The United States Federal Trade Commission (FTC) recently published a guide for digital copier security based on requests from Congressman Ed Markey (D-MA) to investigate the risks to data security posed by these devices. The guide is called Copier Data Security: A Guide for Business and gives businesses some good advice on acquiring, using and disposing of a digital copier.

A digital copier or MFP is not just a printer, scanner and copier. It’s a computer on your network and needs to be treated that way. It has an operating system and can store files just like any other computer. This means it’s susceptible to the same security problems as any server, desktop or laptop on your network. Your IT department needs to be involved in the procurement, use and disposal of these devices.

The FTC guide proposes tips on four (4) stages of acquiring and using a copier:

1. Before acquisition
2. Acquisition
3. Use
4. Disposal

Before Acquisition
As you evaluate purchasing or leasing a copier, make sure that its use and disposal is part of your information security policies. Your IT staff should manage and maintain it just as they would a computer or server. Make sure the people responsible for securing your data are responsible for securing your copier.

Acquisition
Ask the company proposing to sell or lease you a copier about your options for securing the data on its hard drive. Digital copiers typically allow you to encrypt and overwrite the data.

Encryption scrambles the data on the hard drive so it can only be read by particular software. This ensures that even if the hard drive is removed from the machine, no one can read the data. Look for on-the-fly encryption rather than a preset schedule.

Overwriting or file wiping replaces the existing data with random characters. Deleting the data is not enough, since someone could easily recover the data with numerous undelete programs. Look for overwrite functions that erase the data after every fax, scan, copy or print job.

Use
Make sure you use all of the copier’s security features. If your device doesn’t overwrite the data on your hard drive automatically, make sure you do it at least once a month. Lock down external and internal network access to your device, just like you would with any computer. Most copiers’ administrative functions are accessible with a browser, so you need to limit access to authorized people. You don’t want a hacker coming through on an open IP port.

Disposal
When it’s time to sell your machine or return it to your service provider, make sure that you or they overwrite the data on all the hard drives. Some copiers have more than one for efficiency, so you need to check them all. Reformatting the hard drive is not enough, since someone could easily reconstruct the data with a data recovery program. Your security policies may require you to remove and destroy the hard drive. If so, work with your service provider to avoid rendering the machine inoperable.

By following these tips you can be sure that you are properly handling any sensitive information on your copier. Check out the FTC Guide for the full details.

For further information on the right MFP for your organization, contact MCC’s Document Solutions Division today!