
Stolen! Privacy Protection Takes on New Meaning after Theft of Financial Data

By Julie King |

In the information age, people "phish" for personal information rather than aquatic animals. Phishing and "binning" - the practice of searching through garbage bins for records and documents - are two ways identity thieves source personal information.

For Monarch Beauty Supplies, a company that distributes beauty and personal care products across Canada and the USA, binning became a serious reality when the company learned that the Edmonton Police Service (EPS) had recovered a bundle of customer credit and debit card receipts from their Edmonton store.

EPS recovered the first bundle of receipts in April 2005 from an informant "well placed" in the criminal community. A second bundle was recovered in June 2005, and additional receipts were recovered in an unrelated search in October 2005.

In at least one case the stolen information was used to commit fraud. One customer noticed a $500 charge for a laptop. A few weeks later she was contacted by the EPS, who informed her that a criminal had used one of her credit card sales receipts from Monarch Beauty Supply to purchase the laptop.

In the summer of 2005 Information and Privacy Commissioner Frank Work commenced an investigation of Monarch Beauty Supply's parent company, Beauty Systems Group (Canada) Inc. (BSG), under the Personal Information Protection Act (PIPA). His report, which was released in mid-April 2006, found that the Alberta company failed to protect its customers' personal information from identity thieves. His report brings to light what went wrong and what companies can do to prevent similar occurrences.

Moving through the chain of command
BSG has about 800 stores in Canada and the US that are open to customers in the beauty trade industry. The privacy breach occurred at a single Monarch Beauty Supply store in Edmonton when the store manager and district manager, along with two employees from another store, were preparing for inventory in April 2005. The investigation found that the two employees failed to properly destroy highly sensitive data because management did not provide them with specific instructions.

The immediate reaction may be to place the blame on the two employees. However, in his investigation privacy commissioner Frank Work noted that the employees did not receive specific instructions on how to dispose of the documents.

"The Store Manager and District Manager were not diligent in safeguarding the documents which contained sensitive customer information," wrote Frank Work in his report. "They believed that the two non-management employees (from another BSG store), would use the shredder to destroy the sales journals. In this instance, the former management personnel gave insufficient instruction on how to proceed with the care and disposal of the documents, despite the organization's memoranda, privacy policies and procedures."

Senior managers at the company had attended a privacy training seminar in March of 2005, but the district manager for the Edmonton store did not attend and the seminar did not include store managers. In addition, the company's official policy regarding the handling and destruction of documents was not current with the company's new policy of machine shredding documents. The official policy on record specified that documents were to be hand shredded and thrown away, which is essentially what the two employees did.

If problems with communication and insufficient instructions led to the theft of confidential customer data, the company's initial response did not help limit potential damage.

After being notified of the privacy breach by the EPS the manager of the Edmonton store contacted her district manager, who in turn contacted BSG's territory manager for Canada. The territory manager spoke with police. He mistakenly believed that as most of the documents had been recovered nothing further was required. His failure to notify the company's privacy officer of the breach at this point delayed the launch of an internal investigation and further exposed BSG customers to the risk of fraud.

On June 2, 2005 the territory manager issued a memorandum to district managers, informing them of the privacy breach and instructing them to purchase shredding devices and ensure that all documents were shredded.

Meanwhile in early June the EPS recovered another bundle of stolen credit card slips. It is around this time that the Office of the Information and Privacy Commissioner (OIPC) launched their own investigation.

However, it was not until August that the senior managers responsible for privacy matters at BSG became aware of the problem. At this point the store cooperated fully with investigators. At the conclusion of the investigation Frank Work found that:

  • BSG improperly disposed of sensitive customer information by discarding daily financial records, and credit and debit sales transaction receipts in an unlocked dumpster accessible to the public.
  • Employees failed to properly destroy records because they did not have specific instructions provided by management personnel.
  • BSG contravened Section 34 of the PIPA by failing to follow proper disposal procedures to protect customer personal information.

To address the commission's concerns BSG has agreed to follow an extensive program that will safeguard customer data. These steps include:

  • Notifying all their customers of the security breach and providing assistance;
  • Developing new security and disposal policy and procedures;
  • Amending existing policies and procedures as specified in this report;
  • Conducting privacy training for all management on the amendments to their existing policies and procedures and new security and disposal policy and procedures; and
  • Implementing more rigorous safeguards, and regularly monitoring the effectiveness of these safeguards.

One could argue that the path this highly sensitive information took from the company office to the hands of criminals was fraught with avoidable error. Yet the same errors could have occurred in many companies. The cautions from this story are clear. With the rising risk of fraud and identity theft, businesses must handle personal client data with the utmost care. Ensuring that receipts are kept in a locked area, that any access to accounting data is monitored, and that all private documents are cross-shredded before they are disposed of are simple first steps that any business can take to protect its customers.
