Plenty has been written about protecting companies’ IT networks and safeguarding endpoints, but what about digital copiers?
According to the Federal Trade Commission (FTC), the nation’s consumer-protection agency, your information security plans also should cover the digital copiers your company uses. If the data on your copiers get into the wrong hands, it could lead to fraud and identity theft.
“The hard drives in digital copiers are capable of storing personal and proprietary information contained in the documents they copy, fax and e-mail,” said Al Saikali, a certified information-privacy professional and partner in the Miami office of Shook, Hardy & Bacon LLP. “Organizations should take steps when purchasing, maintaining and disposing of their copiers to ensure that the data stored on the copiers is secure,” he told SHRM Online.
Depending on the information your business stores, transmits or receives, you also may have more specific compliance obligations. For example, if you receive consumer information, like credit reports or employee background screens, you may have to follow the FTC’s disposal rule, which requires a company to properly dispose of any such information stored on its digital copier, just as it would properly dispose of paper information or data stored on computers. Similarly, financial institutions may be required to follow the Gramm-Leach-Bliley Safeguards Rule, which requires a security plan to protect the confidentiality and integrity of personal consumer information, including information stored on digital copiers.
In a typical large organization, copy machines are often leased, returned and then leased again or sold, Saikali said. As a result, there is a good chance that an unauthorized third party could access the information stored on the machines’ hard drives.
Whether a particular copier saves every digitized document depends on the brand and how it is configured. The important takeaway is that managers communicate with their copier provider and understand how to protect their data.
Secure Your Copier from Beginning to End
The FTC recommends that businesses build in data security for each stage of the copier’s life cycle: when planning the acquisition of a device, buying/leasing the device, using the device, and returning or disposing of the device.
These guidelines include:
- Before you acquire a copier, make sure it’s included in your organization’s information security policies. Copiers should be managed and maintained by your IT staff. Employees who are responsible for securing your computers and servers also should secure the data stored on your digital copiers, the FTC advised.
- Evaluate your choices for securing the data on the device. Most manufacturers offer data-security features with their copiers, either as standard equipment or as optional add-on kits. For example, some copiers can encrypt the data stored on copier hard drives so it cannot be retrieved even if the hard drive is removed, Saikali explained. Other copiers can overwrite existing data on the hard drive with random characters. “Also, check that your lease or purchase contract states that your organization will retain ownership of all hard drives at the end of life or that the company providing the copier will overwrite the hard drive,” he said.
- At a minimum, wipe the data on the drive on a regular basis, the FTC advises. Wiping and deleting data are not the same thing. Deleting the data doesn’t actually remove it from the drive. Wiping the data goes further by actually overwriting the file with random bits of data to ensure it can’t be read or re-created.
- When your organization has finished using the copier, the FTC recommends checking with the manufacturer, dealer or servicing company for options on securing the hard drive.
Make sure the business allows you to wipe the hard drive before returning the machine or, better yet, allows you to keep the hard drive at the end of the lease. Another layer of security that can be added involves locking the hard drive using a passcode. This means data are protected even if the machine’s hard drive is removed.
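The difference between deleting and wiping described in the guidelines above can be seen in a toy model. This is an added example, not part of the original article or the FTC guidance; `ToyDrive`, its methods and the sample documents are hypothetical and constructed for illustration, and a real copier drive is more complex.

```python
import os

BLOCK = 64  # bytes per block on this toy drive (constructed value)

class ToyDrive:
    """In-memory stand-in for a copier hard drive: raw blocks plus a job index."""
    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)
        self.index = {}      # job name -> (first block, block count)
        self.next_free = 0

    def store(self, name, data):
        count = -(-len(data) // BLOCK)  # round up to whole blocks
        if (self.next_free + count) * BLOCK > len(self.raw):
            raise ValueError("drive full")
        offset = self.next_free * BLOCK
        self.raw[offset:offset + len(data)] = data
        self.index[name] = (self.next_free, count)
        self.next_free += count

    def delete(self, name):
        del self.index[name]  # only the index entry goes; blocks keep their contents

    def wipe(self, name):
        first, count = self.index.pop(name)  # overwrite every block the job used
        self.raw[first * BLOCK:(first + count) * BLOCK] = os.urandom(count * BLOCK)

    def wipe_unallocated(self):
        # Periodic wipe: overwrite every block no live job references,
        # which also covers jobs that were merely deleted earlier.
        live = {b for first, count in self.index.values()
                for b in range(first, first + count)}
        for b in range(len(self.raw) // BLOCK):
            if b not in live:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)

    def raw_scan(self, needle):
        return needle in bytes(self.raw)  # view of someone reading the drive directly

def demo():
    drive = ToyDrive()
    drive.store("scan-001", b"SSN 000-00-0000 (constructed sample)")
    drive.store("scan-002", b"Payroll summary (constructed sample)")
    drive.store("scan-003", b"Offer letter (constructed sample)")
    drive.delete("scan-001")
    after_delete = drive.raw_scan(b"SSN 000-00-0000")    # still readable
    drive.wipe_unallocated()
    after_periodic = drive.raw_scan(b"SSN 000-00-0000")  # gone after periodic wipe
    drive.wipe("scan-002")
    return after_delete, after_periodic, drive.raw_scan(b"Payroll"), drive.raw_scan(b"Offer letter")
```

The deleted scan stays readable on the raw drive until the unallocated blocks are overwritten, which is why a wipe that runs on a schedule has to cover space the copier already considers free.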
Don’t Do It Yourself
The FTC cautions companies against removing a digital copier’s hard drive. Hard drives in digital copiers often include required firmware that enables the device to operate, the agency said. Removing and destroying the hard drive without being able to replace the firmware can render the machine inoperable, which may present problems if you lease the device. Also, hard drives aren’t always easy to find, and some copiers may have more than one. The FTC advises businesses to work with skilled technicians, rather than removing the hard drive themselves.
Roy Maurer is an online editor/manager at SHRM.