Thursday, April 20, 2006

Incident: Alberta Commissioner faults store for inadequate security of personal information after customers' information used fraudulently

In case you were wondering whether printing credit card numbers on receipts is a risky venture, think about Monarch Beauty Supply in Edmonton, Alberta. The company, like many others, prints this information on receipts. And this company threw them out in a dumpster behind the store.

Edmonton Police received copies of that confidential information from an anonymous informant and began an investigation. The Information and Privacy Commissioner of Alberta also received a complaint from a customer of Monarch Beauty Supply that her credit card had been fraudulently used to buy a laptop. The investigation found that other personal information originating with the company had found its way into the hands of criminals.

The Commissioner found that the company did not adequately safeguard personal information, in violation of PIPA. The Commissioner also noted that there was inadequate training of staff because store managers were not trained in privacy.

Lessons learned:

  1. Do not print credit and debit card numbers on receipts.
  2. Do not dispose of personal information by throwing it out.
  3. Make sure that all staff who handle personal information are trained in their obligations under the law.

Under most of Canada's privacy laws, individuals who have been harmed by a company's violation of the law can seek damages from the company that violated the law. Victims of identity theft can seek compensation for all the damage done because of a company's screw-up.

See the Commissioner's report:

Investigation Report P2006-IR-003

Information and Privacy Commissioner's investigation finds Monarch Beauty Supply improperly disposed of over 2600 customer receipts by placing them in a dumpster. The Alberta business failed to protect personal information from identity thieves.

See coverage from the Edmonton Sun: Crook used dumped credit data.
