Financial institutions need to take steps to mitigate the risks associated with sensitive data stored on photocopiers, fax machines and printers, the Federal Deposit Insurance Corporation said in guidance issued Wednesday.
Financial institutions often lease the devices, putting sensitive data at risk if it's not erased before the machine is returned to the leasing company, the agency said.
Banks and other financial services firms need to implement written policies and procedures to track devices that store digital images and make sure their hard drive or flash memory is erased, encrypted or destroyed before they're returned to the leasing company, sold or otherwise disposed of, the FDIC said.
If a bank decides to erase or encrypt the hard drive of a copier or printer, it needs to use a method that's "sufficiently robust to render the information on the disk unrecoverable," according to the guidance.
Financial institutions should be prepared for examiners to ask to review their policies and procedures for mitigating these digital copier, printer and fax security risks, the agency advised.
Jeffrey Kopchik, a senior policy analyst with the FDIC Division of Supervision and Consumer Protection, said the guidance was primarily prompted by information from examiners in the field, who "felt the vast majority of bankers that they dealt with, especially small banks, were completely unaware of the problem." There was also anecdotal evidence of a couple of possible instances of data exposure.
"We felt at that point, even though we didn't have a lot of evidence this was happening to any great degree, based on what examiners were telling us -- that bankers simply didn't know about the problem -- that it was wise for us to put a short, straightforward piece out that let them know about this risk and our expectations of what they should do," Kopchik said. "Hopefully that will mean it doesn't become a big problem."
As to how financial institutions should go about erasing or encrypting the hard drive of a copier, fax or printer, Kopchik said Wednesday's notice references previous guidance, including the 2005 Guidelines Requiring the Proper Disposal of Consumer Information. The banking regulatory agencies have never specifically endorsed a standard for information destruction or encryption because needs change, he said.
"You have to use something that is a standard that is well understood to do the job. You can't use a method that was developed 10 years ago and everyone knows it's been compromised," he said.
Since the guidance was released, Kopchik said he's received questions from bankers, such as whether the policies for mitigating the risks should be separate or part of an overall information security policy. Either would be acceptable, but he said he personally believes it makes more sense to include them in the overall infosecurity policy.
Dan Fisher, president and CEO of The Copper River Group, a Fargo, N.D.-based consulting firm to the financial industry, said the risks highlighted in the FDIC guidance are often overlooked because users don't understand how devices like copiers and fax machines convert and store the digitized document prior to reproduction or transmission.
"Even though the transmission is over or they are done with the copy, it does not mean that the data has been deleted," he said. "Some devices have significant memory."
When information is digitized, it "takes on a life of its own," Fisher said.
David Schneier, managing director at consulting firm Regulatory Information Security Compliance (R.I.S.C.) Associates, based in Asbury Park, N.J., said the risks associated with copiers and printers have long been a concern.
"I'm fond of referring to the copy/print room as the land of opportunity for data theft," he said. "Between keeping copies of images on the various devices, poor security awareness training and sloppy security measures, I'm surprised we don't hear about more breaches in this area."
Schneier related several incidents from his consulting work in the banking industry that illustrate digital copier, printer and fax security risks. For instance, one company bragged about its tight security but wasn't aware that a copier being hauled away for replacement had retained dozens of stored print jobs in memory that could be reprinted without detection.
While working onsite for another client, he went to send a fax and saw a credit card application for the company's CFO sitting in the output tray. The application, which included all sorts of personal data, sat there for hours until Schneier brought it to the CFO. And during a risk assessment for a different client, he found more than a half dozen rejected pages containing sensitive client information in a fax machine after an employee had repeatedly faxed the information to the wrong number.