Staples Still Hasn't Quite Got It Right


Post by jon » Tue Jun 21, 2011 5:06 pm

Audit: Risks to Staples' customer data remained following breaches
Canada NewsWire

Despite previous commitments by Staples Canada Inc. to address problems related to the resale of returned data storage devices, an audit by the Office of the Privacy Commissioner of Canada has found that some returned devices destined for resale still contained data stored by previous customers.

OTTAWA, June 21, 2011 /CNW/ - Staples Business Depot stores failed to fully wipe customer data from returned devices such as laptops and USB hard drives destined for resale, a privacy audit has found. The long-standing problem put customers' personal information at risk, says Privacy Commissioner of Canada Jennifer Stoddart.

"Our findings are particularly disappointing given we had already investigated two complaints against Staples involving returned data storage devices and the company had committed to taking corrective action," says Commissioner Stoddart.

"While Staples did improve procedures and control mechanisms after our investigations, the audit showed those procedures and controls were not consistently applied, nor were they always effective - leaving customers' personal information at serious risk."

A summary of the audit findings is included in the Privacy Commissioner's 2010 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled today.

The Staples audit included tests on data storage devices (i.e., computers, laptops, USB hard drives and memory cards) that had undergone a "wipe and restore" process and were destined for resale. Of the 149 data storage devices tested, over one-third (54 devices) still contained customer data - in some cases, highly sensitive personal information such as Social Insurance Numbers, and health card and passport numbers; academic transcripts; banking information and tax records.

The audit concluded that, although Staples generally has good privacy practices, it had not met its obligations under Canada's private-sector privacy law with regard to returned data storage devices.

The Office of the Privacy Commissioner recommended that Staples review its procedures and processes for wiping data storage devices and implement enhanced controls to eliminate any risk of personal information being disclosed.

In response, Staples stated that it was actively testing several means of fully wiping data from returned products without damaging or destroying hard drives or operating systems.

"It is disappointing that the issue that prompted our audit in the first place remained unresolved," says Commissioner Stoddart. "If Staples is unable to remove all customer data from a particular manufacturer's device, it should not be reselling that device."

The Office of the Privacy Commissioner has asked Staples to provide, by June 30, 2012, a report from an independent third-party confirming how the company has complied with recommendations stemming from the audit.

The Commissioner's 2010 annual report also includes a section focusing on privacy in an online world, including an investigation of a complaint involving a major Internet dating site.

During the investigation, the Office of the Privacy Commissioner raised concerns that U.S.-based eHarmony was not offering users the clear option of permanently deleting their profile information from the site. In response, eHarmony said it will offer users the option of completely deleting their accounts and implement a two-year retention period for personal information held in inactive accounts. The Office was satisfied with the company's responses.

"These types of issues are increasingly important given the central role the Internet plays in daily life. Protecting the privacy of people who use online dating sites - where so many couples now meet - is very much a mainstream issue," says Commissioner Stoddart.

The annual report also summarizes several other investigations as well as other activities by the Office of the Privacy Commissioner during 2010.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.
jon
Advanced Member
 
Posts: 9256
Joined: Mon May 08, 2006 10:15 am
Location: Edmonton

Re: Staples Still Hasn't Quite Got It Right

Post by Mike Cleaver » Tue Jun 21, 2011 7:00 pm

I don't really feel the onus for deleting this information should totally fall on Staples or any other retailer.
The consumer who likely allows this to happen by not wiping or re-formatting discs or sticks is just as culpable.
They probably don't shred their bills, invoices, checks, credit card statements or other documents containing personal information before they throw them in the trash or the recycling bin.
I've worn out three crosscut shredders over the years.
I smash old hard drives with a small sledge hammer before sending them off for recycling.
It only takes a few minutes to wipe hard drives and sticks before returning them.
Mike Cleaver Broadcast Services
Engineering, News, Voice work and Consulting
Vancouver, BC, Canada

54 years experience at some of Canada's Premier Broadcasting Stations
Mike Cleaver
Advanced Member
 
Posts: 2085
Joined: Sat Apr 29, 2006 6:56 pm
Location: Vancouver

Re: Staples Still Hasn't Quite Got It Right

Post by PMC » Tue Jun 21, 2011 7:47 pm

As you point out Mike, the customer should be responsible, but it does point out how the Staples tech staff don't do their work etc.
PMC
 

Re: Staples Still Hasn't Quite Got It Right

Post by jon » Tue Jun 21, 2011 9:15 pm

Mike Cleaver wrote: I don't really feel the onus for deleting this information should totally fall on Staples or any other retailer.

