You might not think your copy machine poses a potentially disastrous cybersecurity risk.
But just ask New York health care provider Affinity Health Plan, which sustained financial losses of more than a million dollars following a data breach involving its copiers.
“With so much attention paid to phishing attacks and hacking, ubiquitous technologies are being overlooked,” writes tech expert Jason Tashea in the ABA Journal. “[P]hotocopiers, fax machines, smartphones and USB drives create unique security vulnerabilities. For lawyers, overlooking these devices could have serious consequences for attorney-client privilege and create ethics violations.”
The trouble for Affinity started when the lease expired on its photocopiers. The machines were wheeled out of the office and returned to the leasing agent. Out of sight, out of mind, right?
Wrong. The copiers’ hard drives had not been erased before the machines were surrendered and resold. That made the electronic health care information of more than 344,000 people publicly available.
Fax Machines and Smartphones
In the Affinity case, a purchaser who bought one of the used copiers hit the “print” button and received medical records for nine people, according to CBS News, plus hundreds of pages of driver’s licenses, social security cards, W-2 forms and even a handwritten love note.
When Affinity learned of the debacle, it was required to file a formal breach notification with state and federal regulators. It also had to notify all of its clients and anyone “who might have ever had information on Affinity copy machines, including current and former employees,” reported CBS News. More than 400,000 individuals were notified that their medical or personal data may have been compromised.
In addition, Affinity reached a 2013 settlement with the U.S. Department of Health and Human Services in which it paid more than $1.2 million in civil penalties. The company also agreed to recover the copiers, conduct a comprehensive risk assessment, and come up with a new cybersecurity plan, according to HHS.
“A lot of lawyers aren’t thinking that the copier has a hard drive in it,” says cybersafety attorney Joe Lazzarotti in this ABA Journal article. “These peripheral devices of all kinds present risks that we’re not thinking about.”
Duty of Technology Competence
NC Rule of Professional Conduct 1.1, Comment  says: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.”
Here are some other small devices that can present big risks:
- Smartphone cameras and microphones. Data can be hacked, stolen or re-routed to unknown destinations.
- Phone applications. Some apps for Android phones record user screens and relay the information back to the company, according to research from Northeastern University in Boston.
- USB and thumb drives. One cybersecurity expert calls these ministorage devices the digital equivalent of “dirty needles.”
- Paper shredders. Though there are no set safety standards, the National Security Agency assesses, reviews and rates some security products like shredders and encryption devices.
Have you experienced security problems with seemingly innocuous office products?