In

FDIC issues guidance on copy machine hard drives

The FDIC issued FIL-56-2010 today, addressing risk posed by sensitive information stored on certain electronic devices (copy machines, fax machines and printers) that utilize internal storage, and how institutions should mitigate that risk.

This guidance only covers those devices that have internal storage, such as a hard drive or flash memory, but according to some reports, every copy machine manufactured since 2002 contains a digital hard drive.

In short, the FIL references GLBA, and states that:

“Financial institutions should implement written policies and procedures to identify devices that store digital images of business documents and ensure their hard drive or flash memory is erased, encrypted or destroyed prior to being returned to the leasing company, sold to a third party or otherwise disposed of.”

Because the FIL refers to existing guidance regarding the proper disposal of customer information, no new policies should be required.  However you should update your existing policies to make sure these new devices are identified and included.  It might also be a good time to re-evaluate your disposal method to make sure it is “sufficiently robust to render the information on the disk unrecoverable”.

(NOTE:  HP addresses the issue for their devices here.)

Print Friendly, PDF & Email

Article by Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

Leave your comment