Office copiers retain data on the files they process – securing that data is a must.

Digital copiers pose many of the same cybersecurity risks associated with computers, because they are computers too. Data thieves know that office copiers run on “smart” technology with hard drives that store information about printed, copied and scanned documents – a potential trove of sensitive data.

What steps should businesses take to protect the data across a copier’s lifecycle?

The Federal Trade Commission provides guidance online in Digital Copier Data Security: A Guide for Businesses. The guide follows the copier’s lifecycle, from integrating a copier into your company’s information security policies, through best practices for printing, to securing the hard drive after the device has run its course.

Manufacturers can also tell you about the security features of their copiers, which may include:

  • Encryption software that scrambles hard drive data, making it difficult to extract
  • Overwriting functionality that digitally changes data values so files can’t be reconstructed
  • Locking a hard drive via passcode

The FTC’s point is clear: businesses of all kinds are legally responsible for the information stored on digital copiers. In fact, institutions handling personal financial or health care information are required to have security plans for the information processed on digital copiers.

Cloud computing offers greater flexibility, speed, and convenience, but some businesses have been hesitant to take advantage of the technology for fear of becoming more vulnerable to cyberattacks.

But a recent study reveals a marked increase in moving sensitive data to the cloud as a result of increased confidence in security – and despite continuing struggles to monitor and manage the data once it’s there.

In a post on the Dark Reading blog, Kelly Sheridan reports that fewer than 25 percent of businesses had their applications, data, and infrastructure in the cloud two years ago, but that 44 percent are cloud-based today, and 65 percent are expected to be two years from now.

On December 31, 2014, the Federal Trade Commission announced that it approved a final order settling charges against Snapchat.

In its complaint, the FTC charged Snapchat with deceiving consumers over the amount of personal data that it collected and the security measures in place to protect the data from disclosure and misuse.

The settlement order prohibits Snapchat from misrepresenting the extent to which a message is deleted after being viewed by the recipient and the extent to which Snapchat is capable of detecting or notifying the sender when a recipient has captured a screenshot or otherwise saved the message.  Snapchat is also prohibited from misrepresenting the steps taken to protect against misuse or unauthorized disclosure of information.

Finally, the company will be required to implement a “comprehensive privacy program” and obtain assessments of that program every two years from an independent privacy professional for the next 20 years.

In its press release, the FTC noted that its settlement with Snapchat is “part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.”

Microsoft recently announced its new Trustworthy Computing: Data Governance web site at Tech•Ed.

According to Microsoft, it is promoting data governance because:

“Growing public concerns about abuses of consumers’ personal information threaten to curtail the growth of online commerce and services. Data Governance directly addresses these concerns.

Data Governance can reduce an organization’s IT costs and improve its control over its information, which increases data security and privacy and improves responses to changing compliance requirements.

Conversely, poor Data Governance raises the risks of data breaches, including identity theft and fraud, which can erode trust in an organization, trigger financial or legal penalties, or reduce confidence among employees, customers, and investors.”

Although the purpose of the Data Governance web site is to serve as a reference for software and application developers, it is also a good reference for anyone involved in maintaining the integrity, security, storage and sharing of data that contains personal information.

Among other things, the Data Governance web site is a resource for developing data policies, complying with regulatory and best practices requirements, and addressing length-of-storage issues.

Microsoft is promoting the development and implementation of data policies and action plans, which more and more state statutes require.

The materials are helpful, but they are directed more at what to do than at how to do it. Microsoft does, however, publish its own standard privacy guidelines, as well as an IT Compliance Management Guide. Although these materials are prepared for Microsoft and are not applicable to very many businesses, they are good resources for anyone wanting to get a flavor for these types of documents.

Starting April 6, 2009, European Union telecommunications companies and Internet service providers (ISPs) suddenly found themselves required to store even more data about their users.

Under the existing requirements of the 2006 Data Retention Directive, telecommunications providers must retain records of telephone calls made over their lines (when calls were made and the origination/destination details).

Now, under the Data Retention Regulations 2009, those European telecommunication providers, and for the first time some ISPs (other than ISPs that also provide voice over IP services, which have always been covered), must retain details of Internet traffic and electronic mail transmissions for a period of six (6) to twenty-four (24) months from origination. The United Kingdom has determined that the period of retention shall be twelve (12) months. Sweden has threatened to “ignore” these new requirements.

Although the new regulations do not require the retention of the actual data (i.e., the telephone conversations, Internet content or the electronic mail content), affected European telecommunication providers and ISPs must retain the details of the transmissions (e.g., origination and destination telephone numbers, length of telephone calls, IP address of the user, but not the destination IP addresses, and electronic mail addresses, time of transmission).