Highway litter turns out to be customer data from company

Incident Summary #7

Incident

A third party alerted our Office that documents containing sensitive financial information appeared to be strewn across a vast section of a highway.

We identified the organization responsible for the documents, and promptly brought the matter to its attention. The organization explained that in closing one of its stores, it placed most of its customer records and financial documents into a large number of sealed boxes. These boxes were securely transferred by a records management/shredding firm to one of its storage facilities.

Customer documents that were not contained in the sealed boxes should have been securely destroyed, but some of these records were mistakenly placed in the trash for disposal at a landfill and subsequently appeared to have flown off the back of a truck and scattered across the highway during transportation. The company confirmed that although it had procedures in place for the destruction of customer records, those procedures were not followed in this case. 

The company could not confirm how much of the data from the closed store had been securely destroyed. From the data that was diverted to the landfill, the company could not determine how many of the documents contained personal information. In light of this, the company was unable to identify and notify individuals affected by the incident.

Outcome

This incident was caused by human error.  Based on a risk-benefit assessment conducted in the circumstances, there was no further action that could be taken to mitigate the harm resulting from this incident, given that the store location had already closed.

Final Comment

This case vividly illustrates the unwanted consequences of improperly disposing of personal information when closing a business.  While organizations are increasingly addressing technological threats to personal information for which they are accountable, it is also important that organizations be mindful of physical threats that can equally result in significant data breaches.  Also, this incident demonstrates that an organization’s policies and procedures for the appropriate handling of personal information are only meaningful if those policies and procedures are put into practice, and that the need to put such policies and procedures into practice extends throughout an organization’s life cycle, including when an organization is closing a store or winding-up its operations.

For more information, organizations are encouraged to consult the OPC’s guidance document, Personal Information Retention and Disposal: Principles and Best Practices.