TechFlash: Personal Sensitive Data, Discoverable ESI in Digital Copiers?

June 02, 2010

On April 19, CBS Evening News correspondent Armen Keteyian reported on the risks associated with information stored in digital copiers that may persist even after the machines have been sold or returned to a leasing company. Most digital copiers contain hard drives similar to those found in computers that store images of documents copied, scanned, or emailed by the device. If steps are not taken to remove or encrypt the data, these digitized images may be accessed by anyone who later obtains the machine.

CBS News and digital security software company representative John Juntunen purchased several used digital copiers and removed their hard drives. Using freely available software, Juntunen easily obtained thousands of documents from the hard drives. The software revealed documents from the Buffalo, New York Police Department, a construction company, and a health insurance company. The police department and construction company documents contained sensitive and potentially embarrassing information, but the information from the heath insurance company included medical records and personally identifiable information, raising potential Health Insurance Portability and Accountability Act (HIPAA) violation issues. After learning of the incident, the insurance company made required disclosures of the potential breaches to state and federal regulators, its members, providers, and current and former employees.

Soon after, an affiliate station in Phoenix, Arizona performed a similar investigation using locally sourced copiers. Those copier hard drives included records from a restaurant containing employee social security numbers and payroll information.

On April 29, Congressman Edward Markey (D-Mass.) called on the Federal Trade Commission (FTC) to investigate the issue of digital copiers retaining sensitive information, citing the CBS News report. Describing digital copier hard drives as "a treasure trove for thieves," Markey raised concerns about identity theft and related crimes. He advised that "[b]usinesses and government agencies … should ensure that all the personal information on the hard drives of these machines is wiped clean" before machines are returned or sold.

The FTC's chairman responded to Rep. Markey's letter on May 17, stating that the FTC is also concerned about the vulnerability of personal information in digital copiers. The FTC said it was "reaching out to" manufacturers and resellers to confirm that they are aware of these risks and not only informing their customers of these issues, but also assisting them with securing their private information.

This story raises eDiscovery concerns that those potentially facing litigation should keep in mind: Should digital copiers be subject to litigation holds? Digital copiers can contain electronically stored information (ESI) that may need to be preserved. The use of the digital copier, the data type and relevancy, and the organization's data management policies should be considered when the duty to preserve arises.

The publicity and interest generated by this report has likely raised litigants' awareness of this potential source of discoverable ESI. Organizations should be prepared for this issue to arise and anticipate it in their eDiscovery planning. There are steps organizations can take to protect their privacy interests. Digital copiers may be programmed to delete data automatically. Once copiers are scheduled to be disposed of, sold, or transferred back to leasing companies, the hard drives should be wiped of all data, or if necessary, retained if subject to a litigation hold.

If you have any questions or would like more information on any of the issues discussed in this LawFlash, please contact any of the following Morgan Lewis attorneys:

Stephanie A. "Tess" Blair
Scott A. Milner
Gregory T. Parks

San Francisco
W. Reece Hirsch