Digital Copiers Don't Forget

By L. Elise Dieterich
April 27, 2012

Editor's Note: As marketers increasingly turn to technology to do their jobs (see the article by Larry Bodine on page 1), they may be unaware of what danger lurks in the most benign of office aids.

When it comes to data security, one area that many companies have missed is the sensitive data that likely resides in the hard drive memories of printers, copiers, and fax machines. Often, companies that routinely wipe the hard drives of their computers before recycling neglect to do the same for other types of peripheral machines, and may not realize that some networked digital copiers can be remotely accessed.

As the FTC explains:

Commercial copiers have come a long way. Today's generation of networked multifunction devices – known as “digital copiers” – are “smart” machines that are used to copy, print, scan, fax and e-mail documents. Digital copiers require hard disk drives to manage incoming jobs and workloads, and to increase the speed of production. … The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes or e-mails. If you don't take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed.

Addressing the Risk

With legislative attention now focused on the problem, companies can ill afford to ignore the data breach risk posed by copiers and other digital machines. In addition, it serves as a reminder to companies to be aware of the risks associated with other devices that can easily carry copies of sensitive information, such as flash drives, external hard drives and mobile devices.

Addressing the risk associated with sensitive information potentially stored on copiers and other digital machines starts with the same “data hygiene” measures recommended for paper documents and those stored on computers. First among these is knowing what kind of data is being handled that could be exposed. Types of data vulnerable to copier-related loss or theft include:

  • personal information pertaining to employees, customers or patients, including (but certainly not limited to) Social Security and other account numbers, dates of birth, financial and medical records, and contact information;
  • competitively sensitive information;
  • companies' intellectual property; and
  • privileged legal documents.

Even where such information is closely guarded from leaving the office in other forms, it may routinely be copied for internal file-keeping or distribution. Be aware that, when the digital machine that scanned the information leaves the office, the scanned documents may well be leaving the office too.

The second important “data hygiene” measure is to understand the legal obligations associated with the vulnerable data. While loss of certain data may be embarrassing to the company or jeopardize valuable intellectual property, the loss of employees' or customers' personal information can expose a company to specific legal liability, as well as breach reporting obligations. Legal counsel with privacy expertise can assess the types of data the company is handling, help spot the risks, and identify the state and federal laws that may apply.

Third, every organization should know its partners. Frequently, digital copiers and similar office equipment are leased from third-party equipment suppliers. Leasing companies that are ELFA members should be aware of the vulnerabilities discussed in this article. Nonetheless, it is the company that owns the information that is obliged to conduct due diligence on the vendors and machines it uses. For example, HIPAA covered entities that contract with business associates to handle medical information are responsible for ensuring that their agreements with those business associates mandate compliance with the HIPAA privacy and data security rules.

Moreover, vendors can be valuable partners in securing vulnerable information. Most digital machines offer encryption or overwriting features, and many vendors will work with companies to remove or overwrite hard drives at the end of the lease term. The FTC recommends that digital copiers be included in an organization's information security policies, and managed and maintained on a routine basis by the organization's in-house IT staff, who should be sensitized to data security concerns.

Last, it is important for every organization to have a data security plan in place that addresses not only the steps necessary to identify sensitive data and keep it secure, but also the steps that will be taken if the worst occurs, and data is exposed. What proactive data protection and reactive breach notification laws apply to the kinds of data handled by the company? Who in the organization is responsible for protecting data and for detecting and responding to a breach? Is there a budget for breach response (remember that the average cost of breach response is more than $200 per compromised record)? Does the organization have appropriate insurance and indemnities in place?

Conclusion

Together, the measures discussed above can help organizations to manage the risks associated with operating in the digital environment. This is important because, in 2012, ignorance of what your copier remembers is no longer a defense.


L. Elise Dieterich is co-Chair of the Telecommunications and Privacy Practice Groups in the Washington, DC, office of Kutak Rock LLP.

