Printers: A regulatory blind spot for IT security professionals?

Dec. 19, 2018
GDPR affects all types of personal data workflow, regardless of printed or electronic format

The General Data Protection Regulation (GDPR) represented a seismic change for information security professionals, and months after it became enforceable it remains a source of crossed wires and confusion. Recognizing this, the analyst group IDC surveyed European-based professionals on their awareness of the regulation. The responses revealed that even though almost all (97 percent) are now aware of GDPR and the fact that it is in force, 20 percent still incorrectly think it excludes print and another 14 percent do not know whether it does or not. That is more than one in three companies confused and, presumably, unprepared and vulnerable.

Hackers pose a threat and grab the headlines, but there is a far more common challenge for organizations, one that is often overlooked: human error. Companies do not always recognize the exposures that go unnoticed day in and day out: the document left in the output tray because no print management solution holds jobs until the user authenticates at the device, or the unencrypted hard drive inside a decommissioned printer that leaves the building with every document it ever processed. Issues like these are vulnerabilities for an organization both internally and externally.

Multifunction printers (MFPs) play a critical role in supporting business functions, providing several networked services along with significant hard-drive storage. They can print, scan, fax and store documents, and even manage and analyze data. Accordingly, it is quite natural for organizations to have vast amounts of personal data present in such print systems. But, as IDC's report makes evident, this personal data is in danger of becoming a major oversight in organizations' regulatory compliance and data security in general.

GDPR affects all types of personal data workflow, regardless of printed or electronic format. The transient nature of information moving through a print, scan, copy, and/or fax utility makes this a complex problem for IT security professionals, who now need to understand whether their office equipment requires management and security, how to accomplish it, and how to demonstrate it in the event of an audit.

This new European regulation isn't the first of its kind; here in the U.S., we have had our own government-mandated regulations to adhere to, such as the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, which protects consumers' private information when it is handled by financial institutions. In an increasingly data-driven society, and with printers growing in sophistication, information security professionals need to arm themselves with the facts and map out processes that will help their organizations adapt to shifting legal and technological landscapes.

In practice, all kinds of information pass through and are stored in print systems, from PII and sensitive PII (SPII) to confidential business information. The regulatory framework requires organizations to keep an inventory of the personal data they process and to apply appropriate technical measures to protect it. For print, those measures include encrypting printer hard drives, encrypting print streams in transit between client, print server and device, obfuscating or pseudonymizing job logs so that user names and document titles are not held in clear text, and deploying secure data erase to remove every trace of a document from the device once it has been printed, scanned or faxed.
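The job-log obfuscation mentioned above, and the later point about answering a Subject Access Request, can be served by the same mechanism: replace user identifiers in MFP job logs with a keyed pseudonym, so the log still supports auditing (who-as-token, when, which device, how many pages) but carries no clear-text identities, while the holder of the key can still locate one individual's jobs on request. The following is an added example written for this article, not Canon's code or any vendor's log format; the log lines are constructed for illustration, the line format is hypothetical, and the HMAC key is a placeholder that in a real deployment would come from a secrets store.

```python
"""Pseudonymize MFP job logs with a keyed hash (added illustration, not vendor code).

Assumptions: the log format below is invented for this example; real MFPs
write vendor-specific logs. PSEUDONYM_KEY is a placeholder and must live in a
secrets store or HSM, never beside the logs it protects.
"""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample log, one job per line (timestamp, device, action, user, title, pages).
SAMPLE_LOG = """\
2018-11-02T09:14:07Z MFP-3F copy user=jsmith@example.com title="Payroll_Q3.xlsx" pages=12
2018-11-02T09:20:41Z MFP-3F scan user=a.lee@example.com title="Passport_scan.pdf" pages=2
2018-11-02T10:03:15Z MFP-2A print user=jsmith@example.com title="Offer letter - J. Doe.docx" pages=3
2018-11-02T10:05:58Z MFP-2A print user=unknown title="" pages=1
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<device>\S+) (?P<action>\S+) user=(?P<user>\S+) '
    r'title="(?P<title>[^"]*)" pages=(?P<pages>\d+)$'
)

PSEUDONYM_KEY = b"replace-with-key-from-your-secrets-store"  # placeholder, see docstring


def pseudonym(identifier, key=PSEUDONYM_KEY):
    """Deterministic keyed pseudonym: same user -> same token across the whole log.

    HMAC rather than a plain hash, because e-mail addresses are low-entropy and a
    plain SHA-256 of them could be reversed by a dictionary attack.
    """
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]


def scrub_line(line, key=PSEUDONYM_KEY):
    """Keep what an audit needs (when, where, what action, how many pages); drop identities
    and document titles, which routinely contain names or sensitive subject matter."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    g = m.groupdict()
    return f"{g['ts']} {g['device']} {g['action']} user={pseudonym(g['user'], key)} pages={g['pages']}"


def scrub_log(text, key=PSEUDONYM_KEY):
    """Scrub every non-empty line; a malformed line raises rather than leaking through."""
    return [scrub_line(line, key) for line in text.splitlines() if line.strip()]


def jobs_for_subject(scrubbed, identifier, key=PSEUDONYM_KEY):
    """SAR support: only the key holder can map a subject back to their jobs."""
    token = pseudonym(identifier, key)
    return [line for line in scrubbed if f"user={token} " in line]


def jobs_per_user(scrubbed):
    """Audit use of the scrubbed log: job counts per pseudonymous user."""
    return Counter(line.split(" user=")[1].split()[0] for line in scrubbed)


if __name__ == "__main__":
    scrubbed = scrub_log(SAMPLE_LOG)
    for line in scrubbed:
        print(line)
    print(jobs_per_user(scrubbed))
    # A request from jsmith: the key holder finds both jobs, case-insensitively.
    print(jobs_for_subject(scrubbed, "JSmith@example.com"))
```

Two caveats a practitioner should keep in mind. First, pseudonymized data is still personal data under GDPR for as long as the key exists, so the scrubbed log stays inside the inventory; what changes is that a leaked log no longer exposes identities on its own. Second, the pseudonym is only as strong as the key's secrecy: rotating the key breaks the link between old and new tokens, which is desirable for retention limits but must be planned so that open SARs can still be answered.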

So, what should information security professionals keep in mind when helping their organizations comply with privacy regulations and fortify their security in general?

  1. Create a Workflow Map. Organizations should create a comprehensive and finely detailed map of content flow, from the moment content is created or received to the moment it is archived or destroyed. It is difficult to begin any remediation effort until an organization has completed and analyzed such a map. Once an organization knows where content travels, it can begin a triage process to remediate the highest-risk areas first. It is imperative that the workflow map be inclusive and allow no assumptions, exemptions, or biases. Desktop software, services (on-premises, cloud or hybrid), mobile devices, B2B/B2C communications, printers and scanners, as well as network communication paths and their underlying technologies, all need to be evaluated with a critical eye for their ability to transmit, receive, and retain information that is vital to the organization.
  2. Consider Internal Threats. Office infrastructure equipped with user authentication, user tracking, automation, and additional built-in security features will help protect an organization's confidential information. But being equipped is only the first step. A device capable of authentication is just as vulnerable as a device without it unless the capability is configured to the business's standards and used by 100 percent of its users. Incomplete or ad-hoc workflow "norms" and user error pose threats of noncompliance in addition to external attacks. In fact, in the Ponemon Institute 2017 Cost of Data Breach study, malicious or criminal attacks accounted for 52 percent of data breach incidents, with system glitches accounting for 24 percent and human error the remaining 24 percent.
  3. Be Prepared. Clear and detailed maps of where all PII resides within an organization's purview are the practical basis for honoring GDPR's individual rights, including the "right to be forgotten" (the right to erasure) and the right of access. The right to erasure lets an individual require an organization to delete their personal data in defined circumstances, giving consumers a measure of control over their own PII in an exponentially growing global market for consumer data. This is a cornerstone of the regulation, and while it may initially be cumbersome to map an organization's information data-flow, it can also be viewed as a catalyst for improved efficiencies and security remediation. When an individual submits a Subject Access Request (SAR) or an erasure request, the organization must, as a rule, respond within one month (GDPR allows an extension of up to two further months for complex or numerous requests) by providing a copy of all the personal data it holds on that individual, or by deleting it. Demonstrating that this has been done is incumbent on the business and can become the basis of an audit; failure is subject to GDPR's penalties. Submitting a SAR is easy for consumers: a simple email, fax, or letter is enough to constitute a formal request and put the recipient organization to the test. For the organization responding, finding every record about an individual on demand is cumbersome and nearly impossible without an existing catalog of data stores, including transient ones such as print queues, scan-to-email folders and MFP job logs. Maps of workflows also expose inefficiencies and liabilities that would otherwise go unnoticed until a crisis, such as a data breach, occurs, and a breach is far more costly than preemptive remediation. Further, GDPR stipulates that an organization must notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, and must inform affected individuals without undue delay where the breach is likely to result in a high risk to them; without a detailed map or inventory of processed data, an organization risks being unable to establish what was affected within that 72-hour window.

The GDPR regulations present us with a useful reminder that personal information, sensitive or otherwise, must be treated to the highest security standards. Given the importance of data in the business world and the role it plays in all our lives, it is likely that we will see more regulation in the not-too-distant future. It is imperative that information security professionals understand that print and document security are integral to the compliance matrix and must not be overlooked as a critical, and potentially vulnerable, part of the environment. Ignorance is not bliss, and it is certainly not a legitimate excuse for non-compliance. Organizations risk significant financial and legal penalties, not to mention the loss of customer trust, if they fail to get to grips with the current realities and to understand that print falls under the purview of GLBA, GDPR and similar regulations. With foresight, a proactive attitude, and by working with experienced and reputable partners in all facets of the business, including print providers and any others entrusted with providing technologies, solutions, and services, that make content security (and by extension, compliance) a fundamental focus, companies can gain better control of their information management.

About the Author:

Hiroyuki “Hiro” Imamura is senior vice president and general manager of marketing for the Business Imaging and Solutions Group of Canon U.S.A., Inc. He oversees all marketing activities for the Enterprise Solutions, Strategic Planning, Marketing Operations, Aftermarket Products, Large Format Solutions, Desktop Printing, and Imaging Solutions divisions.