The State of New Jersey Department of the Treasury

Disposition of Surplus Computer Equipment Report

REPORT TO THE NEW JERSEY STATE LEGISLATURE AND THE GOVERNOR

Issued pursuant to N.J.S.A. 52:27B-67.2

February 19, 2014

Background

P. L. 2011, c. 225, enacted into law on January 17, 2012, imposed new requirements for the disposition of surplus computer equipment and other electronic devices capable of storing data and requires the Director of the Department of the Treasury’s Division of Purchase and Property (DPP) to report to the Governor and the Legislature the programs established to implement those requirements. This legislation was adopted in response to a March 9, 2011 audit by the Office of the State Comptroller which identified deficiencies in the policies and procedures for disposition of excess and surplus computer equipment. The statute incorporates and requires the adoption of most of the Comptroller’s audit recommendations.

DPP is statutorily responsible for disposal of the State’s surplus personal property (N.J.S.A. 52:27B-66). Treasury’s Division of Property Management and Construction (DPMC) manages the Bureau of Special Services (BOSS) warehouse, where it consolidates surplus furniture and computers for redistribution or disposal. The Office of Information Technology (OIT) is responsible for promulgating policies and procedures to safeguard the confidentiality of State data within the Executive Branch agencies.

The Audit

On March 9, 2011, the Office of the State Comptroller published an audit on the disposition of excess and surplus computer equipment, covering the period from July 1, 2008 through December 16, 2009. The audit identified a number of areas for improvement in the program, the most pressing of which could have resulted in the unintended release of confidential data residing on the hard drives and other storage devices of surplus State computers and other electronic devices. At that time, State agencies were required by Circular Letter 00-17-DPP to remove all data from computers declared excess or surplus, but were not required to remove the storage devices. The auditors found data on 79% of the 58 hard drives they removed from State computers. Additionally, the report recommended changes in the procedures used for redistribution of reusable excess computers both within State government and to local governments and non-profits, and highlighted security deficiencies at the BOSS warehouse.

Treasury’s Policy Changes

DPP and DPMC first implemented more stringent policies and procedures to address the data security issues identified by the Comptroller’s audit eight months prior to the release of the report. On July 13, 2010, following a meeting at which the auditors discussed their preliminary findings with the divisions, DPP suspended all auctions of surplus computers, and DPMC notified its agency surplus contacts that the Division was suspending all movement of surplus computer equipment containing data storage devices to the First Avenue warehouse for disposal. On September 24, 2010, DPP published an interim policy for handling surplus computers and other devices capable of storing data (copiers, cell phones, personal digital assistants (PDAs)) that required the using agencies to remove all storage devices and hold them pending further direction on proper data cleansing or destruction.

Since adoption of that interim policy:

• OIT published Circular 09-10-NJOIT, Information Disposal and Media Sanitization, which includes policy, standards and procedures for information disposal and media sanitization. The Circular requires that agencies remove and destroy media capable of storing data, such as hard drives and removable storage devices, prior to sending surplus computers to the BOSS warehouse or otherwise disposing of them as surplus. Previously, the data had to be removed, but we did not require data storage devices within surplus computer equipment to be removed.

• DPP issued Circular Letter 13-18-DPP, Disposition of Excess and Surplus Computer Equipment, to replace Circular Letter 00-17-DPP and the interim policies and procedures. “Computer Equipment” as used in this Circular encompasses all electronic data storage, processing and retrieval devices, and thus includes copiers, printers, facsimile machines, cell phones, PDAs, electronic tablets and multi-function devices which include non-volatile data storage capability. The principal purpose of the Circular is to maximize the value to the State of this equipment as it reaches the end of its useful life, while preventing unintentional disclosure of confidential, personal and sensitive information that may have been stored on the equipment. To this end, the Circular requires all storage devices be removed and destroyed in compliance with 09-10-NJOIT prior to computer equipment surplussing.

• DPP amended two State contracts, T0889 (Off-Site Media Handling and Transportation) and M0483 (WSCA Computer Contract), to provide agencies with drive destruction services. Both contract vendors meet the OIT standards. Currently, only M0483 is available for agency use, as T0899 has lapsed. DPP is re-procuring this contract, including the drive destruction services, but does not expect agencies to make significant use of these services as DPMC now provides a more cost effective option (described below).

• DPMC’s BOSS warehouse recently installed a media shredder to provide agencies with a more cost effective means of drive disposal compliant with 09-10-NJOIT and adopted policies and procedures for media disposal which mirror those of C.L. 13-18-DPP.


