Written notice which says "I don't have any company stuff on that laptop"

jibbajabba

Can someone come up with a decent paragraph which can be signed by someone who bought an old company laptop and agrees / confirms that there is nothing company related stored on it ?

I am somewhat struggling (not native myself) ..

Seems easy I know - but it also has to be "right"

Any help is appreciated ..

erpadmin

jibbajabba wrote: »

Can someone come up with a decent paragraph which can be signed by someone who bought an old company laptop and agrees / confirms that there is nothing company related stored on it ?

I am somewhat struggling (not native myself) ..

Seems easy I know - but it also has to be "right"

Any help is appreciated ..

Do you mean your company is selling an old laptop to someone and you want that person to sign something confirming there is nothing on the company like the O/S or data??

Normally, when companies want to sell/donate/give away to staff computers, the computer (be it desktop or laptop) is wiped. Lately, a company will wipe the HD and not even include the hard drives.

In that case, this is what I would write:

I, _______________, agree that XYZ company has sold a laptop to me AS-IS. I, furthermore, understand that XYZ company will not provide any support, software, or other warranty for sold laptop and that it is my responsibility to install any necessary software/hardware on my own.


Signed,

_______________________

Mind you, I'm not a lawyer (or what you guys call a barrister), but that is the gist of what you want.

gunbunnysoulja

I agree with erp that the company should do the wipe. A contract is not really sufficient when we are talking about possible PII and intellectual property of the company.

I would do a professional wipe or (preferably) sell without a HDD.

ThunderPipe

From my experience, when a company donates of sells the computer, the hard drive is removed and destroyed.

erpadmin

And by wipe...we're talking degaussing/high powered magnets. Formatting/deleting partition is just not good enough. A few years ago, I was able to retrieve this police captain's data (90% of it) after one of his sergeants reinstalled an O/S over it (after partition was deleted and reformatted.) He would have paid me good coin for my trouble, but having a friend like him on the force was a better deal.

Had the hard drive been degaussed, there would have been nothing I could have done.

JDMurray

If there's an OS on the laptop's hard drive that was licensed to the company, that licensed must be transferred to the new owner too. If the organization selling the laptop wishes to retain the OS license, wipe the hard drive and install/image a free distro of Linux on to it so the laptop can be booted and verified that it works.

Forsaken_GA

erpadmin wrote: »

And by wipe...we're talking degaussing/high powered magnets. Formatting/deleting partition is just not good enough. A few years ago, I was able to retrieve this police captain's data (90% of it) after one of his sergeants reinstalled an O/S over it (after partition was deleted and reformatted.) He would have paid me good coin for my trouble, but having a friend like him on the force was a better deal.

Had the hard drive been degaussed, there would have been nothing I could have done.

If the company has the drive fully encrypted, just destroying the volume and recreating it will be sufficient. The data may still be there, but without the decrypt keys, good luck breaking it.

dustinmurphy

In the past, I've wiped the drive with KillDisk, which is GENERALLY sufficient. I've also removed hard drives and/or destroyed them (with a drill.. straight through the platters) at times. It depends on how important the data was on the laptop.

I would not trust just a contract for that.... BUT, what erpadmin posted sounds sufficient AFTER you wipe the laptop.

afcyung

This is really a remanance security issue that should be addressed. The buyer has no knowledge of what info is stored on the laptop until they view it. The best solution is to sell the device without the hd and destroy it or use a nist certified whole disk erasure software. A user agreement wont be sufficient to protect sensitive info.

SteveLord

DBAN for the win. Totally free for all types of wipes, unlike Killdisk.

erpadmin

dustinmurphy wrote: »

I would not trust just a contract for that.... BUT, what erpadmin posted sounds sufficient AFTER you wipe the laptop.

I believe my contract stated that the new owner would have to procure any hardware/software...that would include a hard drive.

[Seriously, a 250GB laptop drive is pretty cheap. The 500 gigger that replaced the 160 gigger that came with my PS3 wasn't that expensive.]

erpadmin

Forsaken_GA wrote: »

If the company has the drive fully encrypted, just destroying the volume and recreating it will be sufficient. The data may still be there, but without the decrypt keys, good luck breaking it.

I'm willing to bet dollars to donuts that's not even the case with the OP. Since that would be double work for him, he's better off wiping/destroying the hd. That's the only thing I would not give to an individual/organization outside of my shop for a donation.

SteveLord

erpadmin wrote: »

I believe my contract stated that the new owner would have to procure any hardware/software...that would include a hard drive.

[Seriously, a 250GB laptop drive is pretty cheap. The 500 gigger that replaced the 160 gigger that came with my PS3 wasn't that expensive.]

$80+. Not really cheap anymore since "the flood", but I hear ya.

DBAN takes 3+hrs depending on the size of the HDD and the wipe method you choose. I typically do the DoD level wipe (as that is the minimum recommended by the security team here).

If you choose the Guttman wipe, expect it to take overnight. Save it for when you are selling a hard drive that contains launch codes to a nuke or your collection of Johnny Cash MP3s.


erpadmin, does NJ contract a vendor for wiping hard drives?

erpadmin

SteveLord wrote: »

erpadmin, does NJ contract a vendor for wiping hard drives?

