National media outlets have recently trumpeted the potential cyber-security dangers of digital copy machines. But is it really something government agencies should worry about?
Yes, it's something to keep an eye on, say experts on the state and local government market. It's an issue that, if it isn't already, should be on public-sector CIOs' radars, said Alan Shark, CEO and executive director of the Public Technology Institute.
"It's important that all CIOs consider digital copying devices, as they would any other kind of storage device, and we don't have a good feel whether they are doing that or not," he said. "We have this trust that is put upon us, and rightfully so, to protect very sensitive data."
Digital copy machines are like any other computer, laptop and digital gadget used by a government: Their hard drives may contain identifiable, private information and should be held to the same security standards.
"Most offices today have a single device with multiple functions," said Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO). "Just the fact that they're on the network makes them a potential security risk -- it's a liability because they can be hacked, they do have an IP address and a network interface card."
As recently revealed in a CBS News report, improper disposal of such technologies can backfire on agencies, and leave security holes for hackers and identity thieves to exploit.
The report revealed that not only do most copy machines built since 2002 contain hard drives that store an image of documents copied, scanned or e-mailed by the machine, but many used copiers also contained Social Security numbers, internal police records and medical records.
It was a wake-up call for lawmakers. Rep. Ed Markey, D-Mass., sent a letter to the Federal Trade Commission (FTC), urging it to investigate the issue. Concerned that the hard drives represent a "treasure trove" for identity thieves, Markey called on the FTC to pursue ways to give consumers more information about the privacy risks digital copiers pose.
"As you know, photocopiers frequently are leased for a fixed period, and the CBS segment included footage of warehouses of used copiers -- their hard drives intact and presumably packed with personal information -- being sold and shipped to customers around the world," Markey wrote in the letter.
In response, FTC Chairman Jon Leibowitz wrote in a letter that the commission is aware of the security risks and is examining whether the photocopier industry is doing enough to warn consumers.
But for John Juntunen, founder and chief operating officer of Digital Copier Security, who was featured in the CBS News report, there isn't enough scrutiny or understanding in this area.
"People think, 'Just clear the hard drive and don't take any chances,'" he said. "But you can't just clear the information; it's not that simple." Juntunen's California-based company developed and sells INFOSWEEP software that scrubs copiers' hard drives so they can be reused without any residual data. And since CBS' mid-April report, he's been flooded with questions concerning security and best practices.
"People are calling every day. Our phone just rings off the hook," he said. "People are calling and saying, 'What can you tell me about this?'"
Not all digital copiers pose the same risks. They don't all contain hard drives; some contain more than one, and as Juntunen points out, the buck doesn't stop with wiping the hard drive. The firmware, the copier's operating system, is cleared along with the data and must be replaced afterward for the machine to function, he said.
"You can't just scrub the hard drives, you have to put the firmware back on the machine -- that's the critical part," Juntunen said. To illustrate the financial loss this critical step represents, he recalled a recent conversation with a leasing company, in which he learned a university was billed $20,000 after returning some machines. The reason? The hard drives had been cleaned, but the firmware was gone.
"Without the firmware, the machines won't work," he said. "It's a missing part of many [media] stories. When you clear the hard drives' information, you've also cleared off the firmware, or the machine's operating system."
Also, information isn't just stored on a copier's hard drive. Network settings, e-mail, server passwords and other data are oftentimes stored elsewhere in the machine's memory, Juntunen said, and need to be manually deleted.
While there haven't been any major publicly disclosed cases of identity theft linked to data from digital copiers, the potential certainly exists. Some breaches have been reported. After the CBS News report showed the hard drive of a copy machine -- owned by Affinity Health Plan -- contained 300 pages of health records, the New York-based insurance company notified more than 400,000 people that their personal or medical data may have been compromised.
While the information obtained was part of a journalistic investigation (the hard drives were later returned to the company), Affinity was required by medical privacy laws to file a breach notification to state and federal regulators, and notify all clients and everyone who may have had information on Affinity copy machines.
All it takes is one incident, Shark said, to sound that wake-up call. "We always stress looking for the weakest point of failure in a system," he said, noting that audits of an agency's network and peripherals should be performed quarterly. The first step in protecting one's agency from breached information via digital copiers is to check whether a copier even contains a hard drive, Shark said. If so, does the agency have a policy that describes the security procedures when discarding the equipment?
Robinson said that while no state CIOs have contacted his office about this issue, that doesn't mean it's not one to keep an eye on. NASCIO hasn't performed a survey on how states dispose of digital copiers, Robinson said, but most have policies or standards in place that dictate the disposal of surplus electronic equipment, which would include digital copiers.
That said, it's unclear whether the responsibility to oversee the devices' disposal falls under the umbrella of the CIOs' offices or those who handle equipment procurement, Robinson noted. "The question here is one of authority and policy," he said. "Although many CIO and IT offices have done this from a security standpoint from the risk of personally identifiable information, sensitive information and confidential corporate information and the risk of it being exposed through surplus property -- it really gets down to procurement officials."
That said, there are ways to scrub thoroughly and abide by federal standards. Most states have adopted the U.S. Department of Defense's triple-pass standard, Robinson said, in which software writes over the drive three times, making it virtually unhackable. "It's software that basically places binary zeros and ones across the drive three times, rendering it impossible to get that information," he said. "The key there is the information was still on the hard drive, it's just been written over three times."
Another option is for agencies with highly sensitive material to physically destroy the hard drives, Robinson said. As well, many states have adopted degaussing requirements, which means using magnets to render the data undiscoverable.
But one method -- reformatting -- has proven to be the least successful, he said. "People obviously know in a forensics world that you can recover a lot of data on a reformatted drive," he said.
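The contrast drawn above between a reformat and a three-pass overwrite can be shown on a small disk image (an added example, not code from the article or from any vendor named in it). The image contents, the 4 KB region standing in for filesystem metadata, and the pass patterns of zeros, ones and random bytes are assumptions made for the illustration.

```python
import os
import re
import tempfile

META = 4096                                # assumed size of the filesystem-metadata region
SSN = re.compile(rb"\d{3}-\d{2}-\d{4}")    # shape of the constructed records below


def make_image(path, size=128 * 1024):
    """Constructed disk image: a metadata header, then scanned 'documents'."""
    record = b"SCAN name=Jane Doe ssn=000-12-3456 ".ljust(512, b".")
    with open(path, "wb") as f:
        f.write(b"FSMETA".ljust(META, b"\x01") + record * ((size - META) // 512))


def quick_format(path):  # model of a reformat: only the metadata is rewritten
    with open(path, "r+b") as f:
        f.write(b"FSMETA".ljust(META, b"\x00"))


def three_pass_overwrite(path, chunk=64 * 1024):
    """Overwrite every byte three times; read back the fixed-pattern passes."""
    size = os.path.getsize(path)
    for fill in (b"\x00", b"\xff", None):      # None = random final pass
        with open(path, "r+b") as f:
            for off in range(0, size, chunk):
                n = min(chunk, size - off)
                f.write(fill * n if fill else os.urandom(n))
            f.flush()
            os.fsync(f.fileno())               # push this pass to the device
            f.seek(0)
            if fill and f.read().strip(fill):
                raise OSError("readback mismatch on pass %r" % fill)


def residual_records(path):  # what a raw forensic scan of the image would find
    with open(path, "rb") as f:
        return len(SSN.findall(f.read()))


def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "copier.img")
        make_image(img)
        counts = [residual_records(img)]
        for step in (quick_format, three_pass_overwrite):
            step(img)
            counts.append(residual_records(img))
        return counts
```

`demo()` returns the number of recoverable records before any action, after the reformat, and after the overwrite. An overwrite issued through the host interface does not reach sectors the drive has remapped, which is one reason degaussing and physical destruction remain on the list for highly sensitive material.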
And as with any technology, government policies are constantly in a game of catch-up, Robinson said. "The technology continues to outstrip our policy framework to deal with it because of these unintended consequences, so it's just something that requires constant attention because we keep introducing all these digital products into our workplace," he said. "It's a continuing challenge."