Copy Machines Pose a Major Risk of Confidentiality Breaches

A recent CBS News expose on the potential security problems associated with copy machines should be of concern to every fire and EMS organization in the country. The potential for violations of patient and employee confidentiality are enormous, not to mention the risk of identity theft. A big thank you to John Murphy for finding this for us.

About Curt Varone

Curt Varone has over 40 years of fire service experience and 30 as a practicing attorney licensed in both Rhode Island and Maine. His background includes 29 years as a career firefighter in Providence (retiring as a Deputy Assistant Chief), as well as volunteer and paid on call experience. He is the author of two books: Legal Considerations for Fire and Emergency Services, (2006, 2nd ed. 2011, 3rd ed. 2014) and Fire Officer’s Legal Handbook (2007), and is a contributing editor for Firehouse Magazine writing the Fire Law column.

  • John Murphy

    Thank you.

  • John
    Do you see the potential for ECPA issues for employers who’s privacy policies do not specifically mention that their copiers store an image of copied documents? (Note: case law does not seem to recognized the “Gee, I didn’t realize we were digitally recording that” defense for other types of digital information.)

  • John K. Murphy

    Great question. The Electronic Communications Privacy Act (ECPA) sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. The law was enacted in 1986 and covers various forms of wire and electronic communications. According to the U.S. Code, electronic communications “means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo optical system that affects interstate or foreign commerce.” ECPA prohibits unlawful access and certain disclosures of communication contents. Additionally, the law prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure. Title 18 of the U.S. Code, encompasses ECPA.
    Is the standard now on digital storage “known or should have known” for these types of electronic storage devices? Who knew? But now that we do know, there needs to be a storage and release policy similar to the email policy most departments should have. Most policies address computer workstations and not copiers. It opens up another avenue for attorneys to request documentation from department copiers. This will open up yet another can of worms to determine the specificity of the request for information if you have 200,000 images on your copier hard drives. Which ones can you have access to and who is authorized to review all of those digital images.
    Several court cases have raised the question of whether e-mail messages are protected under the stricter provisions of Title I while they were in transient storage en route to their final destination. In United States v. Councilman, a U.S. district court and a three-judge appeals panel ruled they were not, but in 2005, the full United States Court of Appeals for the First Circuit reversed this opinion. Privacy advocates were relieved; they had argued in Amicus curiae briefs that if the ECPA did not protect e-mail in temporary storage, its added protections were meaningless as virtually all electronic mail is stored temporarily in transit at least once and that Congress would have known this in 1986 when the law was passed. The seizure of a computer, used to operate an electronic bulletin board system, and containing private electronic mail which had been sent to (stored on) the bulletin board, but not read (retrieved) by the intended recipients, doesn’t constitute an unlawful intercept under the Federal Wiretap Act, 18 U.S.C. s 2510, et seq., as amended by Title I of the Electronic Communications Privacy Act of 1986,Title I. Government may track cell phone, in real time, without search warrant, under Electronic Communications Privacy Act (ECPA), by analyzing information as to antennae being contacted by cell phones, so long as tracking does not involve cell phone being used in private place where visual surveillance would not be available.
    The ECPA has been met with criticism through the years including its failure to protect all communications and consumer records. Under the ECPA it is relatively easy for a governmental agency to demand service providers hand over consumer data that has been stored on servers. All that is required of the agency is a written statement certifying that the information is relevant to an investigation of foreign counterintelligence with no judicial review required. It also increased the list of crimes that can justify the use of surveillance as well as the number of judicial members who can authorize such surveillance. Data can be obtained without a warrant on traffic and calling patterns of an individual or group allowing an agency to gain valuable intelligence and possibly invade privacy without coming under fire because the actual content of the communication is left untouched. While workplace communications are in theory protected an employer must simply give notice or a supervisor must feel that the employee’s actions are not in the company’s “interest” to gain access to communiqué. This means that with minimal assumptions an employer can monitor communications within the company. The ongoing debate is where to limit the government’s power to see into civilian lives while balancing the need to curb national threats. The ECPA falls directly in the middle of this debate both sides wanting revisions and clarifications made by the courts and legislation.
    Again, case law will provide a solution.

  • John
    Wow. I hadn’t thought about the discovery issues associated with copiers. Add to that the potential for spoliation of evidence claims that haunts emails and other forms of electronic communications and digitally stored data – and it is evident that the copier problem is a multi-headed monster that cannot be ignored. HIPAA, privacy, EPCA, electronic monitoring in the workplace laws, identity theft laws, and now discovery issues…. Its mond-boggling.
    Litigation wise, attorneys who are seeking to compell their opponents to preserve evidence, as well as counsel representing any party to litigation, need to be attentive to the preservation of potentially relevant evidence on copiers – in addition to the more traditional forms of evidence such as documents, emails, text messages, etc.
    And for public agencies – let’s add open records laws to the mix.


Check Also

Denver Firefighter Claims ADA Violation For PTSD

A Denver firefighter has filed suit claiming the department’s handling of his post-traumatic stress disorder violated the Americans With Disabilities Act, and that the reaction of his officers to his military reserve commitment violated the Uniformed Services Employment and Reemployment Rights Act.

Medical Confidentiality and HIPAA Hysteria

Today’s burning question: I work for a fire department as a Firefighter ...