I'm talking about the ubiquitous printer, copier, and fax machine that everyone uses. It's also a ticking time bomb. Last week, the Federal Deposit Insurance Corporation issued new guidance on stopping this risk.
I've written about this threat before, and our sister site, HealthcareInfoSecurity.com, covered this same topic earlier this year. It's not about the copies that are made or printed or sent by these machines, (although they can be considered a breach threat too if they fall into the wrong hands) but rather the stored data that poses a problem.
Examiners may ask to review such policies and procedures and verify that they have been effectively implemented.
Consider: If you're at an institution that has done any upgrade to its copiers and printers within the last five years, then your current machines most likely are housing the hidden threat underneath the plastic cover -- a hard drive that copies and keeps records of every single copy made on the copier.
Yes, a hard drive can hold a copy of every single copy and the drive continues to write until it is full, and then the new data writes over the old copies. If that hard drive leaves the institution or is accessed, this is a violation of privacy under GLBA. Try explaining how that data made it into the hands of someone who wasn't supposed to see it. Or how after a copier was sent back to the seller for servicing or because its lease was up, a data breach was traced back to your institution -- specifically to that machine.
In the healthcare case referenced earlier, Affinity Health Plan of New York was forced to notify more than 409,000 customers, clinicians, employees, job applicants and others about a breach related to personal information stored on the hard drives of copiers it returned to a leasing company. The health plan also notified three state agencies plus federal authorities.
To prevent this scenario from unfolding, organizations should change the passwords from the default on copiers and the multi-function printers. A good action to take is to turn off all the things you don't want and check that the data and fax modems are separate. That way you won't run into the problem of having a modem linked in, looking at the records that only a select few are supposed to see in your institution.
Another consideration is adding the manufacturer's security kit that encrypts information on the copier. The kit also shreds each copied document by overwriting the image after it's printed. There are at least two copier manufacturers who offer this as an add-on to their machines.
Those organizations that don't already have written policy on the handling of copies, faxes, printed material or stored data may want to reconsider. Also, take this as a point to begin a review and write a policy for the secure disposal of these types of documents, after ensuring their copiers and printers and fax machines are locked down with strong passwords. (Now, if your institution is regulated by the FDIC, it is a must, because your examiner will ask about it.) The FDIC's guidance says, "Examiners may ask to review such policies and procedures and verify that they have been effectively implemented."
But aside from the FDIC guidance, doing risk mitigation and creating policy on the handling of data on your copiers, printers and fax machines hard drives will bring your policy in line with GLBA requirements. (Yes, GLBA covers this kind of stored data too.)
Whether your financial institution disclosed non-public information or not, you must have a policy in place to protect this data from foreseeable threats in security and data integrity. The cost if you don't? Well, it may be cheaper to save a few dollars now, but looking at the penalties for not doing the right thing by your customers (and your employees) is taken from the US Senate's GLBA enforcement amendments passed back in 2003: "The financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation," and "the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation."