Hard Driving Security
18 Jan, 2005
I received an email recently from Bill Petty, service operations manager of GR Graphics. They are an authorized Sharp dealer in Fargo, North Dakota. This dealership is working to create an added value marketing program when offering a hard drive over-writing security package. Sharp has designed this security software to ensure that the copier’s hard drive is completely cleared of all information on a periodic basis. This is especially necessary when the copier is resold, traded in or returned to the leasing company.
Bill’s email asked if I knew how other dealers are addressing the hard drive security issue. He specifically wanted to know if my dealership was requiring our customers to sign a disclaimer or waiver if the end user chooses not to purchase the security software. He was also concerned about what legal ramifications (to the dealer) were involved when picking up machines that are coming off lease, traded in, end of a rental, etc. Whose responsibility is it to completely clean (strike over multiple times) any sensitive information that may be on the copier’s hard drive?
After reading Bill Petty’s email I immediately gave him a call. I wanted to have a further discussion about this hard drive security issue. Sharp has been very proactive by packaging a security software program designed for the Sharp copier. In turn, Bill's company has established retail pricing for the security software and appropriate IT services.
During our telephone conversation, two separate issues were addressed.
First was the security issue itself. What exactly are the responsibilities and liabilities of the independent dealer when addressing the privacy of any information on the copier’s hard drive? Secondly, how can the independent dealer remarket this added value security software to the end user?
To the best of my knowledge Sharp was the first manufacturer to have a hard drive security package that was offered to their dealers. I called several other manufacturers enquiring about any similar security overwriting software that has been specifically made for their copier’s hard drive. In each case I was referred to other people who referred me to other people who told me their R&D was working on it, etc. etc. etc. They were aware of the significance of the need for a secure hard drive within the copier.
There are several new security overwriting software packages available for purchase through independent resellers. I found software that can X out, or strikeover 3 times, 4 times, 5 times and 6 times any information that was formerly stored on the hard drive. I saw various levels of required strikeovers depending on what governmental documentation I was referencing.
So where does this leave the dealer? Exactly what are we supposed to do when picking up a formerly connected copier from a hospital, adoption agency, judge’s chambers or other potentially sensitive location?
I recently read an article written by Karen Bannen in CFO magazine entitled The Secret Life of Copiers. The article recalls a story of a security breach at a large university in the Northeast. An unsuspecting IT employee of the university stumbled on the illegal usage of a university copier’s hard drive. The IT worker had noticed a great deal of traffic going to and from the networked copier. Further investigation uncovered an illegal music file swapping service on campus. The music files were being stored on this copy machine’s hard drive. The students were actually transferring MP3 files to and from the hard drive on the university's copier.
Ms. Bannen goes on to explain that the technology for making copies has changed very little over the past 50 years. However, the copy machines themselves have gotten very sophisticated. Most copiers are now full-blown IT devices with network capabilities, email servers, connectivity, integrated fax, up to one gig of memory and a hard drive. Yet few IT professionals have thought of the security breach that copiers can create.
Most copiers have some sort of copy management system which includes a password. In my personal experience, less than 10 percent of all copier usage requires a secure password or code in order to have access to the use of the copier equipment. Simple security measures are rarely utilized by end users. In most cases the hard drives can be easily removed.
With the implementation of the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 2002 Sarbanes-Oxley Act, copier users, sellers (leasers) and servicing agents must be aware of the sensitive personal documents that can be stored on a copier’s hard drive. Medical records, birth certificates, financial information, etc. can all be stored on the copier’s hard drive. Lou Slawetsky, president of the Rochester-based research firm Industry Analysts states, “People don't think of copiers as vulnerability. That’s a problem.”
In today's litigious society, being aware of the potential security liabilities of the copier’s hard drive is worthy of a discussion in your next manager’s meeting. Would your company's liability insurance cover a claim against your company for not protecting privileged information on a traded in copier’s hard drive?
Who is ultimately responsible for the information on the hard drive of a leased or rented copier? Is it the leasing company, servicing dealer, sales or service rep who did not inform the customer of the hard drive’s ability to store the end user’s sensitive information?
If your dealership offers to sell the end user a security software package and the customer declines to purchase the software, does that relieve your dealership of future liability? Should you require the end user to sign a waiver or release of liability if they refuse to purchase the security software? Are those manufacturers who are offering customized software trying to provide a value added product to the end user? Or are they just creating one more item the customer will insist the dealer include, at no additional charge, at time of purchase?
If your company sells or leases the original piece of equipment with a hard drive, and another dealer picks up the equipment, who is responsible for hard drive security? Will the leasing company’s return warehouse agent have any liability? If a customer demands to have the hard drive removed and wants to retain possession, what happens? Can dealers offer to sell removed hard drives to the former end user?
At this stage of the game, there appear to be more questions than answers. Just as we began to feel comfortable with solution selling and installing digitally connected equipment, the hard drive security issue presents a new technology challenge.
There is an opportunity to sell security software. Some Sharp dealers are offering an additional service of periodic cleaning (and Xing) of the hard drive as part of the software purchase.
Dealers may need to pressure those manufacturers who have not yet provided customized or approved hard drive security software to become proactive. New forms that can be given to the end user, explaining the hard drive security issues, may be necessary. Signed forms releasing dealers from any liability may also become necessary for those end users who do not want to pay for security software and hard drive cleaning IT services.
Now is the time for dealers to address the hard drive security issues. Establish a plan. Be prudent and consistent in dealing with security issues of those end users whose businesses may be governed by HIPAA or other privacy concerns. Whenever possible sell the added value feature of increased security needs. Protect your dealership from any future ramifications of inadvertent hard drive security lapses.