Depends on the agency/shop. Some NJ IT shops are autonomous from OIT, and I work in one of those shops. I have seen that a company called Mountain View being used to shred HUNDREDs of hard drives. When the number is relatively few, help desk guys will use an inhouse solution, which may involve something like KillDisk. (I know they have a software solution, but I don't know which one...but I know it's a wiping solution. I'll ask after the holidays.) I'm not really involved in that side of the house, but in meetings I was at discussing IT security, that was brought up. I've known for years that a wiping solution/magnets/destruction of HDs was what needed to be done to HDs to protect the organization's data.

Edit: BTW, I had to go back to my Amazon purchase to see what my 500 GB drive was. $69.99 was what I had paid. That same drive is now going for $149.99!! This was back in February 2011!

What is this "flood" you are speaking of?

JDMurray

erpadmin wrote: »

Edit: BTW, I had to go back to my Amazon purchase to see what my 500 GB drive was. $69.99 was what I had paid. That same drive is now going for $149.99!! This was back in February 2011!

What is this "flood" you are speaking of?

The "flood" is the Japanese tsunami that happened on March 11th. The damage to Japan's power and industrial systems has caused the price of a lot of Japanese good and service to rise considerably this year due mainly to manufacturing shortages.

exampasser

JDMurray wrote: »

The "flood" is the Japanese tsunami that happened on March 11th. The damage to Japan's power and industrial systems has caused the price of a lot of Japanese good and service to rise considerably this year due mainly to manufacturing shortages.

It was the flooding in Thailand in October that damaged a lot of hard drive plants which resulted in a hard drive shortage.

erpadmin

Ahh....gothcha...I remember back in the late 90s when this happened and the price of RAM went through the roof. This should stabilize within a year.

petedude

dustinmurphy wrote: »

I've also removed hard drives and/or destroyed them (with a drill.. straight through the platters) at times. It depends on how important the data was on the laptop.

One word: Sledgehammer.

(No, not two words, because that leads to other connotations such as hardboiled cop show spoofs and Peter Gabriel songs.)

colemic

To the OP, I think you are coming at this from the wrong way, as a few others have said - I don't think you can require the purchaser to confirm that the laptop has not sensitive information on it... what happens if they find a file 6 months from now? If they distribute it, who is held liable? The company, I would imagine, since they have a duty to protect that sensitive information, and the purchaser has no obligation to do so. Even if you required them to certify that there was not, if that information was disclosed or leaked, your company is still on the hook as the information owner.

Forsaken_GA

erpadmin wrote: »

I'm willing to bet dollars to donuts that's not even the case with the OP. Since that would be double work for him, he's better off wiping/destroying the hd. That's the only thing I would not give to an individual/organization outside of my shop for a donation.

Well, certainly, I'm just pointing out, that if his organization is intelligent enough to do full disk encryption (they may be under some regulation that requires it, for example), that destroying the hard drive isn't necessarily the best or easiest solution, even though it's the one that so very many default to out of paranoia.

And any organization that deals with sensitive information that isn't doing full drive encryption is being incredibly foolish. Of the two scenarios - Someone getting the hard drive used and actually bothering to do data recovery on it to see if they can get anything juicy, or an employee losing their laptop or getting it stolen.

In the latter case, if the company isn't using entire drive encryption, they're employing less risk management to the more likely occurrence which is just plain freaking stupid.

cisco_trooper

I think this is a little ridiculous. You are trying to place responsibility for the contents of a machine on the person buying the machine. No offense but if you even remotely indicated that I would in any way be responsible for the contents that YOU put on the machine I would laugh in your face, walk away, and never attempt to transact business with you again. If you are concerned about the contents of whatever machine you are selling or donating it is entirely your responsibility to wipe the machine. It takes no time, it's easy, and it is your best option.

ThunderPipe

cisco_trooper wrote: »

I think this is a little ridiculous. You are trying to place responsibility for the contents of a machine on the person buying the machine. No offense but if you even remotely indicated that I would in any way be responsible for the contents that YOU put on the machine I would laugh in your face, walk away, and never attempt to transact business with you again. If you are concerned about the contents of whatever machine you are selling or donating it is entirely your responsibility to wipe the machine. It takes no time, it's easy, and it is your best option.

Somebody just got served.

cyberguypr

cisco_trooper wrote: »

I think this is a little ridiculous. You are trying to place responsibility for the contents of a machine on the person buying the machine. No offense but if you even remotely indicated that I would in any way be responsible for the contents that YOU put on the machine I would laugh in your face, walk away, and never attempt to transact business with you again. If you are concerned about the contents of whatever machine you are selling or donating it is entirely your responsibility to wipe the machine. It takes no time, it's easy, and it is your best option.

Agree. The average user can't change even change the default printer. There's no way they can attest to the contents of the drive. That makes absolutely no sense. I am no legal expert but I think that if SHTF the document they sign would never hold in court. As part of the asset life cycle you should at least wipe the drive when you retire it. Due diligence can do wonders to CYA and the company's.

I am surprised no one has mentioned that coming up with legally binding verbiage is better left to the legal dept. goons.