Photocopiers: A Threat to Security and Privacy?
A May 2010 CBS news story about a new generation of photocopy machines called “multi-function devices” (MFDs) has garnered attention from a number of sources and prompted the Federal Trade Commission (FTC) to start asking questions. The report pointed out that MFDs contain hard drives capable of storing images of documents they have faxed, scanned, or copied. These images often remain on the hard drives when the MFDs are sold or returned to leasing companies after their leases expire.
The CBS news report highlighted a number of documents reporters had been able to retrieve from the hard drives that contained sensitive information such as Social Security numbers, pay stubs, individual medical records, and test results. These examples highlight opportunities for identity theft and unauthorized leaking of sensitive personal information.
There are steps that can be taken, however, to mitigate or even remove the risks these MFDs pose to organizations. It is important for companies to get all the facts about any devices that have the potential to store images or data. Protecting themselves from these risks does not necessarily mean making large financial investments; they can start with a few simple steps. They should:
- Ask questions about data storage and deletion capabilities when selecting new equipment for purchase or lease.
- Take inventory of current equipment and determine whether it is capable of storing images. Some manufacturers build protection into the devices to prevent the capture of data from the hard drives. Determine whether the current equipment has this capability.
- Review the security settings on current equipment and upgrade them if necessary.
- Establish procedures to properly protect used computers and MFDs when they are replaced or taken out of service. Ensure data is wiped from the hard drives before the equipment is transferred or sold. Destruction of data means overwriting the storage space several times, not just simply deleting files.
The impact of even inadvertent leaks of information outside the company is real. Personal privacy, such as that protected under the U.S. Health Insurance Portability and Accountability Act, may be compromised, the organization’s intellectual property may be lost, or litigation requests may require retrieving images from MFD hard drives. The ramifications of any of these events are likely to be much more damaging and expensive than taking preventive actions.
On May 17, the FTC was reported to be concerned enough that it is considering how best to protect the general public and to make people aware of the potential risks posed by MFDs.
ARMA International IMN, May