Guest post by: Sanket Jain

Do you use laptops, USB devices, cameras or GPS? Have you ever returned one you didn’t like? If you answered yes to either of these then please read on…

Computing and electronic devices often come with a manufacturer’s warranty or retailer’s return policy where consumers dissatisfied with the product can return the devices, often at no extra cost.

These devices are then often resold by retailers as refurbished products. Most consumers may overlook a gaping privacy risk in this process: resold items may still hold the personal information of previous purchasers, resulting in unauthorized disclosure.

The Office of the Privacy Commissioner of Canada (OPC) has recently audited Staples Business Depot for such unauthorized disclosure of personal information. As background, Staples was investigated by the OPC for similar complaints between 2004 and 2008. Staples had committed to making the necessary changes in its processes to ensure personal information is protected. These changes centred on making sure that personal information is fully wiped before a device is restocked.

Recent audits by the OPC have found that the steps taken by Staples are not consistently applied and leave a lot of room for further improvement. The following are the brief findings of the recent audit:

  • Over one third of tested devices that had undergone Staples’ wipe and restore process (destined for resale) actually contained personal information belonging to previous owners. In some cases, highly sensitive personal information was found on these devices.
  • Some devices were verified as having been wiped clean even though this was not the case.
  • Some devices were not checked by a manager prior to being restocked. I reckon this is a crucial part of the process where control must be applied to mitigate the risk arising from potential vulnerabilities in the wipe and clean process.

“If Staples is unable to remove all customer data from a particular manufacturer’s device, it should not be reselling that device”, says Commissioner Jennifer Stoddart.

In my opinion, the issue is threefold: 1 – Staples should come up with better ways of ensuring that data is wiped clean from any returned devices, 2 – New staff processes need to be built in order to verify that the data cleaning process has been effective before the device is put up for resale, 3 – Some of the responsibility to protect personal information stored in returned electronic devices rests with the owners of such devices.

The good news is that Staples has agreed to the recommendations made by the OPC on finding better and more effective ways to wipe and clean devices, and on training staff in the importance of such procedures.

What do you think? Please let me know your thoughts in the comments section.

Please follow this link to read the detailed findings by the OPC on this issue:
http://www.priv.gc.ca/information/ar/201011/2010_pipeda_e.cfm#sect5

About the author:

Sanket Jain is a recent marketing graduate, working with Emailkarma.net founder Matt Vernhout. Contact him via Twitter: @sanketjn