Insights

Today's Trends in Credit Regulation

Copiers, Printers, and Data Breaches
By Thomas B. Hudson

Until the new federal privacy laws came along, who knew that those printers and copiers in the back room were storing in their little electronic memory banks copies of every document that you were running through them? Now, of course, we all know, but what if that knowledge has come too late. What if, for example, your company has leased printers and copiers and, at the end of the lease term, the leasing company has taken the machines with their clever little memory banks away? Do you have a data breach that will require you to do a lot of expensive stuff to mitigate the loss of any private customer information that might have been stored on the machines? And if you do have a problem, can you deflect the blame by suing the leasing company? That happened in a recent case. Let’s see how it worked out.

Ikon Office Solutions, Inc. leased photocopiers and printers to various companies, including Putnam Bank. Putnam claimed that Ikon’s machines stored images of documents that Putnam had faxed, printed, or scanned, and that Ikon failed to disclose this storage capability and re-leased the machines to other businesses without destroying the stored images. Putnam claimed that this conduct triggered application of Connecticut’s data breach notification law, with which Ikon failed to comply. Putnam also claimed that Ikon violated the Connecticut Unfair Trade Practices Act and that the conduct constituted negligence, negligence per se, negligent misrepresentation, breach of contract, and breach of implied contract.

Putnam also sought class certification for these claims. Ikon moved to dismiss Putnam’s complaint, and the U.S. District Court for the District of Connecticut granted Ikon’s motion.

The court explained that the state breach notification law applies to businesses that collect or keep personal information and concluded that Putnam’s complaint failed to allege that Ikon satisfied this standard. The fact that Ikon may have come into possession of covered information was not sufficient. The court also noted that Putnam did not allege that a breach had occurred or that there were facts supporting a reasonable belief that an unauthorized person had accessed the information. As a result, the court declined to permit Putnam to proceed with this claim.

With respect to the other claims, the court reasoned that Ikon did not have a duty to disclose the machines’ storage capability to Putnam. That lack of duty meant that Putnam’s other claims failed as well.

So, Ikon is off the hook. But what if the lawsuit had been filed by a Putnam customer, alleging that Putnam had suffered a data breach? The plaintiff would no doubt argue that Putnam knew or, in the exercise of due diligence, should have known that the printers and copiers were retaining images, and that letting the machines go back to the lessor without erasing their memories violated various state and federal privacy laws and regulations. That might end up being a bad day for the bank.

Now that we all know how these machines work, you can expect to see more claims like this. To avoid those claims, you need to review your contracts with the leasing companies and your end-of-lease term disposal processes to make sure you have your information locked down as tightly as possible.

Putnam Bank v. Ikon Office Solutions, Inc., 2011 U.S. Dist. LEXIS 71593 (D. Conn. July 5, 2011).

Thomas B. Hudson is a partner in the Maryland office of Hudson Cook, LLP. Tom can be reached at 410-865-5411 or by email at thudson@hudco.com.

Article Archive

2022   2021   2020   2019   2018   2017   2016   2015   2014   2013   2012   2011   2010   2009