Copy that: Assessing the risks of digital photocopiers
Written by Patricia MacInnis July 08, 2010
Pat Bowes had no idea that the three Toshiba photocopiers in her Halifax business centre could be posing a security threat to both her and the businesses to which she leases office space.
Bowes owns Purdy’s Wharf Business Centre, a suite of executive offices in Halifax’s downtown core, which houses more than 40 business tenants. Each business pays a tenant’s fee, which includes access to fax machines, photocopiers, printers and other office supplies.
She was shocked to learn that earlier this year CBS News reported it had purchased used photocopiers from a recycling depot in New Jersey, and discovered the hard drives of those photocopiers were loaded with confidential documents from the Buffalo Police Department, including police reports and lists of wanted sex offenders.
Bowes knew it was important to encrypt or wipe the hard drives of personal computers before disposing of them, but until she caught wind of the CBS story, she had never given a second thought to the photocopiers she and her tenants use on a daily basis.
“I’ve dealt with different manufacturers over the years, and none of them have ever communicated anything to me about the hard drives on the photocopiers,” she says.
Most modern photocopiers have internal hard drives that store digital images of anything that’s photocopied. The data is stored unencrypted and resides on the drive until it is full and new data overwrites it. If companies don’t regularly overwrite or encrypt, they run the risk of the data being compromised.
Given the ubiquity of photocopiers, and the fact they are often resold, both within Canada and overseas without being properly sanitized, Canada’s Privacy Commissioner is concerned about the potential for identity theft.
“Identity theft is a significant and growing problem, and the increasing frequency of data breaches involving personal information is certainly a contributing factor,” says Anne Marie Hayden, the Privacy Commissioner’s director of communications.
While the Office of the Privacy Commissioner has not investigated privacy issues related to photocopiers per se, it did conduct an investigation on fax machines in 2005 and made recommendations that resulted in amended policies across government departments and agencies. Similarly, following an investigation of privacy issues related to black boxes in cars, the Privacy Commissioner’s office emphasized the importance of manufacturers providing some kind of notification to customers about the existence and capabilities of these devices, so individuals are more aware.
“Although we have not had an opportunity to examine the photocopier issue, I suspect we would say that notification (by manufacturers to customers) would be important here as well,” says Hayden.
As with most data breaches, says Hayden, human error is often to blame, so it’s critical that organizations put procedures and practices in place to safeguard the data.
Bowes admits that, as a business owner, part of the responsibility falls on her shoulders, but she also thinks the manufacturer and the distributors have a role to play in educating their customers.
“We’re talking about my business reputation here, and your reputation has to be squeaky clean. When it starts to mess with my reputation, we have a problem,” she says.
It’s fair to say that manufacturers aren’t doing the best job educating customers on the security risks with digital photocopiers, but at the end of the day the buck stops with the users, says Darin Stahl, research lead at Info-Tech Research Group in London, ON. Photocopiers with digital hard drives have been around for more than 10 years, he adds, but for a variety of reasons, security is often overlooked until there’s an incident that puts a company at risk.
“This is no different than disposing of a laptop. Companies need to treat these devices as a server and lock them down so they’re protected from any unauthorized access on the network,” adds Stahl. “Organizations that are very concerned about intellectual property or privacy are probably more clued into this than others, but those that don’t take steps to protect their copiers could be leaving themselves vulnerable.”
Stahl points out that, more often than not, internal employees can pose the most significant threat, so the devices must be secured while they are running on an internal network and sanitized before they are decommissioned.
“If I have some disgruntled guy in a cube, he can attach to that printer, and if it’s insecure he can query it, and get all the scanned images off that device.”
Stahl advises companies to follow some basic steps to secure their digital photocopiers, both while they are resident in the office and at the end of life.
“The vendors we talk to say the most secure protection is to have the hard drive encryption-and-erase kit installed on the machine when you buy or lease it,” he says. Alternatively, companies can purchase the field upgrade to make the drive unreadable if it’s removed from the copier.
The bottom line, says Stahl, is that companies must treat all network-attached devices as a workstation and act accordingly.
“They need to ensure printer patches are applied regularly, and, as the copiers are decommissioned, companies need to have their vendors or their internal staff certify that the machines are cleared,” he says, adding that companies should brush off and review the National Institute of Standards and Technology (NIST) guidelines for media sanitization.
Xerox Product Security Manager Larry Kovnat agrees it’s important for vendors to educate their customers and to provide adequate countermeasures for the threats introduced with a piece of digital equipment, but he admits manufacturers probably haven’t gone far enough in highlighting the risks to their customers.
“The ultimate measure of your success is whether or not people have heard the message and a lot of people haven’t heard it,” he says. “We have more work to do.”
The photocopier manufacturer has tried to get the message out through its Web site, security summits and general marketing collateral, but Kovnat admits customers have been calling since the CBS News story broke to find out the status of their recently decommissioned copiers.
“If the machines come back to us, they go into our reverse supply chain and if they can be remanufactured or the parts can be used as spares, disk drives are rewritten and reformatted,” he says. “If they’re too old or broken to have any value they’re sent to a secure recycler who crushes them or shreds them.”
For companies that purchase or lease Xerox photocopiers, there are two options for overwriting the hard drive: immediate image overwrite, an online, automatic process that overwrites all the sectors with any temporary image data written to them as part of a scanning or copying process, and on-demand image overwrite, an offline, manual process.
Bowes says she will be making a call to her distributor, given the confidential nature of the data on the photocopiers, and the fact they are shared among a number of companies in her business centre.
“There may very well be information in the owner’s manual, but that’s 800 and some pages,” she says. “I don’t necessarily blame the distributor or the manufacturer. I blame the whole system, which has not properly passed down this information to the customer.”
Last modified on July 08, 2010