A lot depends on just what Staples is telling their customers.

For example, I believe it was Seagate that I dealt with about a year ago that had a warranty return process that included very strong language promising to erase all returned hard drives using "Defense-grade" methods.
jon
Advanced Member
 
Posts: 9256
Joined: Mon May 08, 2006 10:15 am
Location: Edmonton

Re: Staples Still Hasn't Quite Got It Right

Post by Howaboutthat » Tue Jun 21, 2011 9:24 pm

jon wrote:
Mike Cleaver wrote: I don't really feel the onus for deleting this information should totally fall on Staples or any other retailer.

A lot depends on just what Staples is telling their customers.

For example, I believe it was Seagate that I dealt with about a year ago that had a warranty return process that included very strong language promising to erase all returned hard drives using "Defense-grade" methods.


And if you believe that, you're asking for trouble.
I am sick of people not taking responsibility for their own actions, protection and security.
There is so much information out there, there is NO excuse.
Houston, we're dealing with morons!
Howaboutthat
Advanced Member
 
Posts: 2509
Joined: Fri Jul 13, 2007 9:28 pm
Location: Vernon

Re: Staples Still Hasn't Quite Got It Right

Post by jon » Tue Jun 21, 2011 9:57 pm

Howaboutthat wrote: And if you believe that, you're asking for trouble.
I am sick of people not taking responsibility for their own actions, protection and security.
There is so much information out there, there is NO excuse.

There has to be a limit to all this. Consumers need at least some level of protection because few of us can afford to hire a lawyer to sue every incompetent organization out there.

I frankly am sick to death of the victims of Identity Theft that results from retailers failing to properly protect their customers' information having to shoulder the burden for sorting out the mess.

Otherwise, the only prudent course of action is to do all your business with cash. Banks have to track your social insurance number and many other pieces of information. You cannot file your income tax, get a passport or receive medical attention without giving a lot of personal information that Identity Thieves would love to have.

Sorry, but I don't see a practical way to survive in this society today without trusting a fair bit of your personal information to quite a number of organizations.
jon
Advanced Member
 
Posts: 9256
Joined: Mon May 08, 2006 10:15 am
Location: Edmonton

Re: Staples Still Hasn't Quite Got It Right

Post by Mike Cleaver » Tue Jun 21, 2011 11:50 pm

Don't kid yourself.
ALL of your information already is out there in one computer database or another.
Banks, insurance companies, your doctor, hospitals, the medical insurance plan, the federal and provincial governments, municipal governments, CPIC, merchants you patronize with credit and debit cards, websites you visit, clubs, organizations and online forums and social media all have information about you.
Eventually, it will all be recorded on one giant computer database, especially if governments ever get their shit together and combine all the information they now have in various databases.
There's even more information stored if you've ever been a news person or journalist who has covered any VIP event which needed accreditation.
A friend of mine who once worked for CSIS showed me my file, which included information going back to the mid-sixties!
One of the most extensive checks involved my visit to Cheyenne Mountain in Colorado where a small group of us was admitted to the top secret situation room with the giant map showing the position of every aircraft flying at the moment, its point of departure and intended destination, airline, flight number, number of people on board, etc.
When they run your passport at the border, all of your info becomes available to the border crossing agent in the US and any other country with which Canada has an information sharing agreement.
Same as when a police officer runs your license on CPIC.
Everything is there.
If someone wants to find out anything about you, it can be done, especially with the technology available today.
It's up to the individual to attempt to protect his/her information but it's a losing battle.
Mike Cleaver Broadcast Services
Engineering, News, Voice work and Consulting
Vancouver, BC, Canada

54 years experience at some of Canada's Premier Broadcasting Stations
Mike Cleaver
Advanced Member
 
Posts: 2085
Joined: Sat Apr 29, 2006 6:56 pm
Location: Vancouver

