May 26, 2020

Remember Good Data Hygiene: An Official Advisory from the US Government

Our government is telling us that bringing home that new holiday iPhone® should be a more complicated process than most of us realize. New US Department of Homeland Security (DHS) guidance is appropriately timed to coincide with the holiday shopping season during which many trade up to a new device. It also comes as resales or other transfers of used devices lead to increasing instances of identity theft and scams based on remnant data on the devices.

The US Computer Emergency Readiness Team (US-CERT), part of DHS, has published an official advisory regarding properly deleting data from electronic devices.* The guidance applies to most any device with data memory (e.g., computers, tablets, smartphones, external storage devices, gaming consoles, cameras and printers). Extensive technology experience is not needed to understand the relatively short guidance.

Under the advisory, good data hygiene involves (1) backing up data, (2) deleting data, (3) overwriting old data, and (4) destroying data when you are ready to part with the device. Steps (2), (3) and (4) are the key steps for sanitizing a device, and may not be intuitive. The last step (destruction) could probably compensate for not previously deleting or overwriting data.

A key message of the advisory is that deleting the data may not be enough to "make it go away." Leftover information can linger, for example, in unallocated storage space. To prevent misuse of old files, US-CERT recommends that users overwrite storage devices and not merely delete data. PCs running Windows and Macs often have built-in features to do this – but don’t forget to do it. Don’t forget to sanitize USB thumb drives, memory cards, and other storage systems as well. The gold standard to prevent access to data when you are done with a device, according to US-CERT, is physical destruction of a device. US-CERT tells us you can use a professional service in this regard or have your own demo day by drilling holes or hammering nails into a device. US-CERT fails to tell us to exercise caution in electing the do it yourself route, but please do so!

Following US-CERT’s advisory is akin to the preventive care of an annual medical exam – it’s not always fun, but can be valuable – so don’t forget to do it.

*See the complete advisory "Security Tip (ST18-005): Proper Disposal of Electronic Devices" available at, current as of October 31, 2018.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...