CBC News reports that Staples (Business Depot) in Canada has violated privacy law by not fully wiping consumer data off laptops and storage devices that are returned by customers.
According to the report, Privacy Commissioner Jennifer Stoddart conducted an audit on 17 out of 300 Staples stores across the country, 15 of which had devices slated to be resold that weren't fully wiped. These devices included desktops, laptops, USB hard drives and memory cards that had supposedly already undergone a wipe and restore process before returning to the retail shelf.
But overall, the audit discovered that 54 of the 149 audited devices still contained banking information, tax records, social insurance numbers, health card numbers, passport numbers and additional information left behind by prior owners. Laptops were the biggest offenders, with 17 out of 20 still holding on to old user data.
Stoddart said that she didn't have the authority to impose sanctions, but did suggest that Staples re-evaluate the way it removes old data. "Until our recommendation on wiping customer data is fully implemented, personal information will continue to remain at risk and Staples will not meet its obligations under PIPEDA," Stoddart's report said.
Staples followed up with an official statement claiming to have cooperated fully with the privacy commissioner's office during the audit. "Further, Staples has implemented changes that exceed current industry practice to remove personal data from returned memory devices," the company said, adding that it was currently testing several ways of wiping data from returned storage devices.
But the office retailer also stated that overwriting the data, which was suggested by the privacy commissioner's office and is one of the most reliable methods of eradicating old data, would not be an option, claiming that the process could damage some of the devices.
Stoddart's recent audit isn't the first time the privacy commissioner's office has investigated user-data complaints relating to Staples. She called the latest findings "particularly disappointing" given that the same problem surfaced in 2004 and 2008, and that Staples committed to corrective action to resolve the privacy issue both times.
Sounds like Staples based in the U.S. may need to be audited too.