Did you know your multifunction device could put your entire organization at risk?
Most multifunction printing devices store thousands of images on their hard drives. When these machines are taken out of service or decommissioned, typically the hard drives are not wiped, cleaned, or destroyed even though the stored images can be retrieved, explains Rob Lingard, the Manager of Central Services at Deseret Mutual Benefit Administrators in Salt Lake City. Many of the images contain personal information useful to someone desirous of committing identity theft.
Who is responsible (and liable) for securing these images?
If an MFD is decommissioned and taken out of service, the company decommissioning the unit should be responsible for ensuring that any data stored on the HD is removed. However, many organizations, including in-plants, are not aware of the potential danger posed by the MFD hard drives. In some industries such as law enforcement, healthcare, insurance, and financial benefits, the organization having custody of the personal information is responsible for its protection and could face stiff penalties including fines for each violation.
How are some in-plants dealing with this threat? Rob Lingard with Deseret Mutual Benefit Administrators and Doug Maxwell with Brigham Young University are working to ensure that all in-plants are aware of this potential security threat. Lingard says that even his organization was unaware of the problem until recently. Since learning about the potential threat, he says his company has written and implemented policies to ensure their IT support group or the MFD vendor completely destroys any information contained on the hard drives. This includes overwriting up to 7 times per military standards and physically removing and destroying the HD.
What steps can in-plant managers take?
Lingard shares some immediate responses that can ease threats in the short-term.
· Most of the major vendors of MFD's have software that can be programmed to "erase" or "overwrite" the information at specified intervals as defined by the customer. Most of these programs can be added to existing equipment.
· Some vendors also offer enhanced security at the time of purchase or lease that performs the same function and adds about $500 to the cost of the machine. Some organizations require a certificate of security from the vendor when used MFD's are decommissioned. The certification provided by the vendor guarantees that the HD's have been wiped clean or removed. A written certificate is returned to the customer.
· Third party organizations can also be hired to come in and remove the HD on any MFD for a fee.
· Everyone should adopt a policy of either erasing or removing the HD from any MFD equipment before it is returned at the end of a lease or sold to a wholesaler.
Only Vendors Can Deliver a Permanent Solution and That Requires Your Help!
When choosing your next multi-function device, the adequate handling of sensitive information should be a top priority. Anyone purchasing or leasing equipment should be educated on the problem and demand that vendors respond with adequate solutions. HD security needs to become a major differentiating factor among vendors. If sales slide because a solution is not offered or guaranteed, vendors will take immediate notice and design a permanent solution which will ultimately benefit all in-plants and their organizations.
