some surprising information that has largely remained under the radar. Most
copiers and larger multifunction printers (MFPs) made after 2002 have hard
drives that store images of all documents that are scanned, copied, faxed,
emailed and printed on them. These devices pose a data security risk for
organizations that buy or lease them, especially at their end of life. It’s pretty common for all of us to copy
the important documents: financial statements, contracts, employment records — anything
worth keeping in hard copy. What is an organization to do? We’ve got some
suggestions for you.
this is not news. There was a momentary public flurry about this issue when CBS
Evening News’ Armen Keteyian did an exposé on it in 2010 called "Digital
Photocopiers Loaded with Secrets" and then it quietly went away again. It’s not a
particularly hot topic at the electronics recycling conferences I go to,
although recyclers do handle copiers. The nonprofit techies I spoke to about it
didn’t know anything about it. One good thing is that this issue does not apply
to small desktop printers like HP Officejet and Deskjet printers. Big
multifunction network printers and copiers are the machines that have hard
multifunction printers and copiers have PC-style hard drives that store
documents that are scanned, copied, faxed, emailed and printed on them. They
also store data in DRAM memory,
the same type of memory that conventional computers use. When copying documents
with things like social security numbers, credit card numbers, confidential
employment information, health information, etc., these devices store digital
and MFPs are most often used on an office network these days. Their network
capabilities, particularly their on-board servers, make them somewhat vulnerable
on the Internet to hacking and data theft. In looking into this, I
couldn’t tell how big a risk this is. TechRepublic’s
piece about the topic says that most copiers and MFPs use proprietary operating systems, which makes them fairly immune to
exploitation over the Internet.
The main concern seems to be what
happens to these devices at end of life – when you get rid of them. Many copiers find their
way into the second-hand markets with data on hard drives perfectly intact.
The CBS News piece graphically demonstrates how that works.
As a first step it looks like it’s most useful to find out how your
particular copier or MFP stores data and either encrypts it, or clears it, or
just keeps it. It’s probably quickest to call your vendor or leasing company to
find this out. For DIY folks, Xerox copiers, for instance, can print out a page
that lists the device’s configuration information. That at least would tell you
if your machine has a hard drive.
you’re contemplating getting a new or used copier or MFP, try to buy or lease
machines that encrypt data and, if possible, also do hard drive data overwriting
either continuously, on demand, or on a scheduled
basis. Several HP
LaserJet models do encryption and secure hard drive erasing as a standard
feature. Most of the big copier and MFP companies like Ricoh,
sell data security kits that add automatic
encryption and erasure features. Factory data security kits enable
encryption and/or erasure while the machine is in use in your office. They’re pretty pricey at around $500.
When you’re ready to finally get
rid of a copier or MFP, once again contact your vendor or leasing company to
find out how they recommend final data destruction on the hard drive and memory
and of course the cost.
If you own the machine, you could conceivably do
surgery and take the hard drive out. Once out, a few hefty whacks with a big
hammer will make the hard drive inoperable and the data unrecoverable. If you
lease the machine, removing the hard drive will likely violate your lease
agreement and be a big additional expense.
If you own the copier or MFP,
probably the most convenient and least expensive data sanitization option is to
locate a local electronics recycler to pick up the machine and destroy the hard
drive. I called Abe McKay at a recycling company close by, Green
Citizen, and the cost for hard drive destruction is $20. They do free
pick-up as well for 10 or more IT items (computers, monitors, TVs, printers).
There is at least one company
that specializes in copier data destruction, INFOSweep.
They sell a Mobile Hard
Drive Wiping Station for $1,300. That makes sense if you have many
copiers to manage.
One last and disappointing tip I
found in multiple articles on this is to not
copy or print documents with sensitive information in them at your local copy
store or even a big national copy service like FedEx Office. I
read through their “Security
Compliance Requirements” but couldn’t make a bit of sense of it.
Image: Courtesy of Shutterstock
This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.