Collecting personally identifying information from clients, such as names, social security numbers and credit card numbers, is common practice. This means that protecting against a data security breach is (or should be) a priority for virtually every organization. Unfortunately, when it comes to implementing data security measures, many organizations overlook a significant and somewhat obvious threat: the copy machine.
Commercial copiers have come a long way, and though they may not look it, they are powerful computers. Today’s networked multifunction copiers are “smart” machines capable of copying, printing, scanning, faxing and emailing documents. To manage incoming jobs and heavy workloads, these copiers require hard disk drives capable of storing a lot of information. And, since they are often leased, returned and then leased or sold again, the Federal Trade Commission (FTC) recommends including copy machines in an organization’s data security plans.
Understanding security options is the first step to controlling the risks posed by copy machines. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. These features typically involve encryption and overwriting.
Encryption is the scrambling of data using a secret code that can be read only by particular software. Copiers offering encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine. Since encryption is typically an automatic feature with many copiers, specific steps or processes are generally not necessary.
Overwriting changes the values of the bits on the hard drive that make up a file by replacing existing data with random characters. By overwriting the drive space occupied by a file, its traces are removed, and the file can’t be reconstructed as easily. This is different from deleting or reformatting, which doesn’t actually alter or remove the data.
Depending on the copier, the overwriting feature may allow a user to overwrite after every job, periodically or on a preset schedule. Users may also be able to set the number of times data is overwritten; generally, the more times data is overwritten, the safer it is from being retrieved. The FTC recommends overwriting the entire hard drive at least once a month.
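The difference between deleting and overwriting can be seen in a small model. The following is an added example, not code from this article or from any copier vendor: `ToyDisk`, its methods, and the sample scan data are hypothetical names and constructed values used only to illustrate the point.

```python
import os

BLOCK = 32  # bytes per block in this toy model (constructed value)
SCAN = b"Name: Jane Doe  SSN: 000-00-0000"  # constructed sample job data


class ToyDisk:
    """Hypothetical model of a copier hard drive: raw bytes plus a file index."""

    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)  # what is physically on the drive
        self.table = {}                       # file name -> (offset, length)
        self.next_free = 0

    def store(self, name, data):
        """Save a job to the next free region and record it in the index."""
        off = self.next_free
        if off + len(data) > len(self.raw):
            raise ValueError("disk full")
        self.raw[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        # Round the next free offset up to a block boundary.
        self.next_free = off + -(-len(data) // BLOCK) * BLOCK

    def delete(self, name):
        """Ordinary delete: drop the index entry, leave the bytes in place."""
        del self.table[name]

    def overwrite(self, name, passes=1):
        """Replace the file's bytes with random data, then drop the entry."""
        off, length = self.table.pop(name)
        for _ in range(passes):
            self.raw[off:off + length] = os.urandom(length)

    def recoverable(self, needle):
        """What a reader of the removed drive sees: a search of the raw bytes."""
        return needle in self.raw


def demo():
    """Return (found after delete, found after overwrite) for the same job."""
    deleted, wiped = ToyDisk(), ToyDisk()
    for d in (deleted, wiped):
        d.store("job1.scan", SCAN)
    deleted.delete("job1.scan")             # file is gone from the index only
    wiped.overwrite("job1.scan", passes=3)  # bytes themselves are replaced
    return deleted.recoverable(SCAN), wiped.recoverable(SCAN)
```

In this model the deleted job no longer appears in the file index, yet a raw search of the drive still finds it, while the overwritten job is not found.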
Finally, security measures must be taken before returning, selling or discarding a copy machine. Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. Some may offer to remove the hard drive so that it can be disposed of, stored or destroyed pursuant to an organization’s own security policies and procedures. Others may undertake the task of overwriting the hard drive. These services may involve an additional fee, so check the lease or purchase agreement before deciding how to proceed.
Copiers are often the center of an organization’s operations. They have “seen” and saved countless documents with sensitive, confidential or personally identifying information. This is why protecting the copy machine should be a part of every organization’s data security plans.
Organizations should also consider protecting against data security breaches with insurance. Various insurance products are available to protect against privacy injuries, such as identity theft, resulting from security breaches and to cover the cost of complying with various data breach notice laws. Given the complexity of the risk, an experienced insurance agent should be consulted to ensure that proper coverage is obtained and that no gaps remain.
If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches.
If you would like to learn more about insuring against data security breaches, contact us.