IT In Crisis – Three Priorities for IT in 2010. Part 2

Updated: February 15, 2010

You'll never guess who's walking out your front door with confidential data. Yes, it's the guy who leases you your copy machine. When digital copy machines are replaced or come off lease, they are wheeled out your front door with a disk full of images that were printed, scanned, copied or faxed.

Digital copiers can't erase their hard drive, so at the end of their lease, gigabytes of images inside the copier are wheeled out your front door. Newer copy machines can only make the data unreadable to the copier itself, but your data is still on the disk! If you have a network-connected digital copier, additional information is retained on the copier, such as IP addresses, DNS server IP addresses, email addresses, etc.

A company called Digital Copier Security Inc (DCSI) is a pioneer in raising awareness of this security hole, which exists at most companies. DCSI claims they have obtained "off lease" copy machines, scanned the hard drives with proprietary utilities, and recovered thousands of pages of documents fully intact. Here are some examples of what they've recovered.

  • A complete home refinance application including applicant's full name, SSN, current employer, previous employers, bank account numbers, etc.
  • A spreadsheet showing employee names and company-issued credit card numbers.
  • Full tax returns
  • Confidential medical records
  • Confidential executive business reports
  • Over 20,000 documents were recovered from just one hard drive

You would never let a vendor walk out of your data center with a hard drive that is not scrubbed, yet it is done every day with digital copiers.

Don't even think about removing the hard drive before releasing the copy machine; doing so would make the copier unusable and void your lease agreement. You would become liable for the complete cost of the copy machine. Don't expect the copy machine technician to purge the device; they don't have the technical knowledge of where all your information is stored, or how to purge it. Most technicians believe the copier is purged when the scans are no longer visible on the display. Don't accept their ignorance. Also, don't think you can push the purging responsibility onto the leasing company, as I guarantee your lease agreement doesn't require them to provide this service.

This is one of corporate America's biggest risks, yet I haven't found any company with security policies addressing digital copiers. Most end-of-lease copiers are sold overseas, where recipients of these copiers (and your data) are not subject to US laws.

Do you know who has your old digital copy machine and all your data on its hard drive?

How many digital copy machines do you have that are ready to go off lease? How will you ensure your data doesn't go off site with the copy machine? How will you ensure your competitors or hackers won't get their hands on your data through your old copier? Are you at risk of lawsuits from employees or vendors that use your copy machines?

This is a security issue we cannot ignore, and it's an issue without an easy solution. The options available are limited and can be very expensive for companies with multiple copiers. DCSI provides a certified disk scrubbing service. Another option is to purchase a "Security Kit", which is expensive and very inconvenient. Most companies disable the kits over the course of time because they are so troublesome. For more information about the subject of Digital Copier Security, visit the website of DCSI at www.Copiersecurity.com. (I am not affiliated with this company.)

If you are still not convinced this is a major security issue, take a look at the following news video done by an investigative reporter: http://www.cbs13.com/video/?id=67643@kovr.dayport.com

If your company is regulated by SOX, GLB, HIPAA, FERPA or FTC Red Flags, a breach can be construed once your digital copier leaves your possession and control. Considering the costs of fines, penalties, sanctions, public notification, credit monitoring and damage to a corporate image, careful purging of these machines should be a top priority for every company.
