Are Your Confidential Documents Really Confidential?
Published: July 16, 2010
Are you conducting your business with the false sense of security that documents in locked filing cabinets, secure storage facilities or only on your password-protected and encrypted computers are secure?
Fraudsters have long known that digital copiers, scanners and fax machines keep the documents they copy, scan and fax on their internal hard disks. Only due to a CBS News story earlier this year has the general public become aware and concerned.
The Risk
We all know that computers have hard disks inside. What many do not know is that everything that is opened on your computer, all pages surfed on the web, all documents sent to the printer and all emails, chats in Skype, Windows Messenger and other social networking programs are also stored in temporary files on your computer hard disk. Until they are forensically removed, they are recoverable.
Similarly, hard drives have become routine in digital copiers, especially those built since 2005. All images scanned, copied or faxed on these machines are stored on the hard drive, and they remain there even after the copy has been made, the fax has been sent or the scanned copy appears on your computer disk. What those images contain depends on your business:
• If you are a doctor, personal data such as medical history, prescriptions, referral correspondence and more.
• If you are a lawyer, privileged and confidential information about your clients, correspondence and planning memos, opinions and more.
• If you are an accountant, personal data such as social insurance numbers, tax return information, bank information and more.
• If you are a banker, confidential information concerning your clients’ bank accounts, balances, signatures and more.
The hard drive in the digital copier will keep images of these documents until one of two events occurs:
1. Either the disk becomes full and the next document begins overwriting the disk from the beginning, thus destroying the first image stored on it; or
2. The disk is intentionally wiped clean using special software designed for this purpose.
The Solution
Like your computer system, local area network and email/internet access, your digital copiers need a risk analysis and security policy.
The first step is to identify those machines in your office that might contain confidential information and establish a security procedure for routinely wiping the disk clean using special forensic software designed for that purpose.
Simply deleting the files on a hard disk does not erase them; it only makes them invisible to the normal user. A sophisticated user, like the fraudster, knows how to retrieve deleted files.
Your copier manufacturer or service supplier will be able to tell you exactly which models have internal hard disks and, in most cases, they will also offer an easy-to-use application which will perform what is referred to as a DoD (Department of Defense) disk wipe. This will overwrite the disk with a series of 1’s and 0’s three times, resulting in the permanent deletion of all data that existed on the disk.
Depending on the size of the disk, this may take some time, but proper scheduling can result in this occurring overnight when the machine is not being used heavily. Your company’s security policy should be no different for digital copiers than for computers: when they are discarded, remove the hard disk.
The best way to ensure that the confidential information that resides on the disk is not recovered and used by unauthorized individuals is to physically destroy the disk, or at a minimum, retain custody.
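The three-pass overwrite described above can be sketched as follows. This is an added example, not the copier vendor's wipe application: the pass order (all 0s, all 1s, then random data), the function names and the constructed sample image are assumptions. It wipes a file-backed image and shows that a document marker readable before the wipe is gone afterwards.

```python
import os
import tempfile

CHUNK = 1 << 20  # work in 1 MiB blocks so a large disk never has to fit in memory

def write_pass(fh, size, pattern):
    """Overwrite the whole target once; pattern=None writes random bytes."""
    fh.seek(0)
    for off in range(0, size, CHUNK):
        n = min(CHUNK, size - off)
        fh.write(os.urandom(n) if pattern is None else pattern * n)
    fh.flush()
    os.fsync(fh.fileno())  # push the pass to the device, not just the OS cache

def verify_pass(fh, size, pattern):
    """Read the target back and confirm every byte matches the fixed pattern."""
    fh.seek(0)
    sizes = (min(CHUNK, size - off) for off in range(0, size, CHUNK))
    return all(fh.read(n) == pattern * n for n in sizes)

def three_pass_wipe(path):
    """Assumed sequence: all 0s, all 1s, random. True if both fixed passes verified."""
    with open(path, "r+b") as fh:
        size = fh.seek(0, os.SEEK_END)  # total size, measured by seeking to the end
        ok = True
        for pattern in (b"\x00", b"\xff"):
            write_pass(fh, size, pattern)
            ok = verify_pass(fh, size, pattern) and ok
        write_pass(fh, size, None)
    return ok

def contains(path, marker):
    """Scan a small demo image for a byte string, as a recovery tool would."""
    with open(path, "rb") as fh:
        return marker in fh.read()

def demo():
    """Build a constructed 'copier disk' image, wipe it, report what survives."""
    marker = b"CONSTRUCTED SAMPLE: patient referral letter"
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(os.urandom(4096) + marker + os.urandom(4096))
    try:
        before = contains(img.name, marker)
        verified = three_pass_wipe(img.name)
        return before, verified, contains(img.name, marker)
    finally:
        os.remove(img.name)
```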
With the cost of a new hard disk at less than $100 today, if the machine is to be donated to a charity, traded in for an upgrade or sold, make sure it leaves your offices with a new, empty disk.
THE BEST WEAPON AGAINST FRAUD IS KNOWLEDGE.
