Are Printers and Copiers Stealing Your Information?

August 2, 2021 at 6:15 pm by Amanda Canale

Copiers, printers, and document scanners are just as much office staples as any other piece of equipment (aside from, probably, an actual stapler). While these kinds of devices are not programmed to typically store any sensitive data, they may be harboring more data than you think. Everything from new employee records, tax forms, HR documents, and other kinds of personally identifiable information (PII) and unclassified or classified information are just ticking time bombs. In this blog, we discuss how hackers can tap into your copiers and scanners and steal your private information.

Since approximately 2002, most digital copiers and printers use hard drives that store and manage all the data, documents, and images you are copying, printing, and scanning. Mix that with their web-based interfaces, and now your office serves as the perfect cocktail to lure in online hackers. (In layman’s terms, this means that your copiers are essentially giant computers and vulnerable to all sorts of cyber-attacks!)

Most digital copier manufacturers offer some sort of data security feature that involves encryption and/or overwriting to ensure the safety of whatever information you are printing, copying, or scanning. So hopefully, your office’s IT department has already either installed the software to protect you and your data from cyber-attacks or has a system in place to securely sanitize that data. It’s important to discuss your device’s security features with your IT department since each device is different; you should know whether your device’s memory is automatically wiped, needs to be manually wiped on a preset schedule, or another option altogether. Depending on what those features entail, a schedule should be set in place to ensure a routine is followed.

Some practices you and your team can integrate into your routine are using authentication or additional verification methods that include a mix of a password, card swipe, biometric information, or other similar methods. By implementing more preventive measures, you can help lower your risk of cyber-attacks.

Remember when we said that copiers are essentially giant computers? Well, that also means that their hard drives work the same as computer drives in that overwriting a drive is vastly different than reformatting or deleting. According to the Federal Trade Commission (FTC), simply deleting the data or reformatting the copier’s hard drive “doesn’t actually alter or remove the data, but rather alters how the hard drive finds the data and combines it to make files: The data remains and may be recovered through a variety of utility software programs.” Like other hard disk drives, methods such as cryptographic erasure and data erasure would allow the drive to be used again, but these are not secure and foolproof destruction methods. Information, whether encrypted or unencrypted, can still linger behind on the drive and be accessed, even if it has previously been deleted or overwritten. (You can read more about how not to destroy hard drives in our previous blog post.)
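The difference the FTC describes between deleting, reformatting, and overwriting can be seen in a small model. This is an added example, not code from SEM or the FTC: `ToyDrive`, `residual_scan`, the 64-byte block size, and the sample scan job are all constructed for illustration. The toy has no spare or remapped sectors, which an overwrite on a real drive may not reach.

```python
import re

BLOCK = 64  # bytes per block in this toy model (assumption)
SSN_LIKE = re.compile(rb"\d{3}-\d{2}-\d{4}")

class ToyDrive:
    """Toy copier drive: raw blocks plus an index of stored jobs."""

    def __init__(self, blocks=32):
        self.raw = bytearray(blocks * BLOCK)
        self.index = {}                  # job name -> block numbers
        self.free = list(range(blocks))

    def store(self, name, data):
        used = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            used.append(b)
        self.index[name] = used

    def delete(self, name):
        # Deleting drops the index entry and frees the blocks; bytes stay.
        self.free.extend(self.index.pop(name))

    def reformat(self):
        # A quick reformat rebuilds the index; the blocks are not touched.
        self.index.clear()
        self.free = list(range(len(self.raw) // BLOCK))

    def overwrite(self, passes=1):
        # Overwriting writes every addressable block, allocated or not.
        for _ in range(passes):
            self.raw[:] = bytes(len(self.raw))
        self.reformat()

def residual_scan(drive):
    """Read the raw blocks and ignore the index, as recovery utilities do."""
    hits = [m.group().decode() for m in SSN_LIKE.finditer(drive.raw)]
    nonzero = sum(1 for i in range(0, len(drive.raw), BLOCK)
                  if any(drive.raw[i:i + BLOCK]))
    return {"listed_jobs": sorted(drive.index),
            "ssn_like": hits,
            "nonzero_blocks": nonzero}

def demo():
    # Constructed sample job; 000-12-3456 is not a valid SSN.
    job = (b"HR scan (constructed): Jane Example, SSN 000-12-3456, "
           b"W-4 form page 1 of 1. ") * 2
    actions = {
        "delete": lambda d: d.delete("scan_0001"),
        "reformat": ToyDrive.reformat,
        "overwrite": ToyDrive.overwrite,
    }
    results = {}
    for name, act in actions.items():
        drive = ToyDrive()
        drive.store("scan_0001", job)
        act(drive)
        results[name] = residual_scan(drive)
    return results

if __name__ == "__main__":
    for action, report in demo().items():
        print(action, report)
```

The same raw-block scan, pointed at an image of a wiped drive, is a quick verification that a scheduled overwrite actually ran.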

When it comes time to destroy your copier’s end-of-life hard drives, it is always best practice to conduct destruction and degaussing in-house. To ensure the secure destruction of your data, SEM recommends always following NSA standards and degaussing all magnetic media, including hard disk drives (HDDs), prior to physical destruction in a shredder or crusher.

By degaussing the drive prior to physical destruction, organizations are choosing the most secure method of data destruction per NSA guidelines as this is the only way to be certain that the end-of-life data has been properly destroyed. When magnetic media is placed in one of our degaussers, powerful magnetic fields essentially scramble and sanitize the magnetic tapes and drives, eliminating all sensitive information from the device. This crucial step securely renders the drive completely inoperable. Once the device has been degaussed, it should be physically destroyed. This two-step method of degaussing and physical destruction — mandated by the NSA for classified media — is without a doubt the most secure method of sanitization for magnetic media such as HDDs.

Solid state drives (SSDs) and optical media cannot be degaussed, so it is critical that each and every chip on a solid state board is destroyed in order to properly sanitize the data. Depending on media type, crushing, shredding, or disintegrating is recommended. It is also important to remember that a data breach is a data breach, no matter the level of impact. At SEM, we have solutions to securely destroy any type of media on any type of device, ensuring your end-of-life data stays where it belongs: at the end of its life.

 

Applying to College: What Happens to Your PII Once You’re Accepted?

April 27, 2021 at 1:50 pm by SEM

College applications. For a lot of people, just reading those two words can bring back a swarm of flashbacks of awkward college essays, endless SAT prep, and countless hours spent anxiously awaiting that giant envelope announcing your acceptance into your dream school. While this time can be exciting for many people, it’s also a time spent filling out application after application detailing all your personally identifiable information (PII). But what happens to those applications, and that information once you’ve been accepted?

Colleges and universities are bound by a federal law called “The Family Educational Rights and Privacy Act” (FERPA), which ensures that the information provided by and in relation to students is kept private. The law also states that if the information provided is no longer needed, it must be discarded in a manner that securely protects the information.

For context, FERPA is administered by the Family Compliance Office in the US Department of Education and applies to all educational agencies and institutions that receive funding under any program administered by the department. Private schools at the elementary and secondary levels generally do not receive funding and are therefore not subject to FERPA. Private post-secondary institutions, however, generally do receive funding and are therefore subject to follow all FERPA guidelines and regulations.

While FERPA accounts for a variety of issues such as access to education records, amendments to and disclosure of records, it also makes provisions and guidance on the protection of the information. It is within this segment of the law that institutions are obligated to protect the privacy of the data and to effectively destroy or eliminate data that is no longer needed in a controlled and secure manner.

How is this data destroyed?

Personal data resides on many forms of media, including but not limited to paper, hard drives, data tapes, optical disks, and more. Paper documents can easily be destroyed by feeding the end-of-life documents into a paper shredder. Many institutions use in-house cross-cut paper shredders for this purpose while others may deploy an outside service to shred the paper. If an office or institution utilizes an outside service to destroy their paper documents, they are usually stored in a locked cabinet or receptacle that only the outside service has access to. While these documents are securely stored in the meantime, SEM will always recommend in-house data destruction to ensure secure destruction. By opting for a third party vendor to handle your end-of-life destruction, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle, misuse, or even lose drives and/or paper when in transportation, being sorted by staff, and in the actual acts of destruction and disposal. (Some third party vendors have even been known to sell the data they are given to online third parties!)

Unfortunately, many college applications are now submitted virtually through applications like CommonApp and through institutions’ online portals. This means that the destruction of their electronic media is a bit more challenging. Again, there are outside services that perform this function, but they do not come without their own set of consequences. For hard drives, it is best practice to degauss any end-of-life drive prior to destruction. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media which renders the drive completely inoperable. This can in turn potentially save an institution more time and money in the long run by preventing a breach of any kind and ensuring their applicants’ PII stays safe.

At SEM, we specialize in providing secure and effective in-house solutions to numerous educational facilities around the country. We have an array of high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your institution’s destruction needs.

How NOT to Destroy Paper Documents

April 5, 2021 at 1:13 pm by Amanda Canale

In the age of Big Media, it’s easy for some to say, “Paper is dead! Everything is digital now!” Well, not quite. Even as we get further and further into the digital age, not everyone (or everything) has gone paperless. While the majority of our information and data has gone digital, there are very literal paper trails linking our identities to our private information. From medical records and birth certificates to mailed credit card offers and business contracts, there is a plethora of paper documents out in the world that hold some of our most private and confidential information. It is this reason in particular why we at SEM stress that any end-of-life paper documents containing sensitive or confidential information should be destroyed securely. Join us as we break down some of the methods that should be avoided.

Cutting and/or Shredding by Hand

As satisfying as ripping up physical spam mail can be, making it your primary shredding method is not recommended. While this method may be enough for mail or documents not containing private, confidential, or personally identifying information (PII), it will not ensure that the information cannot be pieced back together. Unfortunately, when media or data of any nature is not destroyed with high security end-of-life destruction equipment, there is always a risk that some of the data may be recovered. Take for instance the DARPA Shredder Challenge where people competed to reassemble shred particles, or our previous blog, A History of Data Destruction.

Recycling and/or Throwing Away

While we support the green initiative in wanting to recycle your end-of-life confidential paper documents, unfortunately this cannot always be securely done. For starters, the majority of our waste and recycling ends up in landfills and dumpsters which are typically gold mines for hackers and thieves. In addition, recycling and waste are not transported securely, making it easy for people to intercept and have access to your most sensitive and confidential information.

It is reported that, on average, recyclables and waste sit on sorting floors for up to four weeks before finally being destroyed. Given that length of time, anything can happen! It is important to note that after this period, remnants of your information are not magically sorted; dozens of employees sort what the machines cannot and have direct access to your data. By opting for a seemingly eco-friendlier alternative, you will unfortunately only put your data at more risk.

It is always best to err on the side of caution when it comes to end-of-life data destruction. When it comes to specifically destroying paper documents, it is best practice to use a paper shredder. By adopting a shredding policy, companies and organizations can take preventative measures to ensure that end-of-life confidential information does not fall into the wrong hands.

That’s why at SEM, we want you to future-proof the destruction of your most sensitive and confidential data with one of our high security paper shredders, the SEM Model 344. The Model 344 offers an even more secure shred size that we like to call P-7+. This device is the only high security paper shredder on the market that offers a particle size of 0.8mm x 2.5mm (that is 50% smaller than the current National Security Agency requirement!). This compact, portable, energy-saving option is listed on the NSA/CSS Evaluated Products List and has a throughput of 12 reams of paper per hour when feeding five sheets at a time.

By opting for in-house data destruction methods, you and your company or agency are making the most cost-effective, safe, and secure decision. It is also important to remember that a data breach is a data breach, no matter the level of impact. At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

Records Retention Schedules: When Will Your Data Expire?

January 21, 2021 at 8:00 am by Amanda Canale

In the growing age of Big Media, it is imperative now more than ever that companies and organizations develop and maintain a Records Retention Policy, otherwise known as RRP. An RRP is a policy that defines a company or organization’s legal and compliance bookkeeping requirements. An RRP ensures that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient.

When establishing an RRP, there are several key questions to keep in mind. Who is responsible for overseeing the RRP? How long should records be retained? What type of records should be retained? What should we do with those records after the required retention period has passed?

Within any type of business, there are a multitude of records you’ll need to keep track of, from accounting and bank records to corporate and employee information, just to name a few. Just as the type of record may vary, so does the retention period. Let’s break down some of the more important record types and retention periods.

Accounting Records

It is a good rule of thumb to keep the majority of accounting records permanently. These types of records can range from income taxes, asset records, training manuals, general ledgers, and more. Patents and related papers, insurance claim documents, legal correspondence, capital stock and bond documents require permanent retention, along with real property records, such as deeds, bills of sale, and appraisals.

While the majority of accounting records should be kept permanently, there are some types that you can safely destroy after a period of seven years. These types of records can be in the form of electronic payment records, employee expense records, inventory listings, and timecards. These records are still crucial to your accounting team but are not necessary to harbor forever.


Employee Benefit and Personnel Records

When it comes to employee benefit and personnel records, the retention period can vary. Any financial statements, documents from the Internal Revenue Service (IRS) and Department of Labor Correspondence, and plan and trust agreements should all be kept permanently.

Normal employee personnel files, employment applications, and individual employee contracts should be kept on file for two to three years from the date of termination. Other personnel records, such as worker’s compensation and employment eligibility forms, can be kept for three to five years.


Insurance and Legal Records

Insurance records, such as accident reports and settled claims, fire inspection and safety reports, and expired insurance policies should all be kept for seven years. It’s important to note that any accident reports and settled claims should be kept for seven years from the date of the settlement, not when the accident occurred. When it comes to legal documents, the retention period can vary. Records of expired contracts and leases and employment agreements can be kept for seven years, but other documents, such as effective contracts and leases, meeting minutes, partnership agreements, and legal correspondences should be kept permanently.

It is also important to keep in mind that records are not just paper documents but can consist of electronic documents and data as well. This includes, but is not limited to, word processing, emails, databases, spreadsheets, and so forth. Any device on which files are stored, optical media, flash drives, and HDDs or SSDs are considered to be electronic documents and must follow the same RRP guidelines the corporation sets forth for paper documents retention and disposal.

The disposal of these records is just as important as retaining them. Having an appropriate shredder is crucial to ensuring that your data is not falling into the wrong hands.

Although the non-permanent records are no longer required to be kept in your possession, this does not mean that the information on those records has necessarily expired or become any less important. If records are disposed of in an unsecured manner and important corporate or employee information falls into dishonest hands, the results can be catastrophic for both the corporation and the employee. (You can read about the monetary consequences of data breaches here.)

In conclusion, establishing an RRP is a crucial step in ensuring that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient. Management of these records includes, but is not limited to, securing the information they contain, even upon disposal of those records. Records that no longer require retention should be destroyed by means of shredding, disintegration, or degaussing, whichever is appropriate depending on the storage method and applicable industry regulatory requirement. Although it is not necessary for a corporation to maintain the same destruction requirements as a government facility, the proper destruction should not be considered any less vital. As with any company or organization policy, an RRP relies on its employees to maintain and enforce it.

Higher Education Institutions: The Great Debate

August 8, 2016 at 9:15 am by SEM

Technology is a huge part of our lives today, from computers to tablets to all kinds of PDAs. But what do you do with these devices when they are at the end of their life, considering all the sensitive information on them? This is particularly a problem for colleges and higher education universities. Just think of all the different types of IT related products that are used on a college campus. There are computers and laptops for the staff. Most students use some type of laptop, tablet, cellphone, and USB drives. So when these devices are at the end of their life, what do you do with them? Simply throw them in the trash, use a third party service, or set up a secure in-house destruction program?

Outside Shred Service

In the past this has been a common solution because of convenience, particularly in years past when the volume of IT devices was low. The premise was simple: call a shred service and they come out and destroy the media for you. It’s kind of an out of sight, out of mind thing. However, as the volume increases it can get expensive. There is typically a fee to come to your location, and then pricing is based on your volume with a minimum fee. So why not put that money into a piece of equipment where you could destroy the drives yourself and also ensure maximum security?

In-house Destruction Options

When you are starting to think about setting up your own in-house destruction program, there are a few things to think about. What is your volume? What type of drives are you looking to destroy? What is your budget? Depending on the answers to these questions, you could possibly purchase your own destruction device and actually have it pay for itself in the first year or two compared with what you are paying for a destruction service. Also, doing it yourself ensures maximum security.

High Security Destruction

When dealing with high security and classified data that is associated with National Defense, the US Federal Government implements a two-step process in which a hard drive is degaussed with an NSA level degausser and physically destroyed. To that end, SEM offers a variety of Degauss and Destroy Bundle Solutions for both NSA Level and/or commercial level information.

If you need to destroy hard drives or any other type of electronic media, SEM has a solution to meet a wide variety of needs and budgets.