Earlier this spring, CBS did a story called "Digital Copiers Loaded With Secrets," which exposed the hidden dangers of sensitive data stored on the hard drives of digital copiers. According to the story, “Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine.”
In their research, they purchased 4 previously used digital copiers and removed the hard drives. Using software that was easily found and downloaded off the Internet, they read the drives, discovering tens of thousands of scanned document images containing highly sensitive data.
The story went on to say that in 2008, Sharp Imaging commissioned a survey which found that 60% of Americans don’t know that copiers store these images on their hard drives. While most of the major copier manufacturers offer security features to protect this data, most users either don’t know about them, or don’t understand the need to use them.
In response to the outcry from this story, US Representative Ed Markey sent a letter to the Federal Trade Commission, calling for an investigation into the potential impact on data privacy presented by this practice. The FTC responded that they were contacting copy machine manufacturers and vendors to find out what communication and education they were providing to their customers about the potential risks, and what security options they offered to help mitigate them. The FTC also promised to review its own educational materials and create some guidelines for businesses to use when leasing, purchasing and securing digital copiers.
In November 2010, the FTC’s Bureau of Consumer Protection released those guidelines as Copier Data Security: A Guide for Businesses.
The guidelines provide a comprehensive analysis of the problem as well as several best practices to use during the entire life cycle of your copier. Some of these include:
- Include your IT staff in the purchase decision. Make sure the copier has built-in security options that meet the requirements of your business. This can be anything from the ability to encrypt data on the drive, to the ability to wipe the drive completely.
- At a minimum, wipe the data on the drive on a regular basis. Wiping and deleting data are not the same thing. Deleting the data doesn’t actually remove it from the drive. Wiping the data goes further and involves actually overwriting the file with random bits of data to ensure it can’t be read or recreated.
- Make sure that the manufacturer, dealer, or servicing company allows you to wipe the hard drive before returning the machine, or better yet, allows you to keep the hard drive at the end of the lease.
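
The difference between deleting and wiping described in the list above, as an added Python example that is not part of the original article. It models a copier drive as a constructed `ToyDrive` (a flat array of sectors plus a file index, both hypothetical) and checks what a raw read of the sectors still finds after each operation.

```python
import os

SECTOR = 512

class ToyDrive:
    """Constructed stand-in for a copier hard drive: raw sectors plus a file index."""

    def __init__(self, sectors=64):
        self.raw = bytearray(sectors * SECTOR)
        self.index = {}      # file name -> (offset, length)
        self.next_free = 0

    def store(self, name, data):
        offset = self.next_free
        if offset + len(data) > len(self.raw):
            raise ValueError("drive full")
        self.raw[offset:offset + len(data)] = data
        self.index[name] = (offset, len(data))
        # Allocate whole sectors, as a file system would.
        self.next_free = offset + -(-len(data) // SECTOR) * SECTOR

    def delete(self, name):
        """Delete: drop the index entry only; the sectors keep their contents."""
        del self.index[name]

    def wipe(self, name):
        """Wipe: overwrite every allocated sector with random bytes, then drop the entry."""
        offset, length = self.index.pop(name)
        span = -(-length // SECTOR) * SECTOR
        self.raw[offset:offset + span] = os.urandom(span)

def residual_hits(drive, markers):
    """Audit check: which known markers are still readable in the raw sectors?"""
    return [m for m in markers if m in drive.raw]

def demo():
    scan = b"%PDF-1.4 constructed scan: patient record 0001"  # constructed sample
    markers = [b"%PDF-1.4", b"patient record"]
    deleted, wiped = ToyDrive(), ToyDrive()
    for drive in (deleted, wiped):
        drive.store("job-0001.pdf", scan)
    deleted.delete("job-0001.pdf")
    wiped.wipe("job-0001.pdf")
    return residual_hits(deleted, markers), residual_hits(wiped, markers)

if __name__ == "__main__":
    after_delete, after_wipe = demo()
    print("readable after delete:", after_delete)
    print("readable after wipe:  ", after_wipe)
```
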
When it comes to data security, most businesses are aware of the rules that govern their internal security practices. Regulations like HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley have been in place for several years. This recent discovery has just served to remind us that not all data is stored in paper files in our file rooms, or electronic files on our computers. There can be other unexpected and hidden places that we have to protect with the same level of diligence and planning.