GLBA Compliance: Lock Down Your Copiers and Printers

At your institution you're considered the person who has thought of every possible security angle, and when it comes to locking down the systems, networks and Internet-based offerings, you're confident that you've met or exceeded everyone's expectations for privacy and security. You've even heard rumors that your superior is happy.

Hold on. Did you forget something? The biggest unplugged hole in your security is sitting in plain view, probably near your workstation, or at least in a public area. The culprit is the institution's copier. If you're a larger institution, the copiers are on the network too.

What, you say? How can the copier be a security threat? If your institution has upgraded its copiers and printers at any time within the last five years, the copier/printers in use most likely house the hidden threat underneath the plastic cover: a hard drive that stores an image of every single copy made on the machine. Yes, a hard drive can hold a copy of every single copy, and the drive continues to write until it is full, at which point new data overwrites the oldest copies. If the Super Bowl party invitations you made copies of get out, well, even though they were really sloppy, they aren't a violation of privacy under GLBA. However, the loan applications that the loan officer printed out and copied, each carrying the applicant's Social Security Number, are a big problem. Try explaining how the data stored on the drive before a document was printed or copied made it into the hands of someone who wasn't supposed to see it. Or how, after a copier was sent back to the seller for servicing, a data breach was traced back to your institution, and specifically to that particular machine.

To prevent this scenario from unfolding, you'll want to change the default passwords on copiers and multi-function printers. Another good step is to turn off every feature and service you don't need, and to check that the data (network) connection and the fax modem are separate. That way you won't run into the problem of a modem linked into the network, giving outsiders a path to records that only a select few in your institution are supposed to see.

Another consideration is adding the manufacturer's security kit, which encrypts the information stored on the copier. The kit also shreds each copied document by overwriting the stored image after it's printed. At least two copier manufacturers offer this as an add-on to their machines.
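To make the "shred by overwriting" step concrete, here is an added Python example (not code from the original article or from any copier manufacturer's security kit). It assumes the device keeps each scanned or printed job as an ordinary file in a spool directory, a simplification chosen so the example runs anywhere; the file names, the spool directory and the sample "scan" contents are all constructed here. Each stored image is overwritten in place with random bytes several times, flushed to disk, and only then deleted, so that simply unlinking the file (which leaves its blocks intact for whoever next reads the drive) is never the only thing that happens.

```python
"""Overwrite-then-delete for a copier/MFP job spool (added example, constructed data)."""
import os
import secrets
import tempfile


def shred_file(path: str, passes: int = 3, chunk_size: int = 64 * 1024) -> int:
    """Overwrite `path` in place with random bytes `passes` times, sync each pass
    to disk, then unlink the file. Returns the total number of bytes written.

    The random data comes from `secrets`, so no pass leaves a predictable pattern
    that could be subtracted out later. Writing in chunks keeps memory flat for
    large scan images.
    """
    size = os.path.getsize(path)
    written = 0
    # "r+b" with buffering=0 writes straight through to the OS rather than a
    # Python-level buffer, so the fsync below actually covers what we wrote.
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force the overwritten blocks onto the medium
    os.unlink(path)  # delete only after every pass has landed on disk
    return written


def shred_spool(spool_dir: str, passes: int = 3) -> int:
    """Shred every regular file in `spool_dir` (hypothetical job directory).
    Returns total bytes written across all files."""
    total = 0
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if os.path.isfile(path):
            total += shred_file(path, passes=passes)
    return total


def demo() -> dict:
    """Constructed demonstration: create two fake scan images holding a marker
    string, shred them, and report what happened. Nothing here is real data."""
    spool = tempfile.mkdtemp(prefix="mfp_spool_")
    marker = b"SSN 000-00-0000 (constructed sample, not real data)"
    sizes = []
    for name in ("scan_0001.tif", "scan_0002.tif"):  # constructed file names
        data = marker * 100
        with open(os.path.join(spool, name), "wb") as fh:
            fh.write(data)
        sizes.append(len(data))

    passes = 3
    written = shred_spool(spool, passes=passes)
    remaining = len(os.listdir(spool))  # should be 0: every job file is gone
    os.rmdir(spool)
    return {
        "files": len(sizes),
        "passes": passes,
        "bytes_written": written,
        "expected_bytes": passes * sum(sizes),
        "remaining": remaining,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats belong with any overwrite approach. Overwriting in place only reaches the blocks the file system currently maps to the file; journaling file systems, copy-on-write storage and the wear-levelling inside flash or SSD media can keep older copies of the image elsewhere on the medium, which is why the kit's encryption of data at rest is the control that still holds when a drive leaves the building for servicing. And the spool file is not the only place an image can live: print and scan caches, fax memory and the address book need the same treatment before a machine is returned or retired.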

Institutions that don't already have a written policy on the handling of copies, faxes and printed material may also want to take this as the point to begin a review and write a policy for the secure disposal of these types of documents, after ensuring their copiers, printers and fax machines are locked down with strong passwords. This will bring their policy in line with GLBA requirements. Note: whether or not a financial institution has disclosed nonpublic information, it must have a policy in place to protect that information from foreseeable threats to security and data integrity. As for the cost of not doing so: it may be cheaper to save a few dollars now, but consider the penalties for not doing the right thing by your customers (and your employees), taken from the US Senate's GLBA enforcement amendments passed back in 2003: "the financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation" and "the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she has been involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.