E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: Canada.com

Posted on March 25, 2009

      Canada's largest office products store sold a returned computer hard drive on clearance with hundreds of personal files still on it - a move privacy experts say violates key provisions of a privacy law requiring businesses to safeguard the personal information of customers.

      The transaction occurred recently at a Staples Business Depot store in Ottawa, one of about 300 across the country. When the purchaser booted up the Maxtor mini, he found hundreds of files on the external hard drive.

      The files, totalling about 400, belonged to Jill Vickers, a retired political science professor from Carleton University. They included some research papers already in the public domain, but some were sensitive documents.

      "It is especially of concern to me as the files contain some 20 years of reference and assessment letters which are confidential documents," said Vickers, who recently purchased a new computer system for her home that initially included the Maxtor backup drive.

      When her son, who was tasked with transferring her files to the drive, noticed the daily automatic backup function was not functioning properly, he returned it to Staples. He thought he had deleted the files. "Even though it's not in my possession, it's my data. They should wipe it clean," Vickers said of Staples.

      Canwest News Service last week provided Staples with the model and serial number of the equipment, as well as the receipt for the clearance purchase. A company spokeswoman said it required more time to gather the facts to comment on the specific incident. "We will continue to look into this," said Alessandra Saccal.

      In a statement, she reiterated, "privacy of any kind is of great concern to us, that is why we have procedures in place to clear any items with memory before being resold."

      In response to queries about how Staples communicates this directive to its 13,000 employees in Canada and whether front-line staff receive training to safeguard personal information of customers, Saccal said the company's internal practices are confidential.

      "We can advise you that all returned items that have memory are required to be wiped before being resold." Additionally, another Staples official pointed out that a "warning" to customers about data removal appears at the bottom of all receipts.

      "Customers are responsible for the removal and backup of all data (including personal information) from returned products," all receipts state.

      Lawyer John Lawford, a privacy expert at Public Interest Advocacy Centre, says this statement does not absolve Staples of its legal responsibility to protect the private information of customers under the Personal Information Protection and Electronic Documents Act (PIPEDA).

      Enacted in 2004, the legislation is designed to protect the privacy of Canadians in the private sector by setting out ground rules for the collection, use and disclosure of personal information in the course of commercial activities.

      "This is the de facto collection of personal information, and they're actually distributing it by selling it again. This is like stuffing the wrong envelope. It's like when a bank puts your bank statement in someone else's envelope, except worse," said Lawford.

      He cited two key privacy principles of the legislation: the responsibility of a company to safeguard personal information from unauthorized access, disclosure or use, and the duty to limit its use, disclosure and retention.

      "Nowadays, we can expect resellers of computer equipment, their No. 1 thing really should be using a decent - and not just hitting 'delete' on the thing - but using a proper scrubbing program that at least has a good chance of encrypting or writing over the information so it would be very difficult to get back, unless you were an NSA (National Security Agency) operative," said Lawford.

      Scrubbing refers to a process where random data is recorded on a drive and erased over and over, so there is no trace of the original data.
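
      The scrubbing process described above, as an added example that is not part of the original article and is not Staples' procedure: a regular file stands in for the returned drive, is overwritten in several random passes, and is then read back to confirm nothing remains. The file name, sample contents, signature list and the final zero pass (used so the read-back check is deterministic) are assumptions made for illustration.

```python
import os
import re

# Magic bytes of common document formats: PDF, ZIP-based Office files, legacy OLE Office files.
SIGNATURES = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/docx", b"\xd0\xcf\x11\xe0": "ole/doc"}

def find_signatures(path):
    """Return a sorted list of (offset, kind) for every known signature in the image."""
    with open(path, "rb") as f:
        data = f.read()  # fine for a small demo image; stream in chunks for real media
    hits = [(m.start(), kind) for magic, kind in SIGNATURES.items()
            for m in re.finditer(re.escape(magic), data)]
    return sorted(hits)

def scrub(path, random_passes=3, chunk=64 * 1024):
    """Overwrite every byte in place: N passes of random data, then one pass of zeros."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(random_passes + 1):
            f.seek(0)
            left = size
            while left:
                step = min(chunk, left)
                f.write(os.urandom(step) if n < random_passes else bytes(step))
                left -= step
            f.flush()
            os.fsync(f.fileno())  # push this pass to storage before starting the next

def is_zeroed(path, chunk=64 * 1024):
    """Read the whole image back and confirm that only zero bytes remain."""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            if block.count(0) != len(block):
                return False
    return True

def make_sample_image(path, size=256 * 1024):
    """Constructed stand-in for a returned drive: filler bytes plus two fake documents."""
    img = bytearray(b"\xff" * size)
    for off, blob in ((4096, b"%PDF-1.4 constructed reference letter"),
                      (65536, b"PK\x03\x04 constructed assessment archive")):
        img[off:off + len(blob)] = blob
    with open(path, "wb") as f:
        f.write(img)

if __name__ == "__main__":
    make_sample_image("returned_drive.img")
    print(find_signatures("returned_drive.img"))
    scrub("returned_drive.img")
    print(find_signatures("returned_drive.img"), is_zeroed("returned_drive.img"))
```

      On flash media such as SSDs and USB sticks, wear levelling can leave copies of data in cells that an overwrite never reaches, so the drive's built-in secure-erase command is the usual choice there.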

      Lawyer Fazila Nurani, founder of PrivaTech Consulting in Thornhill, Ont., conducts privacy risk assessments for companies and leads training sessions for employees to make sure businesses comply with PIPEDA. She said the "breach" is "embarrassing."

      "If they're going to take possession of that equipment, if they're going to actually own it again when they return it, it's now the property of Staples. Under PIPEDA, they have a responsibility to do everything they can to safeguard people's information," said Nurani.

      The most high-profile case involving the reselling of improperly scrubbed computer equipment dates back to September 2003, when two servers originally owned by the Bank of Montreal and containing thousands of customer files went up for sale on eBay; they were taken down soon after when the seller noticed the bank hadn't properly wiped them clean before selling them.

      Nurani said this case offers an important lesson for companies - privacy policies and protocols are one thing, but investing in the education and training of staff about their duties to protect the personal information of customers is important.

      "The bulk of the breaches we're seeing are primarily related to human error, they've got some element of human error involved. That's such an important thing for businesses to learn from this."

      David Fraser, a Halifax-based lawyer who works with businesses to implement compliance programs for Canada's privacy laws, says the Staples case is a good reality check for consumers as well.

      "If anything, the lessons learned from this story is that consumers need to be more careful about what's on computers that they dispose of, whether by returning it to Staples or putting it on the curb or whether they sell it on craigslist. Mistakes happen. That's the reality of the world in which we live. You can have great policies, but things can slip through the cracks, so the first line of defence is the consumer."


In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
