Staples Violates Canadian Privacy Laws

It was discovered that Staples wasn’t completely wiping data off of returned goods before re-selling them.

Posted by Joe Gerard in Corporate Security, Information Security on June 23rd, 2011

Staples has violated Canadian privacy law, according to an audit conducted by the Privacy Commissioner’s office. It was discovered that Staples wasn’t completely wiping data off of returned goods before re-selling them. The problem? The personal information the previous owners had stored on the electronic devices was still accessible to those who purchased the items afterwards.

The CBC article “Staples resold laptops with customer data, audit finds” reports:

“The privacy commissioner’s office tested computers, laptops, USB hard drives and memory cards that had already undergone a “wipe and restore” process intended to delete data. The devices most likely to contain customer data were laptops, where it was found in 17 of 20 cases.”

Since the Privacy Commissioner doesn’t have the authority to impose sanctions on the company, all she can do is provide advice for Staples – and the other companies listed in the annual report that were found to have violated Canadian privacy laws.
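The failure mode the audit describes, as an added illustration that is not from the article or the audit: a simulated disk image where a metadata-only "restore" leaves the customer record in place, plus the kind of residual-data scan a refurbishment line could run on the raw device before resale. The disk layout, the sample record and the patterns are constructed for this example.

```python
import re

SECTOR = 512          # bytes per simulated sector
DISK_SECTORS = 64     # small constructed "device"
META_SECTORS = 2      # sectors 0-1 hold the directory / filesystem metadata

def make_returned_device() -> bytearray:
    """Constructed disk image: a directory entry in the metadata region and
    one customer record stored in sector 10, as a previous owner might leave it."""
    disk = bytearray(SECTOR * DISK_SECTORS)
    record = b"name=Jane Example;card=4111111111111111;email=jane@example.invalid"
    disk[SECTOR * 10:SECTOR * 10 + len(record)] = record
    disk[0:32] = b"DIR customer.txt sector=10\x00"
    return disk

def restore_metadata_only(disk: bytearray) -> bytearray:
    """Mimics a 'wipe and restore' that rewrites only filesystem metadata
    (quick format / factory image): the file is unlinked, its data is untouched."""
    out = bytearray(disk)
    out[0:SECTOR * META_SECTORS] = bytes(SECTOR * META_SECTORS)
    return out

def overwrite_every_sector(disk: bytearray) -> bytearray:
    """A wipe that actually writes over the whole device, metadata and data alike."""
    return bytearray(len(disk))

# Residual-data patterns: 13-16 digit numbers (card-like) and e-mail addresses.
# Scanning the raw bytes ignores the filesystem entirely, which is the point:
# deleted or unlinked files are still there until the sectors are overwritten.
PII = re.compile(rb"\b\d{13,16}\b|[\w.]+@[\w.]+")

def residual_pii(disk: bytearray) -> list[str]:
    """Return every PII-like fragment still readable anywhere on the device."""
    return [m.group().decode() for m in PII.finditer(bytes(disk))]

def passes_resale_check(disk: bytearray) -> bool:
    """Release gate a refurbishment process could apply: nothing recoverable."""
    return not residual_pii(disk)

if __name__ == "__main__":
    device = make_returned_device()
    print("after metadata-only restore:", residual_pii(restore_metadata_only(device)))
    print("after full overwrite:", residual_pii(overwrite_every_sector(device)))
```

On a real device the same check is a scan of the raw block device, not of files the filesystem still lists.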


Informing the Consumers

In the blog post “Privacy Commish on Staples & eHarmony: Why Keep Investigations & Audit Results Under Wraps?” Dr. Michael Geist, a law professor at the University of Ottawa who holds the Canada Research Chair in Internet and E-commerce Law, raised some additional issues surrounding the Privacy Commissioner’s annual report:

“While these are important privacy developments, the release of this information weeks or months after the investigation or audit was concluded points to a significant flaw in the current reporting approach. I recognize that that is how the system currently functions – the OPC reports to Parliament on audit findings and only occasionally publicly reports on PIPEDA investigations – yet there is something fundamentally flawed with a system that keeps consumers in the dark for months about privacy risks. This is particularly ironic given the OPC’s emphasis on data breaches and the need for the private sector to disclose breaches as quickly as possible. The same should be true for audits and investigations to allow the public to react to newly identified privacy risks.”

Geist raises a good point – consumers need to know when their information has been compromised. Consumers can’t be left in the dark and notified about an issue months after it has happened, as significant damage could have been done between the time their data was compromised and the time they were informed of the incident.

Joe Gerard

CEO, i-Sight

Spend my days showing off the i-Sight investigative case management software and finding ways to help clients improve their investigations. Usually working with corporate security, HR & employee relations, compliance and legal teams.
