Banner: Maryland Attorney General Douglas F. Gansler
  Home | Protecting Consumers | Safeguarding Children | Seniors | Law Enforcement | Site Map Search



For Immediate Release

Media Contact:
Raquel Guillory, 410-576-6357

Business Alert: Digital Copiers Could Be an Identity Theft Threat

BALTIMORE, MD ( May 18, 2010) -Attorney General Douglas F. Gansler is cautioning businesses to take protective measures with their photocopiers. Similar to computers, hard drive installations have become routine for midsize to large photocopiers, especially those built since 2005. All images scanned on the machines are stored in the hard drive, including documents with personal data such as medical history, social security numbers and bank account numbers.

Photocopiers are often connected to an office network and businesses may fail to place a strong password in order to gain access. The lack of a password or a weak password could enable web-savvy hackers to gain access to the network and steal stored data. Maryland business owners and office administrators have several options to protect stored data:

  • “Disk Scrubbing.” Businesses can purchase software that scrubs the disk or removes all the data from hard drives. This prevents even the smartest cyberthief from finding any data to steal.
  • Encryption software. Software to prevent data from being stored at all or to encrypt data can be found online. Some photocopier manufacturers, such as Sharp or Xerox, offer packages with their products.
  • Passwords. Place a password on the copier that cannot be easily guessed, such as a numerical password similar to a PIN. The copier would then require the password to gain access to the stored data.

“Business owners are required under Maryland’s Personal Information Protection Act (PIPA) to take steps to protect consumers’ personal information,” said Attorney General Douglas F. Gansler. “Without taking necessary precautions, copier hard drives could be resold to third parties, possibly in a foreign country, where identity theft is harder to control.”

PIPA requires businesses that maintain personal information to protect that information and dispose of it in a manner that renders it unreadable. In addition to violating PIPA, improperly disposing of consumers’ personal information could be considered a security breach. In the event of a security breach, notice must be given to consumers as soon as reasonably practicable following an investigation.

For more information on business obligations to protect personal information, visit To report a security breach or for additional information, contact Hugh Williams, Administrator of the Identity Theft Program, at 410-576-6574 or visit


Attorney General of Maryland 1 (888) 743-0023 toll-free / TDD: (410) 576-6372
Home | Site Map | Privacy Policy | Contact Us