The Agency Insider with Linda McGlasson

FDIC's New Guidance: Defuse the Time Bomb New Guidance Tells Banks to Mitigate Risk to Stored Data
FDIC's New Guidance: Defuse the Time Bomb

I'm talking about the ubiquitous printer, copier, and fax machine that everyone uses. It's also a ticking time bomb. Last week, the Federal Deposit Insurance Corporation issued new guidance on stopping this risk.

I've written about this threat before, and our sister site, HealthcareInfoSecurity.com, covered this same topic earlier this year. It's not about the copies that are made or printed or sent by these machines, (although they can be considered a breach threat too if they fall into the wrong hands) but rather the stored data that poses a problem.

Examiners may ask to review such policies and procedures and verify that they have been effectively implemented. 

Consider: If you're at an institution that has done any upgrade to its copiers and printers within the last five years, then your current machines most likely are housing the hidden threat underneath the plastic cover -- a hard drive that copies and keeps records of every single copy made on the copier.

Yes, a hard drive can hold a copy of every single copy and the drive continues to write until it is full, and then the new data writes over the old copies. If that hard drive leaves the institution or is accessed, this is a violation of privacy under GLBA. Try explaining how that data made it into the hands of someone who wasn't supposed to see it. Or how after a copier was sent back to the seller for servicing or because its lease was up, a data breach was traced back to your institution -- specifically to that machine.

In the healthcare case referenced earlier, Affinity Health Plan of New York was forced to notify more than 409,000 customers, clinicians, employees, job applicants and others about a breach related to personal information stored on the hard drives of copiers it returned to a leasing company. The health plan also notified three state agencies plus federal authorities.

To prevent this scenario from unfolding, organizations should change the passwords from the default on copiers and the multi-function printers. A good action to take is to turn off all the things you don't want and check that the data and fax modems are separate. That way you won't run into the problem of having a modem linked in, looking at the records that only a select few are supposed to see in your institution.

Another consideration is adding the manufacturer's security kit that encrypts information on the copier. The kit also shreds each copied document by overwriting the image after it's printed. There are at least two copier manufacturers who offer this as an add-on to their machines.

Those organizations that don't already have written policy on the handling of copies, faxes, printed material or stored data may want to reconsider. Also, take this as a point to begin a review and write a policy for the secure disposal of these types of documents, after ensuring their copiers and printers and fax machines are locked down with strong passwords. (Now, if your institution is regulated by the FDIC, it is a must, because your examiner will ask about it.) The FDIC's guidance says, "Examiners may ask to review such policies and procedures and verify that they have been effectively implemented."

But aside from the FDIC guidance, doing risk mitigation and creating policy on the handling of data on your copiers, printers and fax machines hard drives will bring your policy in line with GLBA requirements. (Yes, GLBA covers this kind of stored data too.)

Whether your financial institution disclosed non-public information or not, you must have a policy in place to protect this data from foreseeable threats in security and data integrity. The cost if you don't? Well, it may be cheaper to save a few dollars now, but looking at the penalties for not doing the right thing by your customers (and your employees) is taken from the US Senate's GLBA enforcement amendments passed back in 2003: "The financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation," and "the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation."



About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.