Security risks with copier, scanner & fax systems (Multi-Function Devices, MFDs)

The University copies, prints, and scans thousands of documents each day. These documents may contain information that is sensitive, confidential and/or protected under FERPA, HIPAA, or other laws governing data and records confidentiality. Please see EP 8 for University Data Policies. Many printers, copiers, and scanners used today have hard drives that save image copies of all documents processed on them. If these devices are disposed of “as is,” these documents are retrievable with many free tools.

Unauthorized access, disclosure, or loss of institutional data is a security incident and could constitute a data breach, resulting in reputational damage, loss of public trust, and fines from regulators.

Some considerations to ensure images from copied or scanned documents do not fall into the wrong hands:

  • Proper configuration of security controls on the MFDs is critical. At a minimum, administrative access to the device should be configured with a non-default password. If the unit supports drive encryption, this should be enabled.
  • Education and Awareness: Educate office personnel regarding the appropriate management of sensitive information and the risks associated with equipment used to copy or scan. Remember the greatest security risk is when the equipment leaves the University. No copy and print equipment should leave University units, whether it is through disposal, resale, or trade-in (for leased equipment), without going through Surplus Stores. Please see BPPM 20.76, Surplus Property, regarding proper removal of data.
  • If copiers, scanners, or MFDs were assigned to employee home-work locations during the pandemic, ensure that they are securely brought back to the appropriate on-campus work location as employees return to work. If employees are moving to a hybrid model and devices are going to continue to be assigned to their home-work location, ensure that inventory records are up to date and that employees understand that in all instances, these devices must be returned to WSU to be properly disposed of at the end of their useful lifecycle.
  • Disposal and Resale: While University departments may transfer and sell equipment directly to other units, Surplus Stores (509-335-3089) is the only University department authorized to sell or dispose of equipment outside the University. Surplus Stores will ensure that hard drives are properly “wiped” before the equipment is resold, a process similar to the method used to “clean” computers when they are sent to Surplus. If you are trading, upgrading, or replacing the equipment, contact Surplus Stores.
  • Leased Equipment: In addition to Surplus Stores, Purchasing Services (509-335-3541) should be involved in trade-ins of leased equipment.

All security incidents or suspected incidents involving institutional data must be reported immediately to the Information Security Services (ISS) group within ITS at abuse.wsu.edu.

For questions or additional information, you may contact the Office of Internal Audit at ia.central@wsu.edu.

The Notices and Announcements section is provided as a service to the WSU community for sharing events such as lectures, trainings, and other highly transactional types of information related to the university experience. Information provided and opinions expressed may not reflect the understanding or opinion of WSU. Accuracy of the information presented is the responsibility of those who submitted it. The self-uploaded posts are reviewed for compliance with state statutes and ethics guidelines but are not edited for spelling, grammar, or clarity.
