Idaho Power is not alone, said Frances O'Brien, a research vice president for asset management at Gartner. "It happens all the time," she said. Typically a user either doesn't know to clean the drives, or doesn't do it correctly, she said.

According to a Gartner survey, organizations used outside companies to dispose of PCs 29 percent of the time, and to get rid of servers 31 percent of the time. Other methods included donating hardware, putting it in storage, selling it to employees, returning it to the vendor and selling it to third parties.

Aside from the financial concerns with losing data, organizations that improperly recycle disk drives can run afoul of a number of regulations, depending on their industry: the Health Insurance Portability and Accountability Act; Sarbanes-Oxley; Gramm-Leach-Bliley for the banking industry; the Family Educational Rights and Privacy Act for educational institutions; and the Fair and Accurate Credit Transactions Act. In addition, several states, including California and New York, have broad-based privacy regulations, said Robert Houghton, president of Redemtech, a Columbus, Ohio, outsourcer.

The problem is widespread. Gartner estimates that through 2009, consumers and businesses will replace more than 800 million PCs worldwide, and dispose of an estimated 512 million.

What's more, a company can get a bad reputation for not taking proper care of personal data, O'Brien said. When companies hire an outsourcer -- which is a practice Gartner recommends -- it needs to be careful of what the salvage company will do and how they will prove it. "If everyone else is charging US$20 and someone says they'll do it for $2, you've got to wonder why," she said.