Issue Overview
Lawmakers often respond to alarming news reports by introducing legislation, and this has been the case in the area of data security. State legislators across America responded to concerns raised by a CBS News Investigative Report detailing how digital copiers can retain images of scanned documents by introducing bills assigning liability for disclosure of private information stored on digital copiers by customers to various parties including, and occasionally specifically targeting, the leasing company.
The net of liabilities placed on finance sources has expanded as legislative proposals spread nationwide to include any multifunction equipment that uses a data storage device to store, reproduce, transmit, or receive data or images with responsibility for destroying personal information after equipment left possession of the customer/end-user assigned to the leasing company.
Since the CBS broadcast, technology now standard on digital copiers automatically erases information placed in memory. A business customer must deactivate this automatic encryption feature before records can be stored. A finance source providing funds for acquisition of the copier could not know the customer has manipulated a copier to disengage this preset encryption, nor information they have stored in memory. ELFA believes the commercial lessee disabling this programmed encryption has willingly assumed responsibility for sensitive data stored in memory that may subsequently be released, and not those advancing commercial finance.
ELFA members provide commercial lease financing nationally which requires adherence to a complex web of state regulations that lack consistency across state lines. The expense of staff and technology resources required to keep pace with these divergent mandates escalates as one state outmaneuvers another in a perpetual search for flawless solutions to security issues without sufficient attention to rational public policy that is within the context of what can be achieved. One state even attempted to stretch the scope of responsibility placed on providers of commercial lease finance beyond the confines of their operations to oversight of vendors with whom they partner.
Commercial finance sources are not aware of sensitive information a business lessee chooses to place on equipment and that customer should bear responsibility for destruction of this sensitive information placed on any leased equipment with data storage capabilities. A business taking possession of leased equipment should be held responsible for the destruction of records that it has stored, rather than a finance source advancing them the funds needed to obtain the machine.