Ari M. Bai
Randy L. Canis
Corey Casey
Elton F. Dean III
Brian B. Diekhoff
Kathryn J. Doty
Gregory P. Durbin
Robert O. Enyard Jr.
Jeffrey E. Fine
Judith S. Heeter
Christopher L.E. Hines
Todd S. Hofmeister, Ph.D
Paul A. Jenny
Timothy J. Keefer
J. Morgan Kirley
Gregory M. Kratofil Jr.
Philip N. Krause
Glenn H. Lenzen
David J. McCrosky
Lisa L. Mueller
Andrea M. Porterfield
Rebecca Riley-Vargas, Ph.D
Kelley A. Schnieders
Teddy C. Scott, Ph.D
Matthew J. Smith
Timothy D. Steffens
James M. Stipek
Richard P. Stitt
Lawrence A. Swain
Micah D. Trotti
Tracey S. Truitt
Patrick C. Woolley
June 2010
A Polsinelli Shughart Update:
Is Your Copier a Data Breach Waiting to Happen?
Prompted by a recent CBS News report on inadvertent disclosures of personal information stored on copy machine hard drives, the U.S. Federal Trade Commission (FTC) has begun contacting copier manufacturers and resellers to determine whether they are warning customers of potential data security vulnerabilities and providing options for secure copying. While the FTC may be investigating copier manufacturers and resellers, companies that own, lease or use copiers or similar multifunction printers need to be aware of the relevant data security issues in order to take proper steps to avoid an inadvertent security breach.
Almost every copier manufactured since 2002 contains a hard drive that stores documents copied, scanned and emailed by the machines. Sensitive personal information about a company’s customers and employees may be stored on those hard drives in the event documents containing that information were copied, scanned or emailed using the copier. As the CBS News investigation illustrated, many copier users are unaware that this personal information is being stored and many organizations fail to take the proper steps to ensure that this personal information is secured and destroyed (whether immediately after copying or upon disposal of the copier itself).
Many state and federal laws regulate the security measures used to maintain and dispose of personal information about individuals. Additionally, laws in almost every state (and federal laws governing certain industries) require a company that has experienced a data breach resulting in the unauthorized disclosure or acquisition of unencrypted personal information to notify the affected individuals. Therefore, failing to properly secure and destroy personal information that may be collected by a copier could subject a company to onerous notification requirements, substantial liability and a public relations nightmare.
Just ask Affinity Health Plan. CBS News found personal information maintained by Affinity on a copier hard drive that it acquired during its investigation. Shortly after the report aired, Affinity notified over 400,000 customers and employees of the potential disclosure of their personal information (which included medical records).
Companies should review their present security policies and practices to determine the appropriate next steps, which may include the following:
- Working with the manufacturer or reseller of the company’s copier to ensure document images are erased immediately or after a specified period of time
- Developing an information security policy, or amending an existing policy, to address copier data security issues, including:
- Potential retention of documents and security of any networked copiers or similar devices
- Restrictions on the copying of documents containing personal information
- Prohibiting employees from using public copiers (e.g., those not controlled by the company) to copy documents containing personal information in the limited circumstances where such documents may be copied
- Ensuring any data retained on copier hard drives is destroyed in the appropriate manner based upon applicable legal/industry standards upon disposal of the copier at the end of its life
- Placing warnings on copiers and adequately training employees to ensure that they are aware of the potential risks
For More Information
If you have any questions about these or other data privacy and security issues or if you would like assistance creating or reviewing your policies to ensure they address these issues, please contact:
About Polsinelli Shughart PC
With more than 500 attorneys, Polsinelli Shughart PC is a national law firm that is a recognized leader in the areas of business litigation, financial services, bankruptcy, real estate, business law, labor and employment, construction, life sciences and health care. Serving corporate, institutional and individual clients regionally, nationally and worldwide, Polsinelli Shughart is known for successfully applying forward-thinking strategies for both straightforward and complex legal matters. The firm can be found online at www.polsinelli.com.