Discarded photocopiers could reveal your private information
Dave DeWitte
Jun. 5, 2010 12:00 am
Plugging potential data leaks in the office photocopier is the latest security challenge for many Eastern Iowa organizations.
Digital photocopiers made since 2002 have a hard drive similar to those in PCs and laptops, said Dan Bowie, branch sales manager for RK Dixon, a Davenport-based photocopier firm with a branch in Cedar Rapids. The information on documents scanned into the copier is stored on the hard drive, where it can accumulate for years and from where it could be retrieved.
RK Dixon routinely “wipes,” or overwrites, the data on hard drives when a client returns a photocopier at the end of a lease, Bowie said. Several other photocopier companies contacted by The Gazette do the same.
Many leases don't spell out what will happen to the hard drive data, however, and after the photocopier has left the lessee's possession, they have no way to tell. Even if the dealer agrees to wipe the hard drive, not all procedures are equally effective.
A CBS News report in April on the photocopier data storage issue prompted a wave of calls to area photocopier dealers to find out more about security protection.
CBS went to a New Jersey warehouse, where it bought used photocopiers for about $300 each. Forensic software available free on the Internet was used to scan information off the hard drives, which were found to contain medical records, drug raid targets and reports of sex crime investigations, among other things, from New York offices that had used the copiers.
“It's a pretty effective, inexpensive way of breaking into a company,” said Dag Adamson, a “glorified garbage man” who lectures frequently on information security topics as president of LifeSpan Technology Recycling.
Since the CBS report, Adamson's nationwide company has received an increased number of calls to perform on-site removal and destruction of hard drives from photocopiers.
Some of the companies most at risk are covered by federal laws that ensure private record-keeping, such as the health care and financial services industries. Adamson said those laws typically require companies that have lost control of client data to notify the clients.
“That can cost from $10 to $100 per client,” Adamson said. “With 80,000 records on a hard drive, you'd be talking about serious money.”
RK Dixon's response to recent concerns is to offer three levels of data destruction: a standard data wipe; a U.S. Department of Defense-quality wipe; or removal, destruction and replacement of the hard drive by a certified technician.
The last is the most secure and costliest option at $1,400 to $1,500.
Simply removing the hard drive isn't an option, Bowie said, because the lease agreements require the photocopier to be returned in operating condition.
Cedar Rapids-based GreatAmerica Leasing provides financing to companies that buy and lease photocopiers and other types of equipment. GreatAmerica decided after the CBS report to revise its lease agreement, Director of Corporate Communications Matt Doty said.
“It's the responsibility of the user or the lessee of the equipment to wipe the information,” Doty said. “They're the creator of the information, and it's their responsibility to erase it. We've rewritten our lease agreement to reflect that.”
Midwest Electronic Recovery of Walford provides secure and environmentally sound disposal of used electronic equipment, including photocopiers. President Dave Long said the company routinely removes and destroys photocopier hard drives as part of its service, which costs 15 cents per pound, up to a maximum of $15.
Long believes most companies have someone on their technology staff capable of removing and destroying a hard drive.
Most organizations asked to explain how they handle photocopier security issues declined.
Mercy Medical Center of Cedar Rapids requires that copier hard drives be wiped or removed before leaving the premises for service or return to the dealer, Chief Information Officer Jeff Cash said. The hospital is now adding software as well to automatically erase document data after copies have been made.
The city of Cedar Rapids is looking into a security solution.
