Trending

BROWSE ALL TOPICS

Your Office Copier/Printer May Present Information Security Risks

By Steve Muck - Published, March 8, 2010

The following is a recently reported compromise of personally identifiable information (PII) involving the disposal of copiers containing personal information stored on their hard drives. Incidents such as this will be reported to increase PII awareness. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.

The Incident

Recently, a command disposed of numerous copiers that had reached the end of their service life. The copiers were originally leased and subsequently purchased by the government with a typical copier maintenance agreement. The command was under the impression that the copiers did not contain hard drives and therefore did not require sanitization or removal of hard drives before disposal. A few weeks after disposal, the command learned that the copiers did, in fact, contain hard drives. This particular breach did not result in a loss or compromise of PII because the machines were recovered by the government soon after disposal.

Many copiers, printers and multifunctional reproductive machines manufactured today have hard drives capable of storing documents that have been scanned, printed or faxed as digitized images. These machines are often connected to DON networks to ease workload and increase efficiency.

Reproductive office equipment manufactured in the last seven years employ hard drives that store digital images. While much of the hard drive space is used for processing, the machines in this scenario stored up to 6,000 pages of information. The information copied may include PII, classified or sensitive but unclassified information, depending on the machine. Once the hard drive memory has been exceeded, files are automatically overwritten. "Cap points" limit the number of pages stored to hard drives, and the cap limitation can vary in each make and model number.

Depending on the type of machine, information from small print jobs may be stored in random access memory (RAM) only, and the files may be overwritten with each new print request, or lost when the machine is powered off. Manufacturers of the newest reproductive office equipment may advertise that their hard drives use encryption software to safeguard data, but as of this writing, that encryption capability is not DON-approved. Approved DON encryption solutions do not encrypt reproductive equipment hard drives.

DON copiers, printers and multifunctional machines are either leased from a vendor or government-owned. In either scenario, the possibility of PII loss presents challenges when equipment is repaired or turned in for replacement. Stand-alone fax machine memory is generally nonvolatile and is lost as soon as the machine is turned off.

Lessons Learned

The DON CIO is drafting tighter policy controls regarding the turn-in and disposal of reproductive equipment. Until release of the new policy, DON personnel should comply with the following best practices.

For CLASSIFIED copiers/printers: Guidance for reproductive equipment can be found in SECNAV M-5510.36, paragraphs 7-15(2), (3), available on the Chief of Naval Operations (N09N2) Information and Personnel Security web site at http://www.navysecurity.navy.mil/info-551036.htm.

For UNCLASSIFIED copiers/printers:

  • Identify the hard drive capabilities (and security risks) of your photographic equipment and educate office personnel regarding that information.
  • For government-owned equipment, hard drives should be removed and physically destroyed before disposal. Hard drives are not easily accessible, so removal will probably require a technician.
  • For leased equipment, the hard drives should be reformatted to remove all data. Refer to the equipment manual or service technician for instructions on the reformatting process.
  • Place a sticker or placard on the copier/printer with the following: "Warning, this government-owned copier uses a hard drive that must be physically destroyed before turn-in" or "Warning, this leased copier uses a hard drive that must be reformatted before turn-in."
Steve Muck is the DON CIO privacy team lead.

TAGS: Cybersecurity, MFDs, Privacy

Related Policy
Improving Critical Infrastructure Cybersecurity
Processing of Electronic Storage Media for Disposal
DON Public Affairs Policy and Regulations
Safeguarding Personally Identifiable Information
DON Privacy Impact Assessment Guidance
Related News
DON IT West and East 2017 Conference Registration Now Open
Nominations for DON IM/IT Excellence Awards Due Dec. 5
DON CIO Awards Recognize Information Management and Information Technology Excellence
DON IT Conference Presentations Available
DON CIO Congratulates 2016 DON IM/IT Award Winners
Related CHIPS Magazine
Tech Support Companies Using Deceptive Pop-Up Ads to Scare Consumers into Purchasing Unneeded Service
Creating a Smart, Skilled Cybersecurity Workforce
Factsheet: National Background Investigations Bureau
DoD Releases Update of Manual Governing Defense Intelligence Activities
OPM Announces New Chief Information Officer
Related Resources
Personally Identifiable Information Posters
2014 PII Brief
DON Users Guide to Personally Identifiable Information
Inventory of DON Systems With Completed Privacy Impact Assessments
Privacy Frequently Asked Questions
Related Industry News
New Pentagon Website Can Tell If You Were Hacked by China
Nextgov 
America Needs To Stay the Course on GPS Security
Space News 
5 Ways to Spot a Coerced Insider Threat
Nextgov 
For Today's Government Data Security, Trust no one
Government Computer News 
OPM Security Chief: You're Gonna Need a Bigger Boat
Federal Computer Week 

DON CIO Information

Online Services & Community