Digital Printer/Copiers May Cause Data Security Breach

2/1/2011

Pursuant to Regulation S-P, financial institutions are required to adopt written policies and procedures to safeguard nonpublic personal customer information.  FINRA advises its members that procedures must be reasonably designed to:

  • ensure the security and confidentiality of customer records and information;
  • protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
  • protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.[1]

Many compliance professionals agree that best practices a firm may employ to safeguard customer information include:

  • limiting physical access to areas where customer information is stored;
  • establishing user IDs and passwords for all computers and computer networks;
  • using firewalls, anti-virus software or other methods to limit unauthorized access;
  • encrypting emails or faxes;
  • shredding paper documents, DVDs, CDs; and
  • wiping data from USB, flash drives and computer hard drives.

However, an often-overlooked source of possible access to nonpublic personal customer information is digital printers.

Printers contain hard drives for queuing print requests from computers, as well as copying, scanning, emailing and faxing documents. The hard drive stores images of these documents, which commonly include nonpublic personal customer information such as Social Security numbers, account and transaction records, and medical information. Depending on the printer and its security settings, imaged documents may continue to be stored on a printer’s hard drive for indefinite periods of time.

Some printer manufacturers offer security settings including encryption of the images, electronic shredding of images on a regular basis, and limiting users’ ability to reprint images stored on a printer’s hard drive.  These are all features which firms should be aware of, consider, and utilize whenever possible to help safeguard customer information.  Additionally, when a firm disposes of a digital printer, it should ensure that the hard drive is wiped clean before it is returned to the leasing agent or sold.

These simple practices will help firms ensure that nonpublic personal customer information remains protected.

Dionne Fajardo provides consulting to broker-dealers, investment advisors and their associated persons in addressing the compliance challenges they face and developing strategies to implement effective solutions suitable for each client’s individual business operation.

[1] See NASD Notice to Members 05-49