GLBA Compliance: Lock Down Your Copiers and Printers
Hold on. Did you forget something? The biggest unplugged hole in your security is sitting in plain view, probably near your workstation, or at least in a public area. The culprit is the institution’s copier. If you’re a larger institution, the copiers are on the network too.
What do you say? How can the copier be a security threat? If your institution has upgraded its copiers and printers at any point in the last five years, the copier/printers in use most likely house a hidden threat under the plastic cover: a hard drive that stores an image of every single copy made on the machine. The drive keeps writing until it is full, and then new data overwrites the oldest copies. If the Super Bowl party invitations you copied get out, well, sloppy as they were, they aren’t a violation of privacy under GLBA. The loan applications that the loan officer printed and copied, each carrying the applicant’s Social Security Number, are a big problem. Try explaining how the data stored on the drive before a document is printed or copied ended up in the hands of someone who wasn’t supposed to see it. Or how, after a copier was sent back to the seller for servicing, a data breach was traced back to your institution, and specifically to that particular machine.
To prevent this scenario from unfolding, change the default passwords on your copiers and multi-function printers. Next, turn off every feature you don’t use, and check that the data and fax modems are separate. That way you won’t run into the problem of a modem linked into the system that gives a path to records only a select few in your institution are meant to see.
Another consideration is adding the manufacturer’s security kit, which encrypts the information stored on the copier. The kit also shreds each copied document by overwriting the image after it is printed. At least two copier manufacturers offer this as an add-on to their machines.
Those institutions that don’t already have a written policy on the handling of copies, faxes, and printed material may also want to take this as the point to begin a review and write a policy for the secure disposal of these types of documents, after ensuring their copiers, printers, and fax machines are locked down with strong passwords. This will bring their policy in line with GLBA requirements. Note: whether or not a financial institution has disclosed non-public information, there must be a policy in place to protect that information from foreseeable threats to security and data integrity. As for the cost if you don’t: it may be cheaper to save a few dollars now, but consider the penalties for not doing right by your customers (and your employees), taken from the US Senate’s GLBA enforcement amendments passed back in 2003: “the financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation” and “the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation.”