A recent series of news articles highlight privacy issues associated with today's modern multifunction copier devices. Most businesses have them. The devices are all in one digital copiers, scanners, printers and fax machines. As pointed out by the Buffalo News, these devices have hard drives that are often forgotten repositories of all sorts of images. The devices are usually connected to an IT network. Often dedicated network locations store scanned images or faxes, until they are retrieved by a user. While we were not able to find a reported case dealing with preservation or spoliation issues, should these locations be added to a checklist of ESI locations for preservation purposes? The short answer is maybe. Some background first.
The first article titled Police data on copiers causes city to scramble appeared on April 21, 2010. The article reports on a CBS News investigation of data privacy issues. CBS purchased four used copiers from a warehouse in New Jersey and two were once leased to the Buffalo Police. The hard drives of the two copiers contained sensitive information, including reports from domestic violence, a list of wanted sex offenders and information about suspects from a drug investigation. In addition the Buffalo News reported:
The CBS investigation pointed out that copiers made since 2002 contain a hard drive that stores images of documents that are scanned on the machine. The hard drives are often filled with personal information — Social Security numbers, birth certificates, tax forms, bank records — making them a potential gold mine for identity theft.
The City of Buffalo was doing damage control in response to the CBS News investigation and the excuses sound familiar to anyone reading spoliation cases. One City official questioned whether the vendor ever told the City the hard drives where even present on the copiers. The law department said it was doing everything to track down where the City's old copiers went and is working to retrieve the data. Members of the City Council said it was more important than ever for the City to develop policies to ensure old data is scrubbed from the hard drives when the copiers are disposed.
The Buffalo News followed with a second article the next day: Scrub copiers' memory before discarding. The article provides more background about the data stored on copier hard drives, the practice of local retailers to scrub the contents of used copier hard drives when they are returned and the security features available, including encryption. One local IT expert was quoted saying:
"I'm pretty sure that most people have no idea that these devices have any storage capacity. Most of us just think of them as copiers," said Richard H. Lesniak, director of academic services for the University at Buffalo's Computing and Information Technology office. "It's a wake-up call."
The Buffalo News reported on the local practices of several companies. A medical group reported that it scrubs data from its copier hard drives each day. A locally headquartered regional bank reported that it uses a program to wipe data from its copier hard drives two minutes after a copier is used. Despite these measures it was reported that users can intentionally save data on copier hard drives for later reuse.
Computer World reported on copier hard drives in 2007: Photocopiers: The newest ID theft threat. The article reported,
At issue are the hard drives embedded in most copiers and intelligent printers manufactured in the past five years. Data is stored on the drive before a document is copied or printed; unless security provisions are in place, the data is stored unencrypted and remains there until the drive is full and new data overwrites old.
The article also contains the results of an interesting study commissioned by Sharp. The study questioned people about copying their tax returns and found that "54% of those polled had no clue that digital photocopiers store an image of what's duplicated and that a majority believed running off returns on copiers or printers is a safe practice. When told of the security threat posed by unsecured hardware, however, two-thirds of the people surveyed said they were less likely to copy their financial information on a public digital photocopier."
While no reported decisions appear to directly address preservation or privacy issues, one case fighting about the tax status of digital copiers contains testimony from an expert for Xerox. See Xerox Corporation v. The Wisconsin Department of Revenue, 2009 Wisc. App. LEXIS 595 (Ct. of App'ls of Wisc. Jul. 30, 2009). The esoteric point of the case is unimportant (unless you like taxable property disputes). During the case Xerox's expert explained the differences between old fashioned "copiers" and newer "digital copiers."
[W]ithin the document processing industry, the term "copier" refers to
a machine that uses a process whereby an original document is placed on a glass or fed through a document feeder, the image is projected through a series of mirrors and lenses onto a drum or photoreceptor surface, and that projected image is then transferred onto paper without any conversion or manipulation of the image. Copies are made by taking pictures of the original document. Such copiers are also referred to in the document processing industry as optical copiers, analog copiers, or photocopiers. These copiers are not connected to or operated by computers and do not use electronics for image processing at any stage of the copying.
The expert also testified that the term "digital copier" refers to
a device that uses electronic processing to improve the image the photoreceptor sees, thereby producing sharper color images than optical copiers. In a digital copier, a document is scanned by a raster scanner, which 'rasterizes' the data, i.e., converts it to a pixel-by-pixel description of the lightness and darkness across a page and then to digital 1's and 0's. The raster scanner is directly connected to a raster printer which prints the scanned data the same way it is received, without any manipulation.
Back to our question about preservation. Should the hard drives of digital copiers be an issue to consider during preservation of relevant ESI pursuant to a litigation hold? The answer has to be yes. Copier hard drives may be a possible data source and should be added to ESI investigation checklists. Depending on the use of the digital copier, the type of ESI stored, the wiping policies of the organization and whether relevant ESI stored on the hard drive of the copier exists at the time the duty to preserve arises are all issues to consider. Whether ESI of copiers should be preserved in any particular case can only be answered by considering these issues on a case by case basis.