Data security risks are typically thought of as unsecure Web-based software, outdated servers, viruses, and poor password maintenance. Yet, data risks extend beyond your computer files and cloud storage. All the things you copy in the office— tax returns, medical records, financial information, student records, and more—could end up in someone else's hands. If your Data Security Plan (Risk Communication Plan) doesn’t incorporate printers and multifunctional devices, consider them for your next revision—or emergency amendment.
The Dirty Truth About Smart Printers
Today’s printers and multifunctional devices (such as an all-in-one fax, copier, email, and scanner), have hard drives comparable to small laptops. They can store a copy of every item ever copied, scanned, printed, emailed, or faxed—data some of us never think about clearing. This information can be a target for malicious hackers (students, employees, and outsiders) if not properly maintained.
While the information might be encrypted, it's not usually a challenge for hackers to access details, including Social Security and telephone numbers, and bank account and credit-card numbers, according to digital experts.
A recent bulletin published by the Federal Trade Commission (FTC) stated, "The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes or emails. If you don't take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed."
Your Legal Responsibility
It’s not simply for practicality’s sake that we’re talking about data clearing. The FTC publication (linked above) has made it clear that your school takes on serious compliance and liability issues when it comes to information security:
The FTC’s standard for information security recognizes that businesses have a variety of needs and emphasizes flexibility: Companies must maintain reasonable procedures to protect sensitive information. Whether your security practices are reasonable depends on the nature and size of your business, the types of information you have, the security tools available to you based on your resources, and the risks you are likely to face.
Depending on the information your business stores, transmits, or receives, you also may have more specific compliance obligations. For example, if you receive consumer information, like credit reports or employee background screens, you may be required to follow the Disposal Rule, which requires a company to properly dispose of any such information stored on its digital copier, just as it would properly dispose of paper information or information stored on computers.
How to Protect Your School
- Protect your copier’s hard drive. Because digital printers are essentially computers, your IT department should be involved in regular maintenance—even if an outside vendor services your machines.
- Understand what data security features come with your machines. It’s important that you (and your IT department) understand what features come with your machine and/or are provided by the company you’re leasing from. If your school has purchased or leased personal printers for managers in addition to shared machines for administrative support staff, the settings will most likely be configured differently between individual and common machines. Printers operated by managers might be set up to save certain data for ease in retrieving. Saved data runs a higher risk of being hacked than information that is being overwritten. It’s a good idea to have a data security policy that insists on frequent data clean ups.
- Train all faculty and staff on safe data procedures. With all policies your school implements, faculty and staff should be aware of what’s expected of them. With technology in particular, when adding a new machine or new system, it’s best to offer training to everyone who will be using it. And, don’t forget about new employees who will need a little hands-on training operating machinery around campus as part of their orientation.
Beyond usage, confidentiality policies also come into play here. Your school should clearly state what is expected of faculty, staff, and employees when coming across information that is intended for one person such as a fax or personal document still resting on the printer.
The Dirty Truth About Hackers
According to recent statistics published by Forbes, 30,000 websites are hacked everyday. And, it’s not just large organizations and government agencies hackers are targeting—it’s large and small companies alike. You don’t have to be Anthem (the health care provider recently making headlines due to a security breech) to have desired information.
Don’t push the threat aside because you think your school is too small to be a victim. Hackers aren’t just people outside of your cozy school community. Curious (often bored) students, employees, and faculty can access your school’s records and expose your facility to numerous legal threats.
Security and Privacy Insurance can be purchased to help protect your school in the event of a data breach. ISM offers this coverage through Great American to D&O client schools for 15% additional premium. (Your school must have D&O coverage with us to include this endorsement.) Our policy offers $100,000 Regulatory Action limit for legal fees incurred in response to data loss, and to cover fines and penalties you're required to pay by law, as well as $100,000 Privacy Event Limit for identity restoration services, identifying how information was accessed, credit monitoring, and legal fees. For more information have your Broker (or you can contact directly) Andy Bobich at abobich@isminc.com or 302-656-4944.
Additional ISM articles of interest
Private School News Vol. 13 No. 1 Hoarders: Retaining and Disposing of Subjective Data
ISM Monthly Update for Risk Managers Vol. 3 No. 1 Crisis Planning—It’s Your Job
