Vendor resold copier with company’s sensitive data

Almost every office copier and multifunction printer contains an internal hard drive that saves images of the documents that are scanned or printed – and if companies aren’t careful, those images could end up in the hands of criminals.

Those machines are often returned to a leasing agent or resold after companies upgrade, so there can be serious security issues if the hard drives aren’t erased before someone else can get a hold of them.

For example, investigators last year reported they had been able to buy used copiers still containing Social Security numbers, medical histories and other personal data from a warehouse in New Jersey.

And in a survey from last year, 68% of companies reported that they don’t wipe data from copy machines after they’re decommissioned.

So whose fault is it when that information gets into the hands of criminals: the organization that failed to wipe the data before the machine was returned, or the vendor that resold or released the machine without erasing the hard drive?

The answer: not the vendor, according to one recent court case.

A company sued a copier vendor after learning a machine it had used may have been resold with sensitive corporate information still on the drive.

The vendor argued that it was the customer’s responsibility to make sure all their data was erased before the machine was returned. But the company claimed the vendor acted negligently when failing to wipe data and failing to explain the capabilities of the machine to hold on to that data.

The judge ruled in favor of the vendor, with the decision based largely on the contract with the customer. The contract didn’t mention anything about wiping hard drives — therefore there was no way for the company to claim the vendor had a duty to do so (Cite: Putnam Bank v. IKON Office Solutions).

The lesson for IT: Whether you’re returning equipment to a leasing agency or just recycling it, you need to make sure all data is erased. You won’t be able to rely on another company to do it for you.