Expert advice: Be wary of the office copier
Mon, Apr 15th 2013 12:00 am
By MEGAN BLARR
Your digital copy machine could be holding a big secret.
Every office has a photocopier that scans, duplicates and emails everything from company fliers and schedules to pay stubs and private records. But what you may not know is that the copier could be storing each one of those documents.
Just as computers have internal hard drives that store documents and information, digital photocopiers may contain hard drives, as well. Think of copy machines in the same light as smartphones, says Kevin Cross, a partner at Lippes Mathias Wexler Friedman LLP. And if you're involved in any litigation, he says, attorneys may look to your copier as a source of information.
"Copiers are basically smart machines much like your cell phone is a smartphone where they have memory capabilities (and) data storage capabilities," he said. "Copy machines now run emails through them and can scan (and) photocopy documents and I think a lot of that material is maintained on those hard drives. So that would be another place that a litigator would want to look for potentially discoverable material."
At the same time, since law firms handle confidential client information, they need to be wary of where those photocopier hard drives end up when an aging machine in moved out of the office.
"With respect to the machines, much like we do with our computers and our servers and our phones, we are concerned with where that type of data can go and what its future might be when the machines are turned in," Cross said.
Hodgson Russ LLP has a policy of destroying those hard drives before they leave the office.
"In the cases where we lease equipment, we have a provision in our lease agreement that allows us ... to take the hard drive and completely destroy it and obliterate it just as if the machine was ours," said Daniel Oliverio, the firm's chairman. "Our destruction policy is total and absolute destruction so nothing remains as a vestige once the machine leaves our office."
He and Cross are right to worry about the future of their photocopier hard drives.
In 2010, CBS News revealed that nearly every digital copier built since 2002 contained a hard drive that stored an image of every document copied, scanned or emailed by the machine. CBS investigators came across two used copiers belonging to the Buffalo Police Department, both of which contained thousands of documents and top-secret information.
At the time, Mayor Byron Brown and the Buffalo Police Department declined to comment on the police information discovered on the discarded copiers. Meanwhile, other businesses in Western New York became concerned about the risks involved with their own equipment.
Nathan MacVittie, senior recreation supervisor for the Town of Tonawanda Youth Parks and Recreation Department, still recalls the department's reaction to the story.
"I remember everyone was pretty scared about what was going on," he said. "We talked to tech support, who talked to Xerox and sent over an email to every department in the town: 'Here's what you need to do to make sure (image overwrite) is enabled on all your copiers.'"
According to MacVittie, each copier in the department contains several options for protecting information stored on the hard drive, including disk encryption and image overwrites.
Security options
Disk encryption protects information by converting data into unreadable codes that cannot be easily deciphered by unauthorized people, whereas image overwrite effectively removes all image data from the hard drive by re-magnetizing the magnetic domains on the drive.
Joseph Carson is a service technician at Ark Digital Imaging, a local dealership that resells Canon copiers. He said copy machines don't necessarily store information. Rather, the machine creates an image file of the document, which is saved and usually encrypted.
"Basically, when you make a copy, (the machine) is going to make an image file so that it can reproduce it," he said. "If you're scanning something to send it to an email, it has to create a PDF file and then transfer that PDF file through your email or to the file or folder that you're scanning to."
Of course, not all copiers have hard drives. Still, those that do require some level of protection. While many have disk encryption, not all have the security option of image overwrite to actually erase the image.
"With our newer machines we did arrange to have a security package put on there. What that basically allows us to do is to have the machine overwrite the data that is stored on the hard drives of the copiers," Cross said. "We have an older machine that does not have that capability (and) we have made arrangements with Ricoh to turn in and surrender the hard drive to use at the end of our contract."
Not all buyers are notified of a machine's security standards.
Carson said Ark Digital Imaging doesn't necessarily make customers aware of security options or whether the machine has a hard drive.
"We're a small dealership so a lot of our customers are not concerned about that," he said. "Normally if they are that concerned, they're just going to buy that hard drive off of us so it doesn't leave with the machine."
Responsibility and risk
So who is responsible for cleaning a copier's hard drive? The manufacturer that can notify buyers of security options? The company that purchased and used the machine? Or the reseller?
While Ark Digital Imaging uses software built into the machine to reformat the entire hard drive, Carson said it is ultimately up to the company that used the copier to erase the data.
"Basically, if you sell your copier, we're going to initialize the data on it, but if there's any information on that, that's up to the company that sold the copier (to get rid of it)," he said.
Cross agreed.
"(Any) type of business that deals with confidential information such as Social Security numbers or bank records or birth certificates would need to be mindful at the end of that lease when they're turning in their copy machine that there is some way that either the material is wiped through the overwriting feature or the hard drive is returned back to their company," he said. Oliverio of Hodgson Russ, meanwhile, suggested that clients and businesses have a document retention policy in which information is managed economically and quickly.
"Have a policy that governs when emails are destroyed, how certain important data is backed up, how even hard files are destroyed or kept or stored," he said. "I'd make sure that the confidential proprietary information was destroyed by my business before it went out the door. I wouldn't leave it to a vendor where I have no control, especially if you're in a business that has a lot of confidential information."
While Carson said most copiers are generally safe, he acknowledged the potential for identity theft from image files found on hard drives.
"The chance you're going to get any information off of someone's drive (is low), but it has happened," he said.
Who is most at risk?
"Bigger banks or government agencies, but those are things that people all protect anyway. ... They're all going to have the encryption," Carson said. "There's nothing on your average user's copy machine that anyone is going to go through the time to steal."
Megan Blarr is a freelance writer from Tonawanda.
Original Post