In This Issue

  • Summer Issue 2010

    • ARRA Funding Leads
      to Big Changes
      Accountability and Transparency Stressed in New Federal Single Audit Guidelines

      SIDEBAR:
      Five Questions for Government
      Entities to Consider
      • SPOTLIGHT:
        Copier Confidential
        Copiers manufactured after 2002 generally have a hard drive device that stores images of every document that is copied

        SIDEBAR:
        When a record is not public

        Personal Information
        Systems Act

      • WEB EXCLUSIVE
        Resources and Responsibilities
        Ohio Auditor of State’s Office provides assistance with ARRA requirements

        SIDEBAR:
        What’s in a FACCR?

        Who is required to enter data in the Ohio Stimulus Tracker?

  • emailSign Up for Best Practices Join the growing numbers of Best Practices readers. E-mail to subscribe or unsubscribe to the online version of Best Practices.

OAS Mary Taylor, CPA Best PracticesOhio Auditor of State's website
OAS Mary Taylor, CPA Best PracticesSearch Best Practices

Spotlight: Copier Confidential

    SIDEBAR:
    When a record is not public:

It is no surprise that Ohio maintains a strong commitment to open government. Each year the offices of the Auditor of State and Attorney General release an updated manual on open records and open meetings.

However, this commitment to giving the public access to records comes with the responsibility for public officials to secure confidential information. Below are some examples of exceptions to the required release of public records.

    • Residential information for peace officers, parole officers, prosecuting attorneys, assistant prosecuting attorneys, correctional employees, youth services employees, firefighters, EMTs or investigators with the Bureau of Criminal Identification and Investigation
    • Medical records that are generated and maintained in the process of medical treatment
    • Social security numbers
    • Taxpayer records maintained by the Ohio Department of Taxation and by municipal corporations
    • LEADS, NCIC or CCH criminal record information
    • Information or records that fall under attorney-client privilege

For complete information on what may and must be kept confidential, see the 2010 Sunshine Laws Manual

SIDEBAR:
Personal Information Systems Act:

Many state agencies maintain databases that contain confidential personal information. In the past, these databases have been susceptible to unauthorized use by people within agencies. As you may recall, the Ohio Department of Job and Family Services had a very public instance when a database was accessed to obtain information on “Joe the Plumber” for unauthorized reasons.

Because these systems can be vulnerable, the Ohio Revised Code now has a section outlining the safeguards state agencies must take to potect these databases. Below are a few elements that must be in place:

    • Criteria stating what employees can access a database and what supervisors can authorize accessr
    • A password or other authentication method for all data that is kept electronically
    • A mechanism for documenting who accesses information on
      the system
    • A procedure to notify individuals who have had their personal information accessed for invalid reasons

Find out more on how confidential information is being protected.

When CBS aired a segment on 60 Minutes regarding copy machine security, government agencies across the country were put on notice to secure confidential information that might otherwise fall into the wrong hands. The report outlined how a copier can maintain information on its hard drive long after an agency has finished using the machine. That’s a scary proposition for every public organization that has reason to copy confidential information.

Copiers manufactured after 2002 generally have a hard drive device that stores images of every document that is copied. For multipurpose devices, this also includes documents that are scanned, printed, faxed or e-mailed from a copier machine.

When it comes time to salvage machines, these hard drives can become gold mines for individuals seeking out confidential information. The images stored on hard drives can be removed, so when an agency retires a machine from service, they may be releasing thousands of documents without ever considering the potential for misuse.

This is an alarming proposition for any government agency or official, but there are ways to protect both yourself and your office from unknowingly distributing documents or information that should be kept confidential. Each agency is different and use of copier machines may vary. Because of this, there is no set best practice to safeguard against images being removed from copier hard drives. However, there are some practices that can help you assess your organization’s risk and ensure the policy you have in place is right for your particular situation.

There are multiple options available to public offices for removing equipment based on Ohio Revised Code regulations. It is first important that you ensure your agency is disposing of unwanted equipment in an approved manner.

Once you have determined how you will remove an old copier machine, you can then determine how best to protect information stored on the hard drive.

The following are a few options that may be available to you:

• If you decide to return a copier machine to the manufacturer, either for trade-in value or because a lease term has ended, contact the vendor to inquire about their privacy policy. Multiple vendors have a policy in place that outlines how sensitive information is wiped from the hard drive when a machine is returned. Determine if your vendor has a policy in place, and ask questions to confirm it is being followed.

• Determine if your copier can be equipped with a security erase function. This function is available on newer machines, and in some cases can be added to machines already in use. The security erase function allows a public office to erase the hard drive in-house without specialized skills.

• Contract with an outside technician to wipe the hard drive before you dispose of a machine. This can be a good option for offices that send equipment to salvage. By choosing this option, the machine has been stripped of sensitive data before it leaves the office.

• Ask your vendor if they are able to physically remove a hard drive from the device. If this is possible, you can retain the storage device and dispose of it as you see fit.

As you upgrade copy machines in your office and invest in the purchase or lease of new machines, ask your vendor questions about machine security. This is a proactive step you can take to identify what security options are available and best fit the needs of your office.

An “out of sight, out of mind” security philosophy might be a tempting proposition, especially if added costs are avoided but confidential information can remain on equipment long after it’s out of your control. A little added effort and expense now can spare your organization from a big headache later.