Financial Firms and the Risk of Digital Document Theft

document-identity-theftIn its guidance on digital copier security and printer risks, the FDIC describes how copiers, fax machines and printer used by financial firms to process loans and other financial transactions — may store digital images on a hard drive or flash memory.

Financial institutions often lease the devices, putting sensitive data at risk. Banks and other financial services firms need to implement written policies and procedures to track devices that store digital images and make sure their hard drive is erased, encrypted or destroyed before they’re returned to the leasing company, sold or otherwise disposed of, the FDIC said.

If a bank decides to erase or encrypt the hard drive of a copier or printer, it needs to use a method that’s “sufficiently robust to render the information on the disk unrecoverable,” according to the guidance.

Jeffrey Kopchik, a senior policy analyst with the FDIC Division of Supervision and Consumer Protection, said the guidance was primarily prompted by information from examiners in the field, who “felt the vast majority of bankers that they dealt with, especially small banks, were completely unaware of the problem.” There was also anecdotal evidence of a couple possible instances of data exposure.

“We felt at that point, even though we didn’t have a lot of evidence this was happening to any great degree, based on what examiners were telling us — that bankers simply didn’t know about the problem — that it was wise for us to put a short, straightforward piece out that let them know about this risk and our expectations of what they should do,” Kopchik said.

As to how financial institutions should go about erasing or encrypting the hard drive of a copier, fax or printer, Kopchik said Wednesday’s notice references previous guidance, including the 2005 Guidelines Requiring the Proper Disposal of Consumer Information. The banking regulatory agencies have never specifically endorsed a standard for information destruction or encryption because needs change, he said.

“You have to use something that is a standard that is well understood to do the job. You can’t use a method that’s was developed 10 years ago and everyone knows it’s been compromised,” he said.

Since the guidance was released, Kopchik said he’s received questions from bankers, such as whether the policies for mitigating the risks should be separate or part of an overall information security policy. Either would be acceptable, but he said he personally believes it makes more sense to include them in the overall info security policy.

Dan Fisher, president and CEO of The Copper River Group, a Fargo, N.D.-based consulting firm to the financial industry, said the risks highlighted in the FDIC guidance are often overlooked because users don’t understand how devices like copiers and fax machines covert and store the digitized document prior to reproduction or transmission.

“Even though the transmission is over or they are done with the copy, it does not mean that the data has been deleted,” he said. “Some devices have significant memory.”

When information is digitized, it “takes on a life of its own,” Fisher said.

For further details on copier hard drive safety please contact the copier and office equipment experts at Imagetec.

Source: Marcia Savage, Site Editor,  16 Sep 2010 |