CBC reports that, according to Canada’s privacy commissioner, Staples Business Depot has breached Canadian privacy law by reselling laptops and storage devices returned by customers without first wiping the customer data from them. Banking information, tax records, social insurance numbers, health card and passport numbers, as well as academic transcripts were among the information found, during an audit by the office of Privacy Commissioner Jennifer Stoddart, on 54 of 149 data storage devices destined to be resold by Staples.
Staples has 300 stores across the country. Customer data was found on devices from 15 of 17 stores audited in B.C., Alberta, Manitoba, Ontario, Quebec, Nova Scotia, and Newfoundland and Labrador. The privacy commissioner cannot impose sanctions, but recommended that Staples implement controls to ensure personal data is not disclosed. In a statement Tuesday, Staples said it co-operated fully with the privacy commissioner’s office and responded “positively” to all recommendations. Contrary to what is in the report, Staples claims that its practices “meet the level requested by the Privacy Commissioner.”
Stoddart said her findings were “particularly disappointing” given that her office had already investigated previous complaints against Staples involving returned storage devices in 2004 and 2008. Both times, Staples had committed to corrective action.
What can we learn here?
- As a consumer, if you return an item to Staples (or other vendors) that could contain personal or sensitive information, find out what their data policy is IN WRITING.
- If you are uncertain about their ability or interest in carrying out what the policy says they do, don’t return the device.
- Encryption would have really helped here. Encrypt your personal data. It also helps protect your data if your PC is stolen.
- Weigh the cost of the storage device against the risk of the data being exposed, then decide if YOUR policy should be a drill bit and sledgehammer.
- It is your data and your money. Spend it wisely.
- I love power tools!
Staples hasn’t learned a damn thing, because they just keep on doing what they have been doing. Except for the fact that the Privacy Commissioner is a well-meaning tiger but has false teeth.
One desk drawer in my office at home holds a number of hard drives. They are there because they have either failed, alerted me to their imminent death, or because I no longer have a subsystem for connecting them to a modern PC. Some are SCSI drives from when I used to have a rack of servers, some are old IDE drives, some are SATA or even USB or FireWire. The latter three types might have been stuck in the drawer while still being under manufacturer’s warranty, but the manufacturer wants you to send the drive to them for testing, examination, refurbishing or replacement. Each one will eventually get cooked by me with a degausser, get drilled out by me, and/or physically obliterated by me with a 25 lb sledge. As soon as I get my tools back from my kids, or locate a working degausser…