Thinking about identity theft, there are lots of places to keep your guard up – online, in local stores, around ATM machines, and now photocopy machines.
The Computer We Forgot About
CBS ran a story where they recovered the personal information for Caroline Kennedy from a printer. This was one of those large industrial printers used in offices – law firms, banks, pretty much anywhere you find an office with more than a few employees.
Most people know those big printers will do far more than print. They can photocopy, scan, fax, or even collate a full-color presentation. But all that function is available because it's not just a printer, it's really a very specialized computer. It has memory, a processor, and data storage, just like a laptop.
That data storage is where the problem creeps in.
A Little Geek Talk
It helps if you understand basically how printing works. Typically, there is no hard drive in a home printer. Most of us use inkjet printers, which means our data is stored on the computer. When you send a print "job" to your printer (i.e. when you click the Print button) the information about what you're printing is sent to software on your computer called a "spooler". The spooler feeds the information to your desktop printer in little pieces, because the printer can only handle so much information at one time. The printer spits out a few lines of ink in just the right places to form words or pictures on the paper – reproducing whatever it was that you wanted printed. When the printer needs more information to print out the next line, it tells the spooler, which sends the next chunk, until the job is finished.
In an office environment, the big printer might have 3 or 4 people sending it a print job at the same time. It could just tell your spooler to wait until it's ready, but that slows down your computer, and nobody wants that. So office printers were designed to have their own spooler and a hard drive to store the print jobs in the order they were received. It prints as fast as it can with the same process, but when it needs more data for the next page, it already has that data on the hard drive.
Evenutally, the company upgrades to a newer printer, the old one goes somewhere to be refurbished, cleaned up, and sold second-hand. There are several companies that make quite a profit buying old printers, fixing them up, and reselling them. Many of those printers end up overseas in countries like India and China.
Identity thieves have learned about how these industrial printers store information, though, and they're cashing in. For a little cash, they can buy one of these secondhand printers, access the hard drive, and collect all the information stored on it. They might even turn around and re-sell the printer to get their money back, and sell the data for pure profit.
Who Really Cares?
Of course, IT professionals provided service and support on office printers from the very start. They saw the problem, and talked with their engineers, who came up with a solution – data encryption for the printer's hard drive. That package costs the business owner a little more on the front end, but would also make sure the customer's information remained secure.
But, according to the CBS article, companies aren't willing to spend the few extra dollars to protect our information. Worse, despite laws such as HIPAA and FACTA, very few companies are taking the precautions of wiping the hard drives clean before they sell the printer off. The same is true for the resale company. The attitude seems to be one of indifference. The article even says there are no regulations governing that data.
But the FTC has published some guidelines (PDF) to help businesses comply with various data security laws. The booklet suggests identifying "…all connections to the computers where you store sensitive information." Obviously, the printers discussed here would fit in that category, since they store sensitive information.
Down the road there will doubtless be a lawsuit, and a competent authority will determine that the data stored on printer hard drives falls within the realm of protected information as defined by several data security laws. This may soften the corporate battle cry of "That's not our responsibility."
Until that happens, though, keep in mind the fact that most businesses don't even know they are putting your personal information at risk. So when you see someone making a copy of something for you, or printing a document that has your information on it, take a couple of minutes and tell them what you've read here. Better yet, send them to this site to look into it.
After all, the biggest reason identity theft continues to happen is lack of knowledge about the risks involved. Being well-informed is a big step toward taking care of the problem.