Written by Lani Byrd
IT IS NO SECRET that
smartphones, tablets, laptops, smartwatches, and other portable electronic
devices contain a treasure trove of sensitive data. If these items were to end
up in the wrong hands it could violate the original owner’s privacy, putting
them or their loved ones in danger. It can also bring potential liability upon
the law enforcement agency that oversees these items. It is incumbent upon the property
and evidence department to dispose of these items in a secure manner that
protects the owner’s privacy as well as the reputation of the agency. Ensuring
that these electronic devices are purged in a secure manner is an area that can
sometimes be overlooked.
Let’s look at two
Scenario 1: A teenage girl loses her phone. It is
found by a local citizen who does the right thing by turning it in to their
local law enforcement agency for safekeeping. Since the phone was never claimed
by the owner, the phone is then turned over to be sold at auction. The winner
of the auction—who has a nefarious reputation—can now access the private
information of this teenager, thus having the potential to cause harm to this
person and/or her family and friends.
Scenario 2: A charity receives donated electronic
devices from their local law enforcement agency. The
charity sells these devices to an electronics recycler, who in turn sells them
without ensuring the data is deleted. To his delight, the buyer of the device
finds innocent family photos of the children taking a bath together. Not
only does this person now have access to these photos, he also likely has the
contact information of the family that the device once belonged to. Law enforcement effectively just gave these photos to a man
who intends to share them with his network.
In both scenarios,
the law enforcement agency could face liability along with negative publicity
since they did not dispose of the devices in a safe and guaranteed-secure
This article is
intended to help law enforcement agencies to understand the importance of utilizing
a data-erasure disposal policy that securely deals with the unclaimed
electronics in their possession. It will guide you through the process of
evaluating your current electronics disposal method. We will delve into
the basic technical requirements your process should meet, and how you can
ensure your disposal method protects the owners’ information and your agency’s reputation.
Defining “Secure”: What
Does Secure Disposal Entail?
There are two basic
components to a secure electronics disposal program:
1. First, all data
must be permanently erased from working devices.
2. Second, any device
that cannot be erased must be recycled in a manner that protects the data from
being recovered at a future time.
Permanent Erasure — Erasing devices is not simply a matter
of performing a factory reset. The factory reset process does not necessarily
erase the data. For a two-minute video demonstration of just how easy it is to
recover data, visit www.data-secure.org/android-factory-reset.
Another way some choose
to purge the devices in their possession is to smash them. This is not
effective, nor is it secure. Secure data-erasure recycling facilities have
helped law enforcement recover data from destroyed devices on multiple
occasions. The device itself may be destroyed, but the data contained in it is still
very much alive.
To ensure that data
on devices is not recoverable, each device must be erased in compliance with
minimum industry standards. Using a disposal company that utilizes a third-party,
licensed erasure software can ensure that devices are erased to current
industry standards. Additionally, third-party verification ensures the
integrity of your erasure process.
Below is a list of
the minimum standard by device type.
Standards — Not all devices can
be adequately erased. Some will not power on, are damaged, or are obsolete.
These devices must be recycled by a certified R2 recycler. An R2 recycler
strictly follows both environmental and security standards for the electronic-recycling
What Should I Look
for When Disposing of Devices?
Selling items through
an online auction site may sound attractive. However, consider two items of
1) Protecting the
sensitive information contained on the device, and
2) Protecting your
If you elect to sell
devices through an auction site, make sure the company you choose guarantees the
complete erasure of data. Read all terms and conditions carefully. It is common
for auctions to use terms like “Certified Data Erasure” or “Secure Data
Destruction”, but they employ processes that do not ensure complete data
erasure. Some even say so in their user agreement, with terminology such as:
“we assume no liability” or “we do not guarantee we will erase all data on
The 911 Cell Phone
Bank (911CPB) is a non-profit 501(c)(3) organization that provides a 100% free
service to law enforcement agencies to securely recycle electronic devices.
They purchased ten smartphones from a popular online auction site that sells
items on behalf of law enforcement and public agency clients to see if there
was, indeed, data left behind. Many of the smartphones listed on this auction
site are sold in “as-is” condition. Devices are listed as “untested due to the
fact it does not power on, does not take charge, sold as-is, for parts, may be
account or carrier locked”. Remember, untested essentially means uncleared. James
Mosieur, Director of the 911CPB, notes what was found on these ten devices:
Regardless of who is
processing devices on your behalf, be certain to get satisfactory answers to
the questions below.
1. Who is processing
First, determine who
is doing the actual processing of the devices. Most charities simply pass the
devices on to a third party to process and sell. If your agreement is not with
the third party itself, then, should a data breach occur, you could be held
liable for any damages sustained by the original owner of the device.
