Finders, keepers? Can you just auction off lost USB drives left on trains without regard to whether they contain sensitive information? Maureen Shelley reports:
A bunch of USB memory sticks, which hold private photos and data, left by passengers on Sydney trains were sold by Railcorp at a lost property auction.
Computer security company Sophos, which bought the sticks, said they contained thousands of photographs, work projects, minutes of meetings and university assignments as well as a job application and resumé (sic).
NSW Information and Privacy deputy commissioner John McAteer said that his office was investigating a possible breach of the Privacy Act by RailCorp and whether it had kept passengers’ private data safeguarded.
Read more on The Daily Telegraph.
Updated 12-14-11: RailCorp isn’t saying whether it erased any data before selling devices, leading to concerns about what they’ve done in previous auctions. Read more on The Sydney Morning Herald.
It is quite possible that once an item like a USB stick is lost, there is no statutory obligation on the finder to protect the privacy of the contents.
At best, it’s difficult to see how such an obligation could ever be enforceable.
Anything’s possible, but what do their laws proscribe? There may be no statutory duty to protect it (and I’m not sure about that as I don’t know AU law), but can an entity sell personal data without the consent of the data subject under AU law? We need an AU privacy lawyer here.
I am sure if you look at this in the light of anything else, it’s purely wrong. Courts want to ensure that companies follow the prudent man rule, and with that said, this action is far from it.
The “finders keepers” side of this is just that. If you have ownership or custody for something, and you are about to sell it, you are deemed responsible for what you are selling. This is no different than someone buying/selling hacked website info or PII. Ignorance may play a part, but 99.9% of the time it doesn’t fly in the courts.
I’d be interested in seeing the actual description of the auction and how much the bid was initially started for, and the end price paid.
It’s not all on the sellers here. I am sure the people who lost this data probably did not notify their company, let alone set out on a long hard search to recover it. It seems like it’s a process that this company has that’s broken. The people in charge of the so-called lost and found are probably lost themselves – anyone who has any knowledge of computers or watches TV knows that USB sticks are a potential Pandora’s box when they are lost.
I guess if they like free negative publicity, then they got what they asked for.