NJ Legislation Would Protect Copy Machines From Cybercrime

While throwing out an old computer, most users these days are aware that any data left behind can be stolen by cybercriminals. But most users still get rid of digital copy machines, not knowing that files sent through them could still be there.

A new bill was referred to the New Jersey state senate, requiring anyone who leases copy machines to wipe all data from them between each sale, according to a May 29 press release from the New Jersey Assembly Majority Office. It passed in a 51-28 vote in the New Jersey Assembly on May 25.

“Most digital copy machines use internal hard drives, which store every document that has been scanned, printed, faxed or emailed by the machines, many times numbering in the tens of thousands by the time a copier is resold or returned at the end of a lease agreement,” said Paul Moriarty (D-Gloucester/Camden), who chairs the committee, in a press release.

“According to news reports, most businesses do not erase the hard drive on a copier before getting rid of it, putting the highly sensitive information of millions of consumers at serious risk of theft,” Moriarty said. 

Under the bill, the person leasing the copy machine, and the person the machine is leased to, will be responsible for either destroying or arranging the destruction of all data stored on the systems. This could raise costs of renting a machine, however, since since under the bill, the person leasing them can charge for wiping the hard drives—but there’s a cap on how much they can charge.

“Besides the serious threat of identity theft, consumers are also vulnerable to repercussions posed by sensitive medical records or police documents,” said Herb Conaway (D-Burlington) in a press release. “There’s a simple way to eliminate these risks and we need to make sure it’s instituted.”

Not wiping the data can have costly consequences though. If a person “willfully or knowingly” fails to wipe a copy machine they’ve leased, they face a penalty of up to $2,500 for the first offense, and up to $5,000 for all offenses after that. This will be enforced by the state’s Attorney General.

Things get a bit more serious if a person’s business or property is harmed because someone didn’t wipe data from a copy machine. The person can sue whoever failed to remove the sensitive data in the Superior Court, and “may recover compensatory and punitive damages and the cost of the suit including a reasonable attorney’s fee, costs of investigation and litigation.”

Companies will also have new responsibilities if the bill is passed. Copy machine manufacturers will need to include instructions with each copier on how to destroy the digital records, or arrange for destruction of the data.

“It probably wouldn’t even occur to most people that documents they scan or print on a copier are stored on that machine, sometimes for the entire lifetime of the machine,” said Dan Benson (D-Mercer/Middlesex), in a press release. “Given how often electronics are leased or resold these days, it’s important that measures safeguarding against identity theft are put into place.”