Digital Copiers and Hard Drives: Keeping a Lid on Confidential Information
September 13, 2010 by James F. Maguire
Your court staff is very careful to redact data deemed confidential by Administrative Rule 9 and to insist that all litigants properly file on green paper those pleadings that contain confidential information that must be kept private. When they need to make copies they do so carefully, keeping protected information out of the public eye. They may even use the copier to send documents by fax or email before carefully putting them back in the file and never think twice about a potential privacy risk.
Does that strike you as a prudent way to conduct court business? Well, it probably does; but, fast forward to a time in the future when it is necessary to replace that old copier. If the copier to be replaced was made in 2002 or after then it is very likely a digital copier containing a hard drive that may store images of documents copied, scanned or emailed from that machine. Unless proper precautions have been taken, or the hard drive has been destroyed, individuals may gain access to information on documents that have been copied or transmitted on it. That information may include social security numbers, bank account and credit card numbers, birth dates, driver’s license numbers, and the names of children involved in sensitive cases.
Many courts lease their copiers and upon lease expiration the leasing company tunes and upgrades the machine and places it back into the marketplace with a new lessee or buyer. The danger, unless the proper safeguards have been taken, is that the subsequent owner or lessee may have access to confidential information contained in documents that have been copied or sent from it and remain in the hard drive memory.
Copiers built prior to 2002 operated with a process that was typically referred to as analog copying. It involved the use of an internal mirror that copied the image of the document onto a drum. Static electricity was used with particles of toner creating an image of what was on the drum with a heat element to dry and fix the toner into place producing a copy on the sheet of paper. There was no storing of information involved in the process.
Digital copiers scan the document and save it to memory. A laser imprints the information on the drum, toner is applied, and the document is printed. The digital copier allows for the printing of the document from memory or even transmitted electronically to other digital devices that are capable of receiving it, such as by email or by facsimile transmission.
CBS News reported on a potential privacy breach in a broadcast that aired on April 19, 2010. They noted that practically every digital copier contains a hard drive that functions very much like a computer hard drive. CBS reported that an industry study revealed that 60% of Americans are unaware that copiers store images on the machines’ hard drives.
The CBS investigative reporter, Armen Keteyian, discovered how relatively easy it is to access sensitive information from these discarded copiers. He visited a warehouse in New Jersey and found used copiers for sale for as little as $300. There are around 25 of these warehouses across the country. After pulling the hard drives out of the copiers that they purchased, and using forensic software that may be downloaded from the internet, in less than 12 hours they downloaded thousands of documents containing sensitive information.
From these hard drives they obtained social security numbers, birth certificates, bank records, income tax forms, individual medical records, drug prescriptions, blood test results, a cancer diagnosis, domestic violence complaints, a list of wanted sex offenders, and a list of targets in a major police drug raid.
It did not take long for the CBS report to gain the attention of lawmakers and Congressman Edward J. Markey (D-Massachusetts). Markey is a senior member of the House Energy and Commerce Committee and Co-Chairman of the Bi-Partisan Congressional Privacy Caucus. In a letter dated April 29, 2010 to Federal Trade Commission (FTC) Chairman Jon Leibowitz, he requested information concerning any actions taken by the FTC to investigate this issue and urged him “to pursue measures to provide consumers with additional information about the privacy risks associated with the use of digital copiers for copying sensitive information and the steps consumers can take to protect themselves against these risks.”
FTC Chairman Leibowitz responded to Congressman Markey’s letter on May 11, 2010. He expressed his shared concern about the privacy risks posed by digital copiers. The goal in his words is that “businesses and government agencies should ensure that the information on the hard drives in digital copiers are wiped clean of personal information after the conclusion of use.” He indicated that the FTC is reaching out to manufacturers, resellers, and retail copy and office supply stores to ensure that they are aware of the privacy risks associated with digital copiers. The FTC is determining whether these entities are providing education and guidance on this subject, and whether manufacturers and resellers are providing options for secure copying.
He reported that the FTC is reaching out to government contracting officials to advise them of the risks associated with using digital copiers and ensuring that the government is taking measures to protect the information collected from the public.
In his reply letter, Mr. Leibowitz referred Congressman Markey to consumer education material released in November 2008 that encourages consumers to wipe clean or destroy hard drives before disposing of their computers:
FTC Consumer Alert: The Download on Disposing of Your Old Computer, available at:
Computer Disposal, available at:
He further noted in his letter to Markey that they have released business education material instructing businesses to dispose of hard drives containing consumer information in a secure manner:
Protecting Personal Information: A Guide for Business, available at:
The information technology (IT) experts at the Division of State Court Administration agree that the presence of hard drives in digital copiers is an issue that must be addressed.
Bob Rath, State Court Administration’s Director of Appellate Court Technology, agrees that advanced technology copiers are grounds for concern. “The CBS story shows that copiers can be a powerful tool for invading the privacy of companies and individuals. Former antiterrorism czar Richard Clarke addresses additional risks with digital copiers in his recent book, Cyberwar. Clarke notes that some copiers are made accessible via the internet to enable remote technical support. This feature also opens a door for someone to access the copier hard drives from anywhere in the world. Obviously, this feature should be disabled unless absolutely necessary.”
Andy Cain, MIS Director/CMS Project Manager for State Court Administration’s JTAC operation observed: “This problem illustrates further how the proliferation of devices with computing and storage capabilities affects our personal security. There are surely other such devices on the horizon that will cause us to rethink how we secure confidential information.”
Given these concerns, the Division of State Court Administration IT experts conducted a review of the copiers used in our offices. Their review indicates that the settings and process established for the office digital copiers assure that the copied data is stored only temporarily on the hard drives and then erased as soon as the copy job is completed.
Now that we have identified this potential problem for our courts, what are the available solutions? Here are a few for consideration:
- Determine if your copier is analog or digital, and if leased or purchased since 2002, it is probably digital.
- If your court leases its copiers, review the terms of the lease to determine if there are provisions made to erase the contents, or dispose of the copier’s hard drive, at the end of the lease.
- Contact the responsible person with your copier supplier to determine if they have a company policy for end of lease disposal or cleaning of the hard drive. If not, insist that they provide for one of these safeguards.
- In all future leases or purchases of digital copiers make sure that there is a provision in the agreement to eliminate this potential privacy breach.
In the digital age in which we now live and conduct business it is very challenging to insure that privacy is maintained, or at the very least not unwittingly breached.
If you have questions about your digital copier please contact either Mark Roth, State Court Deputy Director, Appellate IT Operations, at 317-232-2542, email@example.com, or Andy Cain, JTAC MIS Director/CMS Project Manager at 317-232-2542, acain@jtac.IN.gov.