Data Encryption: Staples Business Depot (Canada) Terrible At Wiping Data. Why Are They Responsible?.
An audit report by Canadian privacy commissioner Jennifer Stoddart laments the fact that Staples Business Depot has failed to get a grip on its continuing data breaches. This is one instance where the use of drive encryption software like AlertBoot doesn’t make sense (kind of).
Not Really Staples’s Fault
When a story involves a giant corporation, customer data, and data breaches, it’s usually the corporation that is in the wrong. In this particular story, Staples is at fault, as one would assume; however, I cannot bring myself to blame them. Ultimately, they are having data breaches because its customers’ are being idiotic.
The official travesty on Staples’s part is this: Despite the implementation of new procedures, an audit of resold used computer equipment shows that 1/3 of products for resale contain sensitive data. It’s not quite clear how many of these products originally contained sensitive data, which leads me to speculate: so how many products are successfully scrubbed of data?
For example, are we to assume that 100% of all returned products contain sensitive data, and hence the 1/3 figure means a 66% scrubbing success rate on Staples’s part? Or do 33% of returned products contain sensitive data, meaning that there is a 0% scrubbing success rate? Most probably, it’s a figure in between.
On the other hand, I’m not sure that I should be asking this question. The real question is, “why are customers returning stuff to Staples with personal data in them?”
It’s Convenient, But It Shouldn’t Be That Way
It’s a weird arrangement. Why is Staples charged with scrubbing the data? Probably because it’s the most convenient method of ensuring data security. But it seems to be something of a moral hazard, too.
Consider a wallet. Let’s say you get a wallet from an on-line retailer. You use it for a couple of days, placing in it cash, identification, credit cards, etc. You find out that it’s not quite what you were looking for so you return it. Without removing the cash, ID, and cards. If stuff gets lost or stolen, whose fault is it?
Consider another scenario. You put up for an auction a used computer on eBay. Someone makes a bid and you send it to that person after checking the money’s in your bank (or PayPal account). But, you don’t delete the data on that computer, and soon find that someone is accessing your on-line banking account. Whose fault is it?
Of course, the right thing to do in the first case is to return the cash, ID, and cards to the rightful owner. And, in the second case, the buyer of the computer doesn’t obtain the right to do whatever he wants with the data on it. But, pragmatists will likely observe that in both cases the victims were acting stupidly.
In Staples’s case, you’ve got a situation where 33% of items for resale still had sensitive data on it. This means that at least 3 in 10 people don’t do anything to scrub data, or at least don’t check to see if their data is actually scrubbed after they think it’s been deleted. That’s a significant number of people not exercising proper data security.
I’m sorry to point out that, perhaps there is a bigger problem here than Staples’s data scrubbing policies not working.
Related Articles and Sites: