Linda McGlasson at The Agency Insider blog had a smart post last week on the recent FDIC guidance on the information security risks of printers, copiers, and fax machines.
It's not about the copies that are made, printed, or sent by these machines (although those can be a breach threat too if they fall into the wrong hands), but rather the stored data that poses a problem.
Consider: If you're at an institution that has done any upgrade to its copiers and printers within the last five years, then your current machines most likely are housing the hidden threat underneath the plastic cover -- a hard drive that copies and keeps records of every single copy made on the copier.
Yes, a hard drive can hold a copy of every single copy: the drive continues to write until it is full, and then new data overwrites the old copies. If that hard drive leaves the institution or is accessed, this is a violation of privacy under GLBA. Try explaining how that data made it into the hands of someone who wasn't supposed to see it. Or how, after a copier was sent back to the seller for servicing or because its lease was up, a data breach was traced back to your institution -- specifically to that machine.
Banks should have already addressed this issue as part of the information security program mandated by the Information Security Guidelines adopted by the FFIEC pursuant to the Gramm-Leach-Bliley Act. The hard drives of these machines should be treated in the same way (and protected and disposed of in the same way) as any other computer hard drive that sits on an employee's desktop or is carried about in a laptop, netbook, iPad, mobile phone, etc. The fact that the FDIC decided it should issue specific guidance on the topic means that its examiners have discovered a potential "hole" in this respect at more than one bank.
Linda offers some common-sense steps that banks should take to address and mitigate these risks:
- change the default passwords on copiers and multi-function printers.
- turn off all the features you don't need, and confirm that the data and fax modems are separate (so you won't run into the problem of a modem being linked in and exposing records that only a select few in your institution are supposed to see).
- add the manufacturer's security kit that encrypts information on the copier. The kit also shreds each copied document by overwriting the image after it's printed.
- adopt a written policy on the handling of copies, faxes, printed material or stored data, including their secure disposal (if you don't already have one).
- adopt a written policy on the handling and disposal of data on these machines' hard drives.
This is not only good business practice, but, as Linda also discusses, will protect both the institution and its officers and directors from potential civil money penalties for violation of the requirements of the G-L-B Act.
You may think you've got bigger fish to fry than sweating this "small stuff," but a tiny bump can trip you up. Check your information security policies and make certain this "small stuff" is addressed, whether or not the FDIC is your primary federal regulator.