Summary: The FDIC has issued the attached guidance, which describes the risk posed by sensitive information stored on certain electronic devices and how institutions should mitigate that risk.
Note: To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html. Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).

Financial Institution Letters
FIL-56-2010
September 15, 2010

FDIC Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers

This guidance describes the risk posed by sensitive information stored on certain electronic devices and how institutions should mitigate that risk.

Risk

Photocopiers, fax machines and printers may contain a hard drive or flash memory that stores digital images of the documents that are copied, transmitted or printed by the device. Financial institutions use these devices regularly to process loans and other financial transactions on behalf of their customers. Loan documents and other business documents often contain sensitive and confidential information concerning financial institution customers.

Many financial institutions lease photocopiers, fax machines and printers for a set period of time. At the end of the lease period, the devices are returned to the leasing company and either sold or leased again. Anyone who takes subsequent possession of a device that was used by a financial institution may be able to access the hard drive or flash memory and view digital images of the documents that were processed by the device, thus giving them access to sensitive personal and business information concerning the institution's customers.

Controls

Financial institutions should be aware of the risks posed by the potential disclosure of sensitive customer information stored on the hard drive or flash memory of photocopiers, fax machines and printers used by the institution. Financial institutions should implement written policies and procedures to identify devices that store digital images of business documents and ensure their hard drive or flash memory is erased, encrypted or destroyed prior to being returned to the leasing company, sold to a third party or otherwise disposed of. If the institution chooses to erase or encrypt the hard drive, the method used should be sufficiently robust to render the information on the disk unrecoverable.

Examiners may ask to review such policies and procedures and verify that they have been effectively implemented.

Further Information

For further information, contact Jeffrey Kopchik, Senior Policy Analyst, at (202)-898-3872 or jkopchik@fdic.gov.