Does your organization use a photocopier?  If so, what types of documents do you copy, fax, and email with it?  Do those documents contain proprietary information or personal information of your consumers/employees?  If so, then you should review a guide issued by the Federal Trade Commission, called “Copier Data Security:  A Guide for Businesses.”  The guide reminds us all that hard drives in modern digital copiers store data about the documents the copiers copy, print, scan, fax, or email, and steps must be taken to secure that data.

In a typical large organization, copy machines are often leased, returned, and then leased again or sold.  As a result, there is a good chance that information stored on those copy machines’ hard drives could be accessed by an unauthorized third-party.  The FTC’s guide recommends that organizations build in data security for each stage of the copier’s life-cycle:  planning the acquisition of a device, buying/leasing the device, using the device, and returning or disposing of the device.

Before acquiring a copier, organizations should ensure that their information security policies govern copiers.  Employees who have responsibility for securing computers/servers for your organization should be responsible for securing data stored on the copiers.

When buying/leasing a copier, an organization should consider options to secure data on the device.  For example, some copiers can encrypt (scramble) the data stored on copier hard drives so it cannot be retrieved even if the hard drive is removed.  Other copiers can overwrite existing data on the hard drive with random characters.  Also, check that your lease or purchase contract states that your organization will retain ownership of all hard drives at the end-of-life, or that the company providing the copier will overwrite the hard drive.

When using the copier, the FTC guidance recommends overwriting the entire hard drive at least once per month.  Place a sticker on the machine that reminds the organization that at the time of disposal the hard drive must be physically destroyed.  Additionally, make sure that if the copier must be connected to a network, it is integrated securely.

When your organization has finished using the copier, the FTC recommends checking with the manufacturer, dealer, or servicing company for options on securing the hard drive.  Some companies will remove the hard drive and return it to you or will overwrite it for you.

What’s the takeaway?  The hard drives in many modern copy machines can store personal and proprietary information contained in the documents they copy, fax, and email.  Organizations should take steps when purchasing, maintaining, and disposing of their copiers to ensure that the data stored on the copiers is secure.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.