Imagine you are being audited or are under a discovery order to present all materials pertaining to a lawsuit. You have well-planned, maintained, and monitored Information Governance (IG) policies and practices, including those related to litigation hold and presentment.
You confidently search across the enterprise, locating what you believe is every shred of information requested. There is no place in your information ecosystem where information resides without you being aware of its existence. Or is there? The question I would now ask is, did you search the hard drives located in your copy machines and, potentially, some of your printers?
That’s right, there is a hard drive in most of today's copy machines and some high-end printers, where information is held and stored. Not only can they store copies of documents, they also have usage logs that hackers can get to, as can anyone servicing the devices. The question you have to ask now is this: "Are my copiers equipped with hard drives and usage-log capabilities, and if so, how do I manage these so that my organization is not placed at risk and continues to meet its compliance requirements?" You must consider and include these devices in your IG program, assigning responsibility to periodically delete information stored on their drives. You must consider the possibility that they will be included in any audit or litigation proceedings and, as such, there should be documented policies and practices on proper disposition of the information they hold.
Another consideration is what to do when copiers and printers are taken out of service. Disposal of the peripheral device does not mean the hard drive and the information contained on it will be disposed of properly. As part of the disposal procedure, you may want to remove the hard drives and destroy them independently. The same would be true of PCs and any other devices containing a hard drive.
In My View
Look at the specification sheet for your devices and locate the reference about hard drives in those devices. If you do not find one, there is a chance the device does not have a hard drive. You can also ask your service technician if the device contains a hard drive and where it is located. You will want to learn the processes to erase information stored on those hard drives and how to access information in times of litigation and audit. This includes not only the documents stored there, but also the use logs and how to extract the information either in digital or print form.
When it comes time to change out a copier or printer with a hard drive, you will want to erase, remove and/or destroy the hard drive before turning it over to the supplier. This may require assistance from the service tech, but you will want to ensure that all information — as some may be sensitive or confidential — is not vulnerable to being accessed by unauthorized persons.
Where is information hiding in your organization? In copiers, printers and, my guess is, many other locations you may not be aware of or, if you are aware, may unintentionally overlook. Printers, copiers and even smartphones are all devices that hold information and should be included in your IG program. Take time to research what you have in-house, what is in use by your remote workforce and which portable devices are being used by your employees. Find the hidden information before it finds you as a RISK factor.