5 Ways Your Faxing Might Not Comply With Privacy Laws

eFax Corporate

(And What to Do About It)

If your organization continues to require faxing capability, and your IT team is still supporting that need with desktop fax machines, in-house fax servers, and analog fax lines, I have some bad news, some good news, and some more bad news.

Let’s get some of the bad news out of the way first.

If your company uses fax today, the need for fax capability is probably here to stay for a while. When IDC surveyed hundreds of organizations across several key industries—including healthcare, manufacturing, and financial services—they found that all of these industries were experiencing an increase in fax usage year over year.

[Figure: year-to-year fax growth by industry]

When they asked these businesses why they were still supporting a legacy communication protocol, and even using it more frequently year over year, the most common response the researchers received was that “Customers and suppliers use it, which forces us to use it.”

Which means whatever troubles you and your IT team have propping up your in-house fax infrastructure—fax machine paper jams, crashed fax-server hard drives, etc.—aren’t going away anytime soon.

The Good News: An Unencrypted Analog Fax Might Be More Difficult to Hack Than an Unencrypted Email

The good news is that although maintaining your legacy fax infrastructure might be costly and time-consuming, in one way it can give your company a security advantage over sending the same confidential or proprietary data as an unencrypted email.

Indeed, because the typical analog fax traverses the Public Switched Telephone Network, it is still difficult to intercept in transit even though it is not encrypted. An email sent over the Internet without encryption travels as plain text and can be intercepted, read, or altered along the way, whereas a standard fax is transmitted essentially as a voice call, so an attacker would need fax-decoding equipment to recover the data in transit. And to get at that signal at all, they would need physical access to a secure telephone company central office, or direct access to the right pair of copper phone wires leaving your office.

If you and your IT team are still maintaining an infrastructure of old fax hardware connected to legacy phone lines, that’s your one bit of good news: It’s almost certainly more secure, and as a result probably more likely to comply with your industry’s data privacy regulations, than unencrypted email, which should never be used to transmit confidential information about your customers.

The Bad News: There Are Plenty of Ways Your Company’s Fax Processes Might Be Violating Data Privacy Law Right Now

But there’s a lot of other bad news—and it’s serious. If your team is continuing to prop up aging in-house fax hardware like fax machines, fax-enabled multifunction printers, and onsite fax servers, your staff could be unknowingly violating your industry’s data privacy laws—HIPAA, GLBA, SOX, FERPA, etc.—every day.

Here are five possible ways your company could be in noncompliance without even knowing it.

1. Your staff leaves paper faxes containing personal customer data in public areas.

This is probably the easiest way to land on the wrong side of any of the major federal laws protecting customers’ personally identifiable information (PII).

No matter how secure your fax transmissions are, if an inbound or outbound fax containing PII sits unattended on a fax machine in your office, particularly if the machine is in a common area where other employees or even visitors might see it, this could be deemed a compliance violation.

Because all these privacy laws—HIPAA, SOX, etc. and their state-level equivalents—demand that businesses that handle PII maintain a tight chain of custody on this data at all times, you have to assume that if auditors were to review how you transmit PII via fax, they would probably consider this part of your process a red flag.

2. Your fax records retention processes fall short of compliance.

The major data privacy laws all have requirements for retaining records that contain PII—for example, that such records be maintained for some number of years, that they be stored securely, and that they be accessible if auditors ask to review them.

One of the problems with using paper-based faxing to send and receive PII data is that this type of faxing is largely a decentralized process that the organization’s IT team or other administrators can’t fully track or document.

If someone in one of your company’s offices receives a fax containing personal data about your customers—in other words, a fax regulated under your industry’s privacy laws—what’s your IT team’s process for ensuring you receive a copy of that fax and any relevant metadata about the transaction, so you can log it and secure it for record-keeping purposes? How would you even know that the transmission took place?
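As an added illustration of what “logging the transaction and its metadata” can look like in practice (example code, not eFax Corporate’s or IDG’s), the following Python sketch records the metadata an IT team would want for every regulated fax, chains each record to the previous one with a hash so that after-the-fact edits are detectable, and checks records against an assumed retention period. The field names, the six-year retention period, the phone numbers and the fax image bytes are all constructed assumptions for illustration; the retention period in a real deployment comes from the applicable regulation.

```python
"""Tamper-evident fax transaction log with retention checks (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime

# Assumed policy value for illustration only; take the real period from the regulation.
RETENTION_YEARS = 6
GENESIS = "0" * 64


@dataclass
class FaxEvent:
    direction: str       # "inbound" or "outbound"
    timestamp: str       # ISO-8601 with timezone offset, e.g. 2019-03-05T14:02:00+00:00
    local_number: str
    remote_number: str
    pages: int
    image_sha256: str    # digest of the stored fax image, never the image itself
    handled_by: str      # user or device that sent/received it (chain of custody)
    contains_pii: bool
    prev_hash: str = ""  # hash of the preceding entry (GENESIS for the first one)
    entry_hash: str = ""


def _digest(ev: FaxEvent) -> str:
    """Hash every field except entry_hash, in a canonical JSON form."""
    body = {k: v for k, v in asdict(ev).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class FaxAuditLog:
    def __init__(self):
        self.entries = []

    def append(self, ev: FaxEvent) -> str:
        """Link the new entry to the previous one and seal it with its own hash."""
        ev.prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS
        ev.entry_hash = _digest(ev)
        self.entries.append(ev)
        return ev.entry_hash

    def verify(self) -> int:
        """Return the index of the first broken entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, ev in enumerate(self.entries):
            if ev.prev_hash != prev or ev.entry_hash != _digest(ev):
                return i
            prev = ev.entry_hash
        return -1

    @staticmethod
    def retention_expiry(ev: FaxEvent) -> datetime:
        """Earliest date the record may be purged under the assumed policy."""
        ts = datetime.fromisoformat(ev.timestamp)
        try:
            return ts.replace(year=ts.year + RETENTION_YEARS)
        except ValueError:  # Feb 29 in a non-leap target year
            return ts.replace(year=ts.year + RETENTION_YEARS, day=28)

    def purgeable(self, now_iso: str):
        """Entries whose retention period has elapsed as of now_iso."""
        now = datetime.fromisoformat(now_iso)
        return [ev for ev in self.entries if self.retention_expiry(ev) <= now]

    def pii_without_custodian(self):
        """PII records with no recorded handler: a chain-of-custody gap to flag."""
        return [ev for ev in self.entries if ev.contains_pii and not ev.handled_by]


def build_sample_log() -> FaxAuditLog:
    """Constructed sample data: two faxes, one of them PII with no custodian."""
    log = FaxAuditLog()
    img = hashlib.sha256(b"constructed fax image bytes").hexdigest()
    log.append(FaxEvent("inbound", "2019-03-05T14:02:00+00:00", "+15550100",
                        "+15550199", 3, img, "mfp-lobby-01", True))
    log.append(FaxEvent("outbound", "2019-03-06T09:30:00+00:00", "+15550100",
                        "+15550150", 1, img, "", True))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1)
    print("custody gaps:", len(log.pii_without_custodian()))
    print("purgeable in 2030:", len(log.purgeable("2030-01-01T00:00:00+00:00")))
```

Each record stores only a digest of the fax image, so the log itself can be kept in a less sensitive location than the images; the hash chain means an auditor can detect a deleted or altered middle entry, and the custody check surfaces exactly the “who received it?” gap the paragraph above describes.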


3. The hard drives of your fax machines and multifunction printers contain records of transmitted PII.

Many organizations miss this faxing compliance vulnerability, so take note of it now. The desktop fax machines and multifunction printers your employees use to send and receive faxes actually store records of those faxes on their hard drives—and the records stay there until they are written over by new fax data.

This means that if your staff is transmitting PII data through your fax hardware, the drives of that hardware become a weakness in your data security process. To bring the devices up to compliance levels, you would need to secure their hard drives, implement a process for frequently wiping the data from them, or find some other way to tighten up this weak link in your regulated data’s chain of custody.

And if you’re thinking this sort of oversight would never come to the attention of federal regulators, consider this news item reported in the healthcare publication 4Medapproved. HIPAA auditors fined one healthcare provider $1.2 million for returning leased copy machines that still had patient records on their hard drives.

It can happen. You’ve been warned.

4. Purging your fax servers’ hard drives creates another compliance vulnerability.

Let’s assume the in-house fax servers your IT team manages have secured hard drives. (If they don’t, the drives themselves are another security and compliance weakness.)

Even though the digital copies of your faxes, which are stored as image files, can be considered secure as long as they’re on the fax servers’ hard drives, eventually these drives reach capacity and have to be purged to make room for the records of new fax transmissions.

Often in these situations, someone in the organization will be tasked with printing out the contents of the drive so the archived faxes can be filed away for auditing and record-keeping purposes.

But here again we have a chain-of-custody issue for any of those faxes that contain PII or other regulated data. Someone not authorized to view this personal customer information could walk by and see it. Someone might mistakenly leave it in an open and accessible area of the office.

Unless you have implemented a secure method of purging, printing, scanning, and filing all fax records from your servers—a process that includes a tight chain of custody around both the digital and hardcopy versions of the records your company is purging—you should assume this part of your fax infrastructure also fails to meet data privacy compliance requirements.

5. Your company lacks a documented process for securing faxed PII.

Finally, it’s important to understand that one thing all major data privacy laws—HIPAA, GLBA, SOX, FERPA, etc.—have in common is a requirement that regulated businesses develop and maintain a documented process detailing how they secure and safeguard the personal customer data under their care.

As a company in a regulated industry, you are obligated not only to secure your customers’ personal information—you’re also obligated to document how you do it, and to have that documentation handy if compliance auditors ask to review it.

And although your business may well have this documentation detailing how you protect PII on your servers, in your email network, and through your cloud service providers, I’m guessing you haven’t yet documented a step-by-step description of how your team fortifies your faxing processes or secures your archived fax data after you’ve sent or received it.

For these and other reasons, your existing fax infrastructure likely falls short of compliance in at least a few ways. And unfortunately, if you maintain these legacy fax processes, you will find it difficult to bring the entire process up to regulatory standards.


Bring All of Your Fax Processes Up to Compliance—Migrate to a Cloud Fax Partner Like eFax Corporate

But you can solve all of the compliance issues I’ve discussed here by making one simple migration—to a fully hosted cloud fax service like eFax Corporate.

For two decades, our enterprise-caliber service has been helping businesses in the most highly regulated industries receive, send, and securely store their sensitive fax data. And today we are the cloud fax solution trusted by more regulated organizations—in healthcare, financial services, the law, real estate, manufacturing, and government services—than any other provider.

With a cloud fax platform designed to meet the data transmission and storage needs of highly regulated businesses like yours, eFax Corporate knows how to deploy a custom solution that meets your firm’s needs for robust faxing capability, that helps bring your processes in line with regulatory requirements, that protects your fax data with the most advanced security available, and that will even lower your overall fax costs. Cloud-based faxes are encrypted in transit and while in storage. Every fax has a detailed audit trail and can be stored on off-site secure cloud servers for as long as your document retention policies allow.

Learn more…read our white paper: Why Highly Regulated Businesses Make the Switch.


Copyright © 2019 IDG Communications, Inc.