A Staples logo is seen at a store, Monday, Dec. 1, 2008 in Boston.Lisa Poole/AP
Consumers' social insurance numbers, banking information and tax records were discovered on used electronics that Staples Business Depot "wiped" for resale, Canada's Privacy Commissioner has found.
Her annual report chastised Staples, an office supplies chain, for not fully deleting sensitive data from returned devices such as laptops and USB hard drives, leaving customers at risk of identity theft or fraud.
As more and more personal information takes a digital shape, calls for companies like Staples to protect consumer data have become louder.
"I'm hugely disappointed looking at the whole Staples situation," said Privacy Commissioner Jennifer Stoddart in an interview.
"The onus should not be on consumers to wipe their devices clean."
The privacy office conducted a year-long, country-wide audit of Staples after a series of complaints.
More than one-third of the 149 "clean" devices audited still held the previous owner's information, according to the report.
Although Staples complied with most of the audit's recommendations, it has not committed to properly destroying consumer data, Ms. Stoddart said.
Staples took issue with the report in a statement released Tuesday. Staples "responded positively to all of the Privacy Commissioner's recommendations well before the release of this audit," according to the statement.
"Further, Staples has implemented changes that exceed current industry practice to remove personal data from returned memory devices. This meets the level requested by the Privacy Commissioner," it continued.
But in its original response to the audit, Staples said overwriting data was "commercially unviable" and the company was "actively testing" ways to remove personal information that would not damage or destroy a hard drive.
Wiping a hard drive can cost up to $100 per computer, but it's harmless, said cyber forensic specialist Daniel Tobok, president of Digital Wyzdom.
"You cannot hurt the operating system or the hard drive by doing a DOD standard wipe on the hard drive," he said.
"It's done by governments and financial institutions every day."
There have been no reports of identity theft or fraud connected to an improperly wiped Staples device, but consumers should be aware, Ms. Stoddart said. If the company does not comply with her recommendations by June of 2012, as verified by a third party, she said she will launch a formal investigation.
.......
Crisis management
An employer learns what an emergency contact list is for
Emergency contacts: People to call in a crisis or people whom managers should advise on the home front?
A manager at a small trucking company evidently felt the latter, according to the Privacy Commissioner's annual report.
The manager sent a letter to every driver's emergency contact – be it their spouse, mother, or sibling – to give them advice on the employee's health and safety.
"I am hoping that we can count on you to do your part to make sure that your loved one is coming to work rested," the manager wrote in the letter.
"Things like saving their 'honey do' list or other physically or emotionally draining tasks for days they are not working are a good start."
After an employee anonymously complained about the letter, a privacy officer gave the manager a honey-don't list for when to call emergency contacts.
The manager destroyed the mailing list and the problem was resolved without a formal complaint.