Ask the following of
the third-party processor:
• What erasure
standard does the processor use? Most organizations (non-profit and for-profit alike) simply use the built-in
factory reset or “hard reset” as some refer to it, to clear devices. As the
video referred to above proves, factory resets don’t always delete personal
data. Make certain the processor you choose adheres to the minimum standards
listed above. Otherwise, you leave your agency open for liability.
If your processor
relies only on factory resetting devices, find a new processor! Regardless of
the good that may be accomplished, they are leaving your agency unnecessarily
exposed to potential liability.
• Can your processor
prove the devices are being erased properly? Many
organizations will simply assure you that the devices are being erased
properly. That’s why third-party verification is important. Without it, you
must take the word of the processor. With it, however, a qualified third-party
software provider will confirm the device has been erased. Most processors do
not use third-party software because of the cost: licensing can cost tens of
thousands of dollars per year or more.
• Does the processor operate
a secure facility? Most facilities have
basic security like an alarm system, deadbolts on the doors, etc. However,
since portable electronic devices are just that — portable — there must be
increased security inside the processor’s facility. Increased security includes:
Checks — A background check helps to identify applicants that have a
criminal past. While someone with a criminal past may qualify to work in other
capacities, they should never have access to devices that contain private and
Processing Area — The processing area must be secured with locking doors
and accessible only by staff that have a legitimate reason to enter. Doors
from the secure processing area must not open to the outside of the building.
– Security Cameras
— Good surveillance, whether live-monitored or recorded, discourages theft and
pilfering. Since the processor will have memory cards and thumb drives that can
easily be slipped into a pocket before erasure, cameras in the entire facility
are a necessary deterrent.
– Alarm Backup and
Monitoring — The facility’s security alarm must be monitored. In addition,
it should have a battery-powered wireless backup that allows it to continue to
operate if the phone lines or power is disabled.
• Do the
processor’s internal policies ensure security? Extra care must be taken
when hiring and managing employees, and when handling shipments. Policies that
ensure that the law enforcement agency’s data will be protected while under the
control of the processor are imperative. Below is a list of minimum policy
requirements that should be in place.
– Personal items that
can be used to steal or pilfer, such as jackets with pockets, lunch boxes,
purses, backpacks, etc., should not be allowed in the processing area.
– As shipments are
received, they must be immediately secured in the processing area. Shipments
should never be opened outside of the secure processing area. If devices are
removed by the processor or their representative, they must be properly secured
before removal (for example: Are boxes taped? Are they being transported in a
vehicle that can be locked?).
– Only necessary
staff who have had a background check should have access to the secure
processing area. It should be clear who is authorized to enter the secure
processing area, as well as the consequences for unauthorized entry. Visitors
should not be allowed in the secure processing area.
– Devices that have
not been erased should not be taken outside of the secure processing area.
• Does the
processor have a professional liability insurance policy? Mistakes do happen.
Your processor should have a liability policy that covers them if they are
negligent in the service they provide and, as a result, private information is
exposed. They should have no problem adding your agency as an additional
insured on the policy.
• Does the
processor use a certified R2 electronics recycler for recycling broken or obsolete
devices? Proper disposal of broken or obsolete devices goes beyond the
environmental aspect. Using a certified R2 recycler ensures that devices that
cannot be erased are destroyed.
As you can see, there
are many variables to consider when ensuring that devices leaving the care of your
agency are disposed of in the most orderly and secure manner.
devices from your agency is more important than ever before. The way your
agency chooses to dispose of purged electronic devices matters. Showing concern for private data after the device leaves your property room can protect
your agency and build trust from within your community.
Since 2004, the 911
Cell Phone Bank has been working with law enforcement agencies to provide
guaranteed secure disposal of electronic devices. The service is 100% free
including shipping costs. Every erasure is tested, certified, and approved. To
date, over 150,000 phones have been repurposed and used as emergency devices to
help vulnerable persons contact 911 in an emergency.
To arrange for a
donation of devices, or to obtain emergency phones for your Victim’s Agency Unit,
please contact: 911cellphonebank.org | 866-290-7864 | email@example.com
Take the necessary
steps now to protect your agency’s reputation far into the future.
About the Author
Lani Byrd works with the 911 Cell Phone Bank
assisting law enforcement agencies throughout the country with the safe
disposal of electronic devices in their Property & Evidence departments.
She previously worked as the National Membership Director for the Emergency
Care and Safety Institute (ECSI), providing safety certification training
programs such as First Aid and CPR/AED, to law enforcement and EMS agencies.
She has also worked for the Citrus County Sheriff’s Office in Inverness,
Florida where she held two different civilian positions, 1. Receptionist and 2.
Information Technology Support.