Wiping Out the Data
In her recent report, Canada's Privacy Commissioner noted that Staples, the large business supply retailer, took in numerous computers on trade and then failed to wipe out the data before re-selling them. This meant that the people turning them in did not wipe out the data themselves. She stated that of 149 computers involved, 54 of them still had previous owners' data on them.
The report points to the responsibility of people for their data. Of course, some of these previous users would have been running small businesses, and some of the computers would have held sensitive data.
The first responsibility for the data rests with the owners. The people who traded their computers should have wiped out the data right away. In my opinion, they should have re-formatted their hard drives, which is the only way to make sure the data is removed and beyond the reach of recovery tools. As we all know, deleting files simply doesn't do the job, as recovery is usually easy to accomplish.
Then Staples had a responsibility to make sure the computers they sell do not contain any data from the previous owner. The company in its response said that they are investigating data wiping software to determine which will do the job most completely.
Business owners need to have policies for situations like this, even if only to serve as reminders of what to do when old computers, or in fact any equipment containing processors, like fax machines and printers, are traded or sold.
A single loss of data can be catastrophic to a company. All businesses need to have strict policies around the disposal of such equipment. They shouldn't be looking to Staples to protect their data. They should be doing it themselves.