Header graphic for print
Privacy Compliance & Data Security Information on Data Breach Prevention and the Appropriate Response

FTC Concerned About Retention of Scans on Copy Machines

Posted in Regulatory Enforcement and Litigation

Everyday we all read about the latest threat to our privacy.  Facebook tricks you into sharing your private, life details and Facebook staff is fed up.  The computer in your car can be hacked to disable your brakes.  Google collected wi-fi hotspot data for some (alleged) nefarious purpose.

It is not often that we come across something that just does not seem possible.  Yesterday was one of those days, when the FTC announced that it is working with copy machine manufacturers to either end or severely restrict the existing practice of storing digital images captured on photocopiers.  The FTC’s response (PDF link) was in reaction to a letter (PDF link) from Representative Ed Markey (D-MA) after seeing a CBS report last month on the issue.

Photocopies made on modern photocopies are stored on an internal hard drive in the copy machine.  CBS’ report last month that "[n]early every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine."  In other words, everything you have photocopies is stored on a hard drive hidden deep inside the photocopier.

WHAT!?!  Why?  Who thought this was a good idea?  And all, or almost all, copier manufacturers put this function in their copiers?  When did I photocopy those "youthful" pictures from college for my buddy’s bachelor party?  We received new photocopiers last year, so that copier is gone (thank goodness).  But wait, where is it?  Read on to see some of the nightmare scenarios this raises.

The used photocopier in the CBS story was from the Buffalo, New York Police Sex Crimes Division.  Putting aside that a page was still on the glass of the scanner bought from a used wholesaler, there were also tens of thousands of images detailing confidential police reports, victim statements and investigations.  All of these images were pulled from the hard drive using forensic software available on the Internet.  You have to read this article to believe it.

But what about your business?  You probably don’t own your photocopiers, and instead opt to lease or finance copiers that you turn back over after a set number of years.  Do you photocopy medical information, social security numbers or banking/tax information of your employees?  What about your clients?  If you are in the medical field, clearly a problem.  What about CPAs?  Insurance companies?  Almost any business is affected.

If they do not already, I bet litigators reading about this are going to start adding photocopier hard drives to their Requests for Production of Documents.  Talk about smoking guns!

Used copiers go somewhere, and they are generally cheap.  A thief that trades in personal information would certainly be interested in looking into purchasing used copy machines on the chance (likelihood) that personal information is in there (kind of a game of Identity Theft Bingo). 

It is easy to have an alarmist reaction to this news.  Depending on your field, you may want to consider some of the software solutions for this problem (CBS cites Digital Copier Security as a solution vendor).  But everyone is affected, so you are not alone.  Ultimately, your response depends on how much your organization takes the protection of your clients’ and employees’ confidential information.