Absolutely! In fact, scenarios like the following are relatively common: A growing company bought a used, high quality color printer at a bargain price from a used equipment outlet. It was quickly installed and running fine on the company’s network.
When an IT staff member decided to configure the printer to receive documents from another facility, she discovered that there were network connections and emails saved in the printer’s memory. There were also documents that had been previously on the printer’s disk drive still stored on the printer’s internal storage.
Apparently, the previous owner had simply disposed of the printer by selling or trading it in to the office supply store without properly ensuring that any lingering data was wiped off. Coincidently, the printer’s original owner was a key competitor of the new owner. Clearly the proprietary data left on that printer was at risk.
Why Printers Can Put Data at Risk
As innocent and “dumb” as your office printer may seem to be, it’s actually quite sophisticated in its ability to manage, receive and send data because of a few key components:
- Volatile (RAM) and non-volatile memory
- Disk storage
- Network connection
Today’s printers contain memory and other storage (e.g., disk drive) to manage all sorts of information transactions such as printing, faxing, scanning and emailing.
Convenience Can Add Risk
Earlier generation printers used only volatile RAM memory which does not continue to store data when the power is turned off. Today’s non-volatile “flash” memory and disk storage retain data until it is overwritten – even when the power is shut off. For a user, this can be beneficial to print a previously printed document or access previously stored documents, scans, print logs, fax logs, network connections and recipient emails. Depending on the amount of memory and disk space in the printer, some of the information may persist on the printer for days or even weeks before being overwritten.
Because printers can be configured to connect to a network, users can easily send and receive documents between multiple locations and recipients. Unfortunately, any network connection can also open the printer to potential external threats such as malware, particularly when the printer security is not properly configured.
Security research firm Quocirca noted, “For many organizations, their cyber-attack surface area is increasing as connected Internet of Things (IoT) endpoints proliferate. These include both legacy and the new breed of smart printers and multifunction printers (MFPs).” Malware that is inserted on a printer will present a risk not only to the company that currently owns the printer, but a future owner when disposed of improperly.
Proper Printer Disposal
When a printer is deemed at its end-of-life (EOL), some companies simply disconnect it and sell it, or dispose of it like any other trash. Unfortunately, the risk of data loss from a printer is just as great as from other computing devices such as desktops, laptops, tablets, and phones, especially when they are not properly decommissioned.
To reduce risk and meet certification compliance requirements for your industry, your printer’s media (memory, disks) should be sanitized prior to the transfer of chain of custody (ownership) process from your company to wherever it goes, such as a sale to another company or person, a donation to a charity or permanent disposal.
Destroying or Sanitizing Your Printer
There are multiple technologies available today that claim to be capable of cleaning your printer of all data. Let’s take a look at these to help you determine the best approach to ensure there is no risk to your organization when disposing your printers.
Shredding physically destroys the hardware reducing it to small e-waste pieces that are unusable. Remember, because shredding typically must be handled offsite, while the printer components are in transit to be shredded, your data is still at risk so it’s crucial to use a trusted, certified vendor. Look for the NAID AAA Certification to find the best qualified vendor.
Because the media where the data resides is magnetic, degaussing demagnetizes the media and thereby destroys the data. But this technology also has its limitations. It cannot effectively sanitize all storage media, flash memory devices, and solid-state drives.
Data-bearing Asset Disposition
As a leader in IT Asset Disposition (ITAD), Castaway Technologies recommends data erasure as the best practice. This technology, also referred to as “data wiping,” overwrites the existing data without destroying the device itself. Unique binary patterns are applied to essentially mutilate the data making it meaningless. This technique sanitizes hard drives, solid-state drives, and any other media without generating any e-waste.
Castaway focuses on the protection and safe destruction of all confidential, proprietary and personally identifiable information (PII) associated with IT assets that have reached the end of the IT lifecycle, including printers. Its CastTRAC service makes it a priority to ensure all IT assets are accounted for, data is eradicated, risks are mitigated and compliance standards are met. In the event of a breach incident or audit, CastTRAC provides 3rd party validation, chain-of-custody documentation, detailed disposal records and industry certifications.
For further information about how you can safely dispose of your printers and other electronic devices, contact us online or just give us a call at (978) 208-4730.