Secure Computer and Mobile Device Disposal

When you get a new computer or mobile device, it’s important to remove your personal information and that of your clients from the old one before you recycle or donate it. One also has to take such precautions when sending a computer off to be fixed. Not only are there plenty of horror stories out there about one’s own personal information going awry, but we also have a professional responsibility to clients.

Many real estate professionals store sensitive client information on their computer – in documents and emails – including mortgage applications and commitments, documents surrounding credit approval including credit reports for buyers and tenants, and other client information such as birthdates, social security numbers, bank account numbers on cancelled checks, and more. In terms of the credit information, the Federal Trade Commission (FTC) requires that “all users of consumer report information have in place procedures to properly dispose of records containing this information” (http://www.ftc.gov/os/2004/11/041119factaapph.pdf). There are also a variety of state breach notification laws that may come into play, depending on what information you are storing. But hopefully the security of your own information and the value of your own professional reputation are enough to motivate you to keep reading.

The easiest way for the less technically inclined to eliminate data on an old hard drive is to physically destroy it. Chances of data recovery are slim to none if you take the hard drive out of the computer, put it on a cement surface and hit it with a sledgehammer until the drive is pretty flat and sounds like a maraca when shaken. Then, if you’re going to donate the computer to someone else, you can always have a local computer repair place install a cheap replacement hard drive and install your operating system from disk again.

If you are perfectly confident that you can find and delete all the sensitive files on your computer, then you can take the approach of uninstalling all of the ‘extra’ software you’ve added since getting the computer, deleting all your documents, your temporary Internet files, your cookies, and your email databases. You have to be very careful not to miss application preference and settings files left behind, including those for your browser and email client. Then, if you have a PC, you can use a tool like CCleaner’s Drive Wiper feature to securely erase (overwrite) the hard drive space where the information you’ve deleted will still be stored – just use the “NSA” option or better. CCleaner can also securely erase an entire drive – but not the one you’re running Windows on. You can get CCleaner here: http://www.piriform.com/ccleaner/. If you have a Mac, secure deletion is easier – at least if you are running OS version 10.3 or later. Once you’ve moved all the sensitive information to the trash, just select “Secure Empty Trash” from the Finder’s File menu.

Unfortunately, it’s easy to make a mistake when deleting files one by one, so generally I would suggest wiping the entire hard drive and re-installing the operating system if you plan to donate the computer. If you use Windows or Linux, the best free tools to do this are Darik’s Boot and Nuke (http://www.dban.org/) and Secure Erase (http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml). Unfortunately, you (or a techie friend) have to know how to burn a bootable CD and boot your computer from it. While each of the sites I’ve referenced has some help on how to do that, it’s certainly not as easy as pie. On a Mac, writing over the hard drive is easier. Start the computer with your Mac OS X install disc in the drive and while holding the “c” key. Then choose Disk Utility from the Installer menu, then choose erase and a security option, using at least the “7-Pass Erase”.
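One way to check that a wipe actually removed the data, shown as an added example that is not part of the original article: the script reads a raw disk image sector by sector, counts sectors that still hold data, and reports the offsets of Social Security number shaped strings. The function names, the image file, and the sample record are constructed for illustration.

```python
import os
import re
import tempfile

SECTOR = 512
SSN_RE = re.compile(rb"\d{3}-\d{2}-\d{4}")  # SSN-shaped: ddd-dd-dddd
OVERLAP = 10  # pattern length minus 1: catches a match split across two reads


def audit_image(path, chunk_sectors=128):
    """Return (nonzero_sectors, total_sectors, offsets of SSN-like strings)."""
    nonzero = total = pos = 0
    hits, tail = [], b""
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR * chunk_sectors):
            for i in range(0, len(chunk), SECTOR):
                total += 1
                nonzero += any(chunk[i:i + SECTOR])  # True if any byte != 0
            window = tail + chunk
            base = pos - len(tail)  # file offset of window[0]
            hits += [base + m.start() for m in SSN_RE.finditer(window)]
            tail = window[-OVERLAP:]
            pos += len(chunk)
    return nonzero, total, hits


def build_sample_image(path, sectors=64):
    """Constructed image: an empty disk with one leftover 'deleted' record."""
    data = bytearray(SECTOR * sectors)
    record = b"SSN 000-12-3456"  # constructed placeholder, not a real number
    start = SECTOR * 10 - 9      # places the record across a sector boundary
    data[start:start + len(record)] = record
    with open(path, "wb") as f:
        f.write(data)


def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "old_drive.img")
        build_sample_image(img)
        before = audit_image(img, chunk_sectors=1)
        with open(img, "r+b") as f:  # stand-in for a one-pass zero wipe
            f.write(bytes(os.path.getsize(img)))
        after = audit_image(img, chunk_sectors=1)
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a drive wiped with random data rather than zeros, the non-zero sector count will be high by design, so the pattern hits are the meaningful signal there.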

What about securely erasing mobile devices? There are so many mobile operating systems and versions, but here are instructions for the most common ones:

  • BlackBerry: If you have associated the phone with a BlackBerry.net email address and internet service account, these should be terminated. Then once your data is backed up, use the Wipe Handheld option from the Options->Security Options area. Detailed instructions are here: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB05099
  • Android: Go to Settings->Privacy and use the “Reset” or “Factory Data Reset” option. Don’t forget about the SD card! In Settings->SD card & phone storage, unmount, then format the SD card. The erasure is moderately secure.
  • Palm: Here’s an article describing how to do a hard reset or better, a “Zero Out Reset”: http://kb.palm.com/wps/portal/kb/common/article/887_en.html. The erasure is moderately secure.
  • iPhone: For version 2 or more recent, select “Settings > General > Reset > Erase All Contents and Settings”. Prior to version 2, it was very difficult to wipe the iPhone, and I’d suggest using the sledgehammer method on the old model.

Don’t forget that sensitive information can also be stored in the memory of printers, copiers, and fax machines. Usually the device user manual or the manufacturer’s website will have detailed instructions on clearing the device memory before you get rid of it.

If you follow these steps when recycling, donating, or otherwise relinquishing control of your computers and mobile devices, you can have at least some assurance that sensitive information won’t fall into the wrong hands.

About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.