It’s not every day that an IT manager can claim that his research into a new technology yielded national news. But Boris Zvonkovic, IT manager at the Office of the Information and Privacy Commissioner of Alberta (OIPC), certain can.
Not that he necessarily would. By Zvonkovic’s telling, it was a typical roundtable discussion with other tech heads at the OIPC’s Edmonton office that led him to consider security issues around high-end printers, scanners and other multifunctional peripherals.
A few years ago, when the OIPC was switching out its old printers in favour of new ones, Zvonkovic and his team scrutinized the security implications of the novel devices. These were nothing like the standard, mechanical-feed printers of days past. The new machines stored information on hard drives and processed data rather like desktop PCs do.
That raised certain questions: what kind of info do the machines keep? How long do they hold onto the data? What happens to that data when businesses hand leased printers back to the leaser? Are companies in danger of giving away private or personal information — details about their customers, perhaps — if they don’t wipe the printer hard drives before putting the boxes out to pasture? “It’s one of those things that has flown under the radar a bit,” Zvonkovic said. “People might not have noticed the changes in the technology.”
This past March, the OIPC urged businesses to consider similar questions regarding their printers. “The newer generation of office equipment…can pose a security risk for organizations,” read the OIPC’s press release on the matter.
According to Tim Chander, the OIPC’s research manager, the issue received plenty of attention from national news outlets. He said Zvonkovic was the catalyst for the release with his research into the subject for the Commissioner’s office. Chander said there are ways for companies to ensure their printer info stays safe.
“You do have the option of buying [the hard drives]. A lot of people don’t realize it.” Zvonkovic said some printer manufacturers let user organizations disable the hard drives. For the OIPC’s part, this group removes the drives from the machines and overwrites whatever data the drives harbour before sending the components back to the company that holds the lease.
According to Sean Murray, senior manager of solutions marketing at Canon Inc.’s Canadian headquarters in Mississauga, Ont., this printer manufacturer offers something of an electronic shredder that helps customers deal with information stored on Canon machines. The feature lets users erase the hard drive contents after each print job. As well, Canon’s service department can wipe the hard drive clean.
“We’re starting to hear more and more from our customers about security,” said Martin Sutherland, Canon’s director of product marketing. Chander pointed out that it’s not exactly easy to get at the info stored on printer hard drives. You’d need some special software to pull it off.
“The odds of someone accessing the data may be low, but it could still be accessed if someone really wanted to do it,” he said. If a company fails to wipe its printer hard drives and the information is leaked, the firm could find itself with the wrong kind of attention. In Alberta, for instance, the OIPC might pay the offending firm a visit, Chander said. “We’d go in and recommend procedures to prevent something similar from happening in the future.”
Zvonkovic said it’s up to enterprises to devise a way to deal with printer hard drives and the information these components hold. “You might want to institute some controls around service, what you’re going to do when your lease is up.”
He also emphasized that it is imperative for IT teams to try to keep abreast of technological developments. Had Zvonkovic and his crew not done so, they probably wouldn’t have come across the potential printer problem when they did. “It helps to have that team dynamic where everybody brings forward issues, not just day-to-day firefighting things, but what’s on the horizon.”