Researchers examined thousands of hard drives during the decade before the report, finding the percent of drives containing residual data after being resold had dropped from 80 percent to only 30 percent.
Almost all are unencrypted and unprotected. Collectively they represent more than 95.6 million gigabytes of data lost from computer hard drives during the 10-year course of the study.
Data left on cell phones amounted to 90 million gigabytes of lost data per year, of which 4.5 million gigabytes were sensitive data including emails and contact details.
For corporate IT those figures amount only to a warning to scrub disks more carefully before recycling or reselling PCs.
Most companies are moving part of their IT operations into the cloud, however, in the form of software as a service (SaaS) apps such as Salesforce.com or Google Docs, or in the form of readymade servers and data centers from cloud infrastructure providers such as Rackspace, Amazon or Microsoft.
Those are the services that can pose a problem, because they put many clients on the same set of hardware, relying on encryption and virtualization software to keep one client's virtual data center from overlapping with another.
Virtual servers are not supposed to be able to see the underlying operating system, let alone the hardware.
Many companies insist on being able to access the hardware running their apps or data, however, to help ensure security, performance and usage policies can be kept within their own guidelines.
Those servers, virtual storage and other resources may be dedicated to that one client alone, to avoid putting another client on hardware whose security is controlled by a different client.
The hardware itself is almost never new, however. They're servers or storage that has been used as real servers, or hosts for as many as 16 virtual servers at a time.
Each of those servers and each client who passed through the system could leave sensitive data behind if the cloud provider and the client aren't both careful.
Worse even than the possibility that "Deleted" doesn't mean "securely erased" is the risk of giving away secure certificates or tokens contained in virtual-server containers that could be passed from one department or company to another by users who believe them to be only templates, not individually identified and authenticated servers.
Even cloud providers who are conscientious about erasing data between users can be flummoxed by conflicts or software errors that simply mark data "deleted" rather than actually deleting it.