• DPP amended Contract T437A, Copiers, Cost per Copy, to require that all hard drives are removed and returned to the using agency for destruction whenever a copier is retired or replaced.

• DPMC has strengthened the BOSS warehouse’s security procedures to require visitor sign-in and escort and has moved two outside agencies out of the first-floor space where the surplus computers are stored pending disposition.

Current Process

The current process for disposing surplus computer equipment meets all statutory requirements.

Unlike other surplus property, surplus computers are no longer offered to other agencies for reuse, though departments or agencies may use their established procedures for redeploying, within their organization, excess computers and other electronic devices which have not yet reached the end of their useful life. Similarly, surplus computers are no longer offered to other governmental units, boards of education, nonpublic schools or nonprofit charitable corporations as permitted by N.J.S.A. 52:27B-67.1. Both of these redistribution programs were suspended on July 13, 2010, and DPP has no plans to resume them.

Surplus computer equipment is typically disposed of through one of three methods: shipment to DPMC’s BOSS warehouse for aggregation and auction; on-site auction directly from the using agency; or removal and aggregation for auction by a contract vendor, typically as part of a contracted roll-out of replacement assets. In each case, the department or agency must first physically remove the computer's hard drive and any other device that has data storage capability. This includes the removal of all memory sticks, flash drives, tapes, CDs, disks and other nonvolatile memory. All hard drives and other data storage devices must remain with the owning department or agency and must be disposed of in accordance with Circular 09-10-NJOIT. Circular 09-10-NJOIT requires that storage devices be removed and destroyed for equipment that will leave the control of the owning organization, and requires data cleansing for assets redistributed within the owning organization.

Departments and agencies must notify DPP’s Surplus Property Unit or DPMC’s BOSS Warehouse of computer equipment they wish to declare as surplus. Notification consists of completing and forwarding Form PB-160, "Excess/Surplus Property Notice," or the department’s own inventory, asset or property disposal form. In addition, each unit of equipment capable of storing data must be certified using Form PB-180, “Declaration of Removal of all Hard Drives and Other Data Storage Devices on Surplus Computer and other Electronic Devices” (also available as Form OIT-0120), which must be signed by the department’s Chief Technology Officer, or their designee.


The BOSS Warehouse does not accept equipment without the required documents. Each shipment to the warehouse is counted at receipt. Any discrepancy between the certified count and the physical count results in refusal of the entire shipment. If a shipment contains a storage device, the entire shipment is refused. Should a drive be discovered in a shipment after delivery has been accepted, the entire shipment is segregated and returned to the owning agency within 48 hours.

For contracted roll-outs of replacement assets, the department or agency must notify the Surplus Property Unit of the anticipated roll-out schedule in advance. The owning department or agency may require a contract vendor to conduct the drive removal and complete the PB-180, but the responsibility to ensure that all data storage devices are properly removed and disposed remains with the department. Additionally, the PB-180 must still be certified by the department’s IT Officer. All computer equipment held for auction at an agency site or a contractor’s warehouse is subject to inspection or audit at any time to confirm proper compliance with these procedures.

All computer equipment delivered to the BOSS Warehouse or held for onsite auction is visually inspected for data storage devices, and a percentage of computers are opened and checked for hard drives before any shipment is accepted for auction. If any data storage device is found or if the physical count does not match the PB-180 count, the entire shipment will be rejected and must be reinspected and recertified. Additionally, an incident report will be filed with OIT. Repeated violations may result in Treasury suspending the offending department from the program until it submits and the division accepts a corrective action plan detailing how the department will ensure future compliance. Contract vendors that violate surplus computer handling procedures also require a corrective action plan and may have their contract revoked and/or be bypassed for future contract awards.

DPP is aware of only five instances of non-compliance since implementing these policies, as the BOSS Warehouse has refused to accept five shipments for lack of proper certification because the CPU count did not match the declaration forms. In two cases the shipment was returned to the using agency, and in three cases the agency’s Information Technology Officer appeared at the warehouse to conduct a recount and recertification. The Division has also sampled shipments to confirm that hard drives have been removed and were not included in an agency shipment.

In sum, the Department of Treasury, through DPP, DPMC and OIT, has implemented policy and procedure changes concerning data security and the disposition of surplus computer equipment which we believe have prevented and will continue to prevent confidential State data from release through the disposition of surplus computers. Sampling of surplus computer shipments indicates that agencies have complied with these new procedures. Treasury will continue sampling shipments to monitor and to ensure future compliance.
