-party provider of data erasure services. You should pick one that can generate a comprehensive, fully automated audit report that tracks each piece of equipment and documents that all stored data have been permanently destroyed. If you do not do it on your own, you should advise your computer leasing company to partner with a reputable third-party provider of such data erasure services. Usually, utilizing the services of an independent third-party provider transfers the liability for data removal to the third-party provider, indemnifying you, the business owner, of responsibility for the data that may or may not be found on the machine. This could save you many headaches, time, and financial resources down the road. As anyone who has worked in this space knows well, best business practices dictate that all companies and the general public only entrust their data disposal to companies that specialize in the business. This most likely IS NOT your computer leasing company.

According to data security and compliance attorney Alan Burger, a partner at the Florida-based law firm of Burger, Trailor & Farmer, P.A., it is important for the public to be aware of the inherent risks associated with returning used computer equipment to a leasing company without first reviewing the data security procedures of the leasing company. Although leasing may appear an easy solution to shift liability to the leasing company, ultimate liability remains with the company originating the data saved on the hard drive. For this reason, it is imperative that proper outsourcing procedures relating to data destruction are implemented and followed. It is also critical that the company providing data destruction gives proper indemnity and is adequately insured. Without taking these steps, corporations and small businesses that become complacent are exposed to tremendous risk.

In order to provide reliable data destruction and end-of-life IT asset management services to your customers, it is recommended that companies select a leasing company that can guarantee the following three steps are implemented:

1) When retiring IT assets, the optimum means for data destruction calls for no less than a three-time data overwrite, utilizing the standard set forth by the Department of Defense;

2) For public companies, maintain an audit track of the equipment in order to achieve compliance with Sarbanes-Oxley and other regulatory guidelines; and

3) The application should be fully automated, thus eliminating any possibility of human, hardware or software errors.

Besides the obvious risk of having the data stolen and someone becoming the victim of identity theft, there are also some legal implications for those who are not properly deleting data that must be addressed. Identity and proprietary data theft is one of the greatest challenges facing small businesses as they work to comply with legislation that protects consumer financial, credit and health information. The failure of any entity which is or may be governed by Sarbanes-Oxley, Gramm-Leach-Bliley, and FACT to ensure that electronic data is at all times secure, then erased and irretrievable at the end of the useful life cycle of the IT asset is likely a violation of any of the laws mentioned above. Public humiliation and negative publicity put aside, the penalties for violating any of the above acts are far ranging, including substantial jail time and hefty fines. A corporate officer certainly does not want to find himself in the middle of any controversies caused by his complacency simply because he relied too heavily on a computer leasing company to protect him from these liabilities.



Marc Sherman [email protected]
