Federal Trade Commission Chairman Jon Leibowitz recently sent a letter to Congressman Edward Markey, Co-Chairman of the bipartisan Congressional Privacy Caucus, announcing that the FTC will address the privacy risks associated with the use of digital copiers. Congressman Markey had urged the FTC to investigate this issue after a CBS News exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information.
In the letter to Congressman Markey, Mr. Leibowitz promised the FTC would collaborate with “copier manufacturers, resellers, and retail copy and office supply stores to ensure that they are aware of the privacy risk associated with digital copiers and to determine whether they are warning their customers about these risks, whether they are providing education and guidance on this subject, and whether manufacturers and resellers are providing options for secure copying.” He also stated that the FTC would “provide additional guidance to both consumers and businesses specifically addressing how to protect personal information that may be stored on hard drives of digital copiers and other devices.”
By not erasing personal information stored on the hard drives of digital copiers, businesses may be violating numerous state records disposal laws that require businesses to take reasonable steps to ensure that records containing personal information be destroyed such that the information is unreadable or undecipherable through any means. Personal information stored on digital copiers also may trigger federal and state breach notification laws if that information is not erased. In April 2010, Affinity Health Plan notified over 400,000 current and former customers that their personal information had been stored on the hard drives of a leased office copier that Affinity later returned to the leasing company. The copier containing the Affinity customers’ information was featured in the CBS News exposé when reporters found information from “drug prescriptions, to blood test results, to a cancer diagnosis.”
To help ensure compliance with applicable privacy and information security laws, businesses should destroy or erase any hard drives in digital copiers before selling or discarding those machines, and should contractually require that the hard drives of leased digital copiers be erased at the termination of the lease.