The Federal Trade Commission (FTC) recently released a new publication in the wake of numerous news accounts highlighting the potential data security issues posed by modern digital copiers. (See, e.g., Digital Copy Machines Pose Security Concerns, Alburquerque News, July 28, 2010, available here; Digital Photocopiers Loaded with Secrets, CBS Evening News, April 15, 2010, available here).
In the wake of such reports, various states have considered or passed legislation designed to alert digital copier users of the security risk, as well as, requiring manufacturers and resellers to provide documentation on how to delete stored data on the device’s internal hard drive before a device is decommissioned. (See our earlier coverage of New York’s Electronic Equipment Recycling and Reuse Act).
Now the FTC has stepped into the mix with the release of its publication, Copier Data Security: A Guide for Businesses, available here. At eight pages the Guide is neither exhaustive, nor highly technical, but it does provide a basic introductory background on basic digital copier operation, lifecycles, encryption, overwriting, simple security tactics and a pointer to the FTC’s more comprehensive publication Protecting Personal Information: A Guide for Business at ftc.gov/infosecurity.
As the FTC’s noted in its announcement accompanying release, highlighted recommendations by the Guide include:
- Before acquiring a copier, plan to have the information technology staff manage and maintain it just as they would a computer or a server.
- When buying or leasing a copier, evaluate your options for securing the data on its hard drive – including the encryption or overwriting features that will be used. Overwriting – also known as file wiping or shredding – replaces the existing data with random characters, so that the file cannot be easily reconstructed.
- Take advantage of all of the copier’s security features. Securely overwrite the entire hard drive at least once a month.
- When returning or disposing of a copier, find out whether it is possible to have the hard drive removed and destroyed, or to overwrite the data on the hard drive. Generally, it is advisable for a skilled technician to remove the hard drive to avoid the risk of rendering the machine inoperable
Seemingly innocuous and common digital copiers once again flag just how many locations potentially sensitive data can be found in a typical business that result in a data breach or inadvertent release or disclosure of protected or confidential information.