Privacy & Information Security Law Blog

As reported in BNA’s Privacy Law Watch, on April 1, 2011, a New York law went in effect requiring manufacturers of certain electronic equipment, including devices that have hard drives capable of storing personal information or other confidential data, to register with the Department of Environmental Conservation and maintain an electronic waste acceptance program.  The program must include convenient methods for consumers to return electronic waste to the manufacturer and instructions on how consumers can destroy data on the devices before recycling or disposing of them.  Retailers of covered electronic equipment will be required to provide consumers with information at the point of sale about opportunities offered by manufacturers for the return of electronic waste, to the extent they have been provided such information by the manufacturer.

In addition, five other states are considering legislation to address the privacy risks associated with digital photocopiers that may store personal information on their hard drives.

• Connecticut would require businesses that lease digital copiers to ensure that all data is erased from the machine’s memory when the lease expires.
• Florida would require financial institutions to implement security polices to identify copiers under their control and ensure that the hard drives on the copiers are erased before returning any leased copiers to a lessor or selling the copiers.
• Nevada would require any business or data collector that owns or possesses a copier, fax machine or multifunction device (collectively, “digital office equipment”) that uses a data storage device to ensure that any personal information stored on such digital office equipment is either (1) encrypted or (2) physically or technologically destroyed before giving up ownership, physical custody or control of the digital office equipment.
• New Jersey would require businesses to destroy personal information stored on digital copiers before disposing of the machines.
• Oregon would require sellers and distributors of copy machines to remove, erase or destroy and personal information in a data storage device on the machines.

These bills reflect an enhanced focus on the privacy risks associated with digital office equipment.  Last year, we reported that the Federal Trade Commission was investigating this issue after an exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information.  The FTC eventually produced a report entitled “Copier Data Security: A Guide for Businesses” that offers businesses tips for securing data stored on digital copiers.