News Release

Audit: Risks to Staples’ customer data remained following breaches

Despite previous commitments by Staples Canada Inc. to address problems related to the resale of returned data storage devices, an audit by the Office of the Privacy Commissioner of Canada has found that some returned devices destined for resale still contained data stored by previous customers.

OTTAWA, June 21, 2011 – Staples Business Depot stores failed to fully wipe customer data from returned devices such as laptops and USB hard drives destined for resale, a privacy audit has found. The long-standing problem put customers’ personal information at risk, says Privacy Commissioner of Canada Jennifer Stoddart.

“Our findings are particularly disappointing given we had already investigated two complaints against Staples involving returned data storage devices and the company had committed to taking corrective action,” says Commissioner Stoddart.

“While Staples did improve procedures and control mechanisms after our investigations, the audit showed those procedures and controls were not consistently applied, nor were they always effective – leaving customers’ personal information at serious risk.”

A summary of the audit findings is included in the Privacy Commissioner’s 2010 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled today.

The Staples audit included tests on data storage devices (i.e., computers, laptops, USB hard drives and memory cards) that had undergone a “wipe and restore” process and were destined for resale. Of the 149 data storage devices tested, over one-third (54 devices) still contained customer data – in some cases, highly sensitive personal information such as Social Insurance Numbers, and health card and passport numbers; academic transcripts; banking information and tax records.

The audit concluded that, although Staples generally has good privacy practices, it had not met its obligations under Canada’s private-sector privacy law with regard to returned data storage devices.

The Office of the Privacy Commissioner recommended that Staples review its procedures and processes for wiping data storage devices and implement enhanced controls to eliminate any risk of personal information being disclosed.

In response, Staples stated that it was actively testing several means of fully wiping data from returned products without damaging or destroying hard drives or operating systems.

“It is disappointing that the issue that prompted our audit in the first place remained unresolved,” says Commissioner Stoddart. “If Staples is unable to remove all customer data from a particular manufacturer’s device, it should not be reselling that device.”

The Office of the Privacy Commissioner has asked Staples to provide, by June 30, 2012, a report from an independent third party confirming how the company has complied with recommendations stemming from the audit.

The Commissioner’s 2010 annual report also includes a section focusing on privacy in an online world, including an investigation of a complaint involving a major Internet dating site.

During the investigation, the Office of the Privacy Commissioner raised concerns that U.S.-based eHarmony was not offering users the clear option of permanently deleting their profile information from the site. In response, eHarmony said it will offer users the option of completely deleting their accounts and implement a two-year retention period for personal information held in inactive accounts. The Office was satisfied with the company’s responses.

“These types of issues are increasingly important given the central role the Internet plays in daily life. Protecting the privacy of people who use online dating sites – where so many couples now meet – is very much a mainstream issue,” says Commissioner Stoddart.

The annual report also summarizes several other investigations as well as other activities by the Office of the Privacy Commissioner during 2010.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.

- 30 -

For more information (media only), please contact:

Valerie Lawton
Office of the Privacy Commissioner of Canada
E-mail: Valerie.Lawton@priv.gc.ca