Failure to properly wipe data from recycled server costs company $250K, an apology and 160,000 letters of notice
In a tale of best intentions gone wrong, the Office of the Information and Privacy Commissioner of Alberta (“Commissioner”) recently found in Bow Valley College (Re), 2013 CanLII 52666 (AB OIPC) that an educational institution that recycled its servers without ensuring the data on them had been wiped had not met privacy requirements. The decision identifies some key considerations for corporations decommissioning and disposing of technology.
Bow Valley College (“BVC”) had 21 servers it was decommissioning. Mindful of environmental concerns, it contacted a third party, the Electronic Recycling Association of Alberta (“ERA”), a not-for-profit society, to handle the data wiping and disposal of the hardware. BVC was also alive to privacy concerns, and prior to obtaining a membership in the ERA, made sure it toured ERA’s facilities and was satisfied with the ERA’s processes.
BVC proceeded to decommission the servers. Four months later, a purchaser of one of the decommissioned servers booted it up and found personal information (including SIN numbers, credit card numbers, and salaries) of 189,900 students and 3,500 employees of BVC spanning almost 20 years. Over the next few months, the Commissioner received complaints from 28 individuals affected.
Meanwhile, BVC went into crisis mode and conducted its own investigation. BVC immediately ceased using a third party for decommissioning servers. It tracked down the remaining 20 servers and found that eight them had personal information on them. It reviewed all the information on the recovered servers to identify the affected individuals and sent out letters to each of them. It also sent emails, set up a telephone number and an email address for information and in some cases, set up face-to-face meetings. It advised affected individuals of their right to make a complaint to the Commissioner and apologized. BVC estimated that its cost to respond to this incident cost over $247,000.
There was no question that the information constituted personal information. The Commissioner’s investigation focused on whether BVC had taken sufficient steps to protect this personal information.
Despite BVC’s diligence in determining ERA’s capacities, reviewing its processes, inspecting the company’s premises, and entering into a written agreement with the company, the Commissioner found that BVC had not taken sufficient steps to protect the personal information.
The Commissioner determined that BVC did have a written agreement with ERA, but it was a membership agreement only. It didn’t include a contract for data wiping and destruction of technology. The ERA offered these services, but it was not part of the membership fees – it was a separate agreement. BVC had failed to distinguish between the two agreements, and assumed it had contracted with the ERA for data wiping and destruction.
The Commissioner was of the view that had BVC closed the loop – examined the invoices it received from ERA to confirm the services it had received – it would have been aware that it had been charged for pickup services, and not data destruction and disposal services.
The Commissioner declined to order any specific remedy as in her view, the matter had been adequately addressed by BVC’s actions subsequent to the breach. BVC agreed to conduct an independent audit of its information security practices implemented in response to this incident.
This case sounds a cautionary note for companies that use third parties for data wiping and hardware disposal. When ensuring a valid contract is in place, confirmation of services completed, both on an administrative level (e.g. invoices reflecting data wiping and hardware disposal) and a on a technical level (e.g. written confirmation or certification by an IT specialist that personal information has been deleted) may be required.