The continued failure of retail giant Staples Canada Inc. to wipe personal information from all data storage devices resold in its stores after various consumer complaints is “very surprising and hugely concerning,” says Canada’s Privacy Commissioner Jennifer Stoddart.
In her annual report tabled in Parliament today, Stoddart noted that 54 of 149 resale storage devices – more than one-third – tested in Staples stores still contained customer data despite having gone through Staples’ wipe and restore process. Some of the data, stored on devices such as laptops, USB hard drives and memory sticks, included personal information regarding banking, credit cards, driver’s licences, health cards, passports, social insurance numbers and tax records.
Stoddart said she found the privacy breaches especially disappointing because Staples had assured her office it would implement new privacy procedures following two similar consumer complaints against it between 2004 and 2008.
“So you would think the messaging would have gotten through (to Staples),” Stoddart said. “This is not an encouraging tale about how a major corporation implements Canada’s privacy legislation.”
Data wiped using the wipe and restore tools provided by manufacturers “is in fact still recoverable by using forensic software,” Staples said in a statement. Overwriting processes may damage a computer’s hard drive and original software, it added. The company said it is now testing various wiping tools that can completely wipe data without incurring such damage.
The report’s harsh spotlight on Staples shows that “organizations are beginning to be held more accountable than ever before by the privacy commissioner,” said David Fraser, a privacy blogger and partner at the Halifax law firm McInnes Cooper LLP. “It’s a real warning shot. This is her (Stoddart) beginning to get more proactive.”
Staples describes its office supplies stores and e-commerce sites as catering to businesses of all sizes and consumers. It has specifically targeted small businesses with marketing programs such as Staples Business Delivery, offering free delivery for online orders over $50. Based in Richmond Hill, Ont., Staples sells office supplies, equipment and furniture from over 300 locations across Canada.
“It was extremely disappointing to read that Staples continued to have problems in this area,” said Roberta Fox, president and senior partner at Fox Group, a small business and technology consulting firm based in Mount Albert, Ont. “If companies like Staples are going to move into providing IT technology support services that involve information management, it’s critical that they have the technical staff, practices and processes to ensure that their customers’ information is not at risk,” she wrote in an e-mail.
But one small business advocate said retailers cannot bear all the responsibility alone.
“It’s a challenge for any retailer to keep on top of. There has to be better (consumer) awareness of how to make these devices clean” before they are returned to stores or passed on to other users, said Ted Mallett, vice-president and chief economist at the Canadian Federation of Independent Business.
It can’t just be a case of faulty data wiping technology used by Staples, Stoddart said. During her audit, technicians were able to successfully wipe all of the data from Staples storage devices destined for resale.
Stoddart said she has no plans to look into any other technology retailers or the entire sector, noting that so far the only retailer to have privacy complaints filed against it is Staples.
The Alberta Office of the Information and Privacy Commissioner received a complaint that a Staples store in Calgary sold a computer to a customer with data from the previous customer remaining on the disc. Staples agreed to the office’s recommendation that it implement procedures to prevent this from happening again, including a “wipe and restore” procedure on any returned computer.
Staples “did improve” its privacy processes since the initial complaints were made, but “the audit showed those procedures and controls were not consistently applied, nor were they always effective – leaving customers’ personal information at serious risk,” Stoddart’s report says.
Staples now has a year to prove, through an independent third-party audit, that it has complied with the privacy commissioner’s recommendations to put better data wiping and other privacy processes in place.
While Stoddart said she is hopeful Staples will completely rectify the data wiping issue by that deadline, she said if it doesn’t, the next steps would be an investigation by her office. If that was not dealt with to her satisfaction, her office could take Staples Canada to Federal Court for violating customer privacy.
There are no fines in place for such violations but the court could ask Staples to pay all audit, investigation and court costs, she said.
Christine Wong is a Staff Writer at ITBusiness.ca