A prison sentence could lurk in your copier
3 times when you’re exposed and how you can deal with each
Data loss and unauthorised access to information have a high media profile, and businesses must keep up with new and ever-changing rules and regulations.
The problem for many businesses is that potential breach points sit where they least expect them: their printers, multifunction printers (MFPs) and copiers.
These devices are far more capable than they used to be: they can e-mail documents directly from the device and act as document servers in their own right, so they hold far more information than they once did. Most are now networked, often wirelessly, which without proper protection is another potential breach point.
There is also a general misconception that data is stored only on the hard disk drive (HDD). The HDD is only one place; others include NVRAM, SD cards, the fax board, and even paper that has jammed in the device.
Acts and Codes that apply in South Africa
In South Africa the best known are the Protection of Personal Information Act (POPI), codes of good governance such as King III, and potentially those sections of the Consumer Protection Act that deal with consumers' personal details and with direct and indirect marketing. Others include:
• Electronic Communications and Transactions Act
• Promotion of Access to Information Act
• Regulation of Interception of Communication Act
• Public Finance Management Act
• National Credit Act
• Financial Intelligence Centre Act; and others.
Fines for data breaches can be high, and in some cases there can be prison sentences. The damage to a company's reputation and the loss of competitive advantage can cost even more.
Top affected industries include:
• Financial Services
• General Office
• Law Firms
• Medical practices and hospitals
Those are the top industries and sectors, but they are not the only ones: any business that handles people's personal information is potentially at risk.
In the last few years there have been many widely publicised incidents worldwide in which improper decommissioning, resale or servicing of copiers, printers or MFPs has resulted in information leaks. That prompted vendors such as Ricoh to act. Although we are not ultimately responsible for the data our customers leave on the devices, we work with customers to meet their business needs, and we protect our brand reputation.
What should you do?
There are three times when you need to ensure that the data your company processes on its printers, copiers and multifunction devices is secure:
• When they are in use on your premises
• When they are either sent away to be serviced or serviced on site
• When they are decommissioned
When in use
Every reputable vendor offers numerous ways to secure the data these document devices process. We, for example, have around 45 security solutions directly related to or integrated into our devices. They cover threats from low to high: from physical access to the device, such as restricting use with PIN codes or employee ID cards, through locked printing (jobs held until the owner releases them at the device) and RAM security, to web-based device monitoring.
One customer, the local embassy of a major western power, specified that its devices contain no HDD at all: RAM-only devices, so that whatever is in memory is lost the moment the device is powered off. That protects only what sits in volatile RAM; the non-volatile stores listed above (NVRAM, SD cards, the fax board) still need to be dealt with separately.
There are other methods too, such as using proprietary software to encrypt the print stream and scanned documents, so that a job intercepted on the network cannot be read.
When being serviced
Some of our customers specify that devices must be serviced on site, and that for any off-site servicing our technicians first remove the hard drives and leave them with the customer. Where customers have not specified removing or retaining the hard drives, we make them aware of the option. We also follow an audited, certified process for handling drives and memory modules in our workshop during servicing and maintenance, to satisfy regulatory controls and codes of good governance. Testing of equipment after service or maintenance is done over a direct connection, with no network connectivity enabled, to eliminate that potential threat.
When being decommissioned
We have a data-cleansing policy and processes for devices that are returned at the end of a lease period or are being decommissioned. It is now mandatory in our business that customers either accept the service or sign a disclaimer waiving it.
The process involves formatting the hard drives, removing them, disassembling them and physically destroying the platters. Formatting alone does not remove the data (it rewrites only the filesystem's metadata, and the document contents remain recoverable by anyone who reads the raw disk), which is why the physical destruction step is the one that actually sanitises the drive. We do the same to the memory modules in the devices: volatile RAM loses its contents at power-off, but any non-volatile memory (NVRAM, SD cards) is physically destroyed as well. These are, once again, audited, verified and certified processes that meet regulatory requirements and codified good practice. We take them extremely seriously because of the nature of the work and the potential harm should they not be followed.
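The following is an added example, not the article's or Ricoh's own process, that makes the point about formatting concrete on a toy in-memory disk image: a quick format clears the directory entry but leaves the document bytes in place, so a simple carving check still finds them, whereas a verified overwrite does not. The filesystem layout (a sector-0 header, a data area starting at sector 16), the sample document and the `CONFIDENTIAL` marker are all constructed for the example.

```python
# Added example, not the article's or Ricoh's own process: a toy disk image that shows
# why "formatting" an MFP hard drive leaves documents recoverable, and how to verify an
# overwrite before the drive is destroyed or handed back. All data is constructed.
import os
import struct

SECTOR = 512
DISK_SECTORS = 256          # 128 KiB toy disk; a real drive is only larger
DATA_START = 16             # first sector used for file bodies (constructed layout)
MAGIC = b"TOYFS1"           # constructed filesystem signature kept in sector 0

# Constructed sample spool/scan data of the kind an MFP keeps on its drive.
SAMPLE_DOC = b"CONFIDENTIAL scan job 0042: payroll summary Q3, do not distribute.\n" * 20
MARKER = b"CONFIDENTIAL"


def new_disk() -> bytearray:
    """A used drive: every sector already holds arbitrary old bytes."""
    return bytearray(os.urandom(SECTOR * DISK_SECTORS))


def write_document(disk: bytearray, doc: bytes) -> None:
    """Store doc at DATA_START and describe it in the sector-0 header, which plays
    the role of the filesystem's directory/superblock."""
    start = DATA_START * SECTOR
    disk[start:start + len(doc)] = doc
    header = MAGIC + struct.pack(">II", DATA_START, len(doc))
    disk[0:SECTOR] = header.ljust(SECTOR, b"\x00")


def directory_entry(disk: bytearray):
    """(start_sector, length) if the header still lists a file, else None."""
    hdr = bytes(disk[0:SECTOR])
    if not hdr.startswith(MAGIC):
        return None
    return struct.unpack(">II", hdr[len(MAGIC):len(MAGIC) + 8])


def quick_format(disk: bytearray) -> None:
    """A quick format rewrites metadata only; file bodies are left in place."""
    disk[0:SECTOR] = b"\x00" * SECTOR


def carve(disk: bytearray, marker: bytes) -> list:
    """File carving: byte offsets at which marker occurs, ignoring the filesystem."""
    raw, hits, pos = bytes(disk), [], 0
    while (pos := raw.find(marker, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits


def overwrite(disk: bytearray, passes: int = 2) -> None:
    """Overwrite every sector: random passes first, then a final all-zero pass so the
    result can be checked by reading the drive back."""
    for _ in range(max(passes - 1, 0)):
        disk[:] = os.urandom(len(disk))
    disk[:] = b"\x00" * len(disk)


def verify_sanitised(disk: bytearray) -> bool:
    """Read back every sector; only a drive showing nothing but the final pattern passes."""
    zero = b"\x00" * SECTOR
    return all(disk[i:i + SECTOR] == zero for i in range(0, len(disk), SECTOR))


def demo() -> dict:
    """Walk one drive through use, quick format, overwrite and verification."""
    disk = new_disk()
    write_document(disk, SAMPLE_DOC)
    result = {"listed_before": directory_entry(disk),
              "hits_before": len(carve(disk, MARKER))}
    quick_format(disk)
    result["listed_after_format"] = directory_entry(disk)      # directory says: no file
    result["hits_after_format"] = len(carve(disk, MARKER))     # carving says: still there
    overwrite(disk)
    result["hits_after_overwrite"] = len(carve(disk, MARKER))
    result["verified"] = verify_sanitised(disk)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On real hardware the same check means reading the raw block device back after the overwrite and carving it for strings you know were on it, rather than trusting the tool's exit status. Flash-based stores (SD cards, NVRAM) use wear levelling, so an overwrite may never reach every cell; that is why the article's physical destruction step, not the format, is the control that counts.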