The FDIC issued FIL-56-2010 today, addressing risk posed by sensitive information stored on certain electronic devices (copy machines, fax machines and printers) that utilize internal storage, and how institutions should mitigate that risk.
This guidance only covers those devices that have internal storage, such as a hard drive or flash memory, but according to some reports, every copy machine manufactured since 2002 contains a digital hard drive.
In short, the FIL references GLBA, and states that:
“Financial institutions should implement written policies and procedures to identify devices that store digital images of business documents and ensure their hard drive or flash memory is erased, encrypted or destroyed prior to being returned to the leasing company, sold to a third party or otherwise disposed of.”
Because the FIL refers to existing guidance regarding the proper disposal of customer information, no new policies should be required. However you should update your existing policies to make sure these new devices are identified and included. It might also be a good time to re-evaluate your disposal method to make sure it is “sufficiently robust to render the information on the disk unrecoverable”.
(NOTE: HP addresses the issue for their devices here.)
