
Digital Copiers Don't Forget

By L. Elise Dieterich
April 29, 2012

Protecting sensitive data from loss or theft has become a high-priority risk management objective for companies of all sizes, with the imperative perhaps strongest for public companies that are subject to the SEC's new cybersecurity disclosure guidance and those vulnerable to significant reputational damage in the event of a data security breach. Indeed, it is estimated that more than 30 million records were breached last year (source: Privacy Rights Clearinghouse, www.privacyrights.org/data-breach/new) at a cost to organizations of more than $200 per record (source: Ponemon Institute Study, www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher).

Of course, risk mitigation requires a good understanding of where the vulnerabilities are, and one that many companies have missed is the sensitive data that likely resides in the hard drive memories of printers, copiers, and fax machines. Often, companies that routinely wipe the hard drives of their computers before recycling neglect to do the same for other types of peripheral machines, and may not realize that some networked digital copiers can be remotely accessed.

This issue gained prominent attention thanks to a CBS News investigative report (see www.cbsnews.com/video/watch/?id=6412572n). In that report, CBS revealed that one of the used copiers it obtained had in its hard drive copies of medical records belonging to Affinity Health Plan. As a result of the story, Affinity, pursuant to applicable state and federal privacy laws, was required to make breach notifications to government regulators and affected clients, patients and employees. Affinity notified some 400,000 individuals that their personal or medical data may have been compromised, and became the subject of an inquiry by HIPAA privacy authorities at the federal Department of Health and Human Services.

The Federal Deposit Insurance Corporation (FDIC) has issued guidance for financial institutions on “Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers” (www.fdic.gov/news/news/financial/2010/fil10056.pdf). And the Federal Trade Commission (FTC) has released more general guidance entitled “Copier Data Security: A Guide for Businesses” (http://business.ftc.gov/sites/default/files/pdf/bus43-copier-data-security.pdf) advising companies on how best to protect sensitive information throughout the lifecycle of a copier or similar machine. As the FTC explains:

Commercial copiers have come a long way. Today's generation of networked multifunction devices, known as “digital copiers,” are “smart” machines that are used to copy, print, scan, fax and e-mail documents. Digital copiers require hard disk drives to manage incoming jobs and workloads, and to increase the speed of production. ... The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes or e-mails. If you don't take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed.

Legislative Control

The CBS story also prompted bills to be introduced in numerous state legislatures in an effort to address this problem. ELFA, the Equipment Leasing and Finance Association, was tracking 14 bills on this issue in 2011, and predicts at least seven will be renewed for consideration this year. The majority of these bills seek to assign responsibility for erasing or destroying the information stored on leased digital copy machines. For example, legislation pre-filed for the New Jersey legislature's 2012 session would require businesses to “destroy, or arrange for the destruction of, all records stored on a digital copy machine, which is no longer to be retained by that business, by erasing or otherwise modifying those records to make the records unreadable, undecipherable, or nonreconstructable through generally available means.” Businesses that fail to comply would be subject to penalties of up to $20,000 and civil suits for compensatory and punitive damages, attorneys' fees and costs.

Addressing the Risk

With this level of attention focused on the problem, companies can ill afford to ignore the data breach risk posed by copiers and other digital machines. In addition, it serves as a reminder to companies to be aware of the risks associated with other devices that can easily carry copies of sensitive information, such as flash drives, external hard drives and mobile devices.

Addressing the risk associated with sensitive information potentially stored on copiers and other digital machines starts with the same “data hygiene” measures recommended for paper documents and those stored on computers. First among these is knowing what kind of data is being handled and could therefore be exposed. Types of data vulnerable to copier-related loss or theft include:

  • personal information pertaining to employees, customers or patients, including (but certainly not limited to) Social Security and other account numbers, dates of birth, financial and medical records, and contact information;
  • competitively sensitive information;
  • companies' intellectual property; and
  • privileged legal documents.

Even where such information is closely guarded from leaving the office in other forms, it may routinely be copied for internal file-keeping or distribution. Be aware that, when the digital machine that scanned the information leaves the office, the scanned documents may well be leaving the office too.

The second important “data hygiene” measure is to understand the legal obligations associated with the vulnerable data. While loss of certain data may be embarrassing to the company or jeopardize valuable intellectual property, the loss of employees' or customers' personal information can expose a company to specific legal liability, as well as breach reporting obligations. Legal counsel with privacy expertise can assess the types of data the company is handling, help spot the risks, and identify the state and federal laws that may apply.

Third, every organization should know its partners. Frequently, digital copiers and similar office equipment are leased from third-party equipment suppliers. Leasing companies that are ELFA members should be aware of the vulnerabilities discussed in this article. Nonetheless, it is the company that owns the information that is obliged to conduct due diligence on the vendors and machines it uses. For example, HIPAA covered entities that contract with business associates to handle medical information are responsible for ensuring that their agreements with those business associates mandate compliance with the HIPAA privacy and data security rules.

Moreover, vendors can be valuable partners in securing vulnerable information. Most digital machines offer encryption or overwriting features, and many vendors will work with companies to remove or overwrite hard drives at the end of the lease term. The FTC recommends that digital copiers be included in an organization's information security policies, and managed and maintained on a routine basis by the organization's in-house IT staff, who should be sensitized to data security concerns.

Last, it is important for every organization to have a data security plan in place that addresses not only the steps necessary to identify sensitive data and keep it secure, but also the steps that will be taken if the worst occurs, and data is exposed. What proactive data protection and reactive breach notification laws apply to the kinds of data handled by the company? Who in the organization is responsible for protecting data and for detecting and responding to a breach? Is there a budget for breach response (remember that the average cost of breach response is more than $200 per compromised record)? Does the organization have appropriate insurance and indemnities in place?

Conclusion

Together, the measures discussed above can help organizations to manage the risks associated with operating in the digital environment. This is important because, in 2012, ignorance of what your copier remembers is no longer a defense.


L. Elise Dieterich is co-Chair of the Telecommunications and Privacy Practice Groups in the Washington, DC, office of Kutak Rock LLP, and a member of this newsletter's Board of Editors. She may be reached at [email protected].
