Canadian Underwriter

Privacy Commissioner audit finds Staples did not wipe data storage devices prior to resale


June 22, 2011 by Canadian Underwriter



Canada’s Privacy Commissioner has called on Staples Business Depot to review and improve compliance with its own privacy policies and procedures after an audit found the company had re-sold computers, hard drives and electronic memory devices without first wiping personal information from them.
In an audit report released on June 21, the privacy commissioner noted its audit of Staples had tested 149 data storage devices, including laptop and desktop computers, USB and internal hard drives, memory sticks and memory cards.
“The audit shows that Staples did not ensure data storage devices are wiped of all customer data prior to resale,” the privacy commissioner concluded in its report. “In summary, we found that 54 of the 149 devices tested contained customer data.
“A number of these devices contained personal information that included government-issued identification numbers, email messages, personal correspondence and photographs, immigration documents, resumés, financial statements, custodial arrangements and personal contact lists.”
The privacy commissioner noted Staples does have a corporate policy requiring that a vendor’s personal information be wiped and removed from electronic devices prior to re-sale. Staples strengthened these policies after a 2009 investigation by the privacy commissioner into the same issue.
“While the revised procedures include key control mechanisms, they are not consistently applied,” the report of the privacy commissioner found. “In 15 of the 17 stores audited, we noted instances where data storage devices were:
• resealed and verified as being wiped when such was not the case;
• not verified by a manager prior to being restocked; or,
• sent directly to the RTV [return to vendor] bin without being processed (wiped) by a technician.”

