In my experience, most conversations on how to protect customer data revolve around active companies. Certainly important, but what about bankrupt companies? That data doesn’t simply disappear when the organization declares bankruptcy. And in many cases, the bankrupt company doesn’t destroy the data. So in whose hands does our PII end up?

How do organizations protect customer data after bankruptcy?

Who Protects Customer Data When It’s Sold or Abandoned?

According to a Naked Security article by John E. Dunn, Canadian computer and electronics retailer Netlink Computer Inc (NCIX) declared bankruptcy late last year. NCIX abandoned a lot of its equipment. In August, Privacy Fly researcher Travis Doering found that someone was selling the equipment on Craigslist.

The equipment comprised hundreds of pieces of hardware that in total held 13 terabytes of data. The data included 385,000 database records containing names, email addresses, phone numbers, and account passwords. 258,000 records included full credit card payment details.

And that’s not all.

A separate Canadian database contained 3.8 million customer records gathered by NCIX between January 2007 and July 2010.

Doering even turned up numerous files belonging to NCIX’s founder Steve Wu, including personal documents and images of his family, plus large numbers of company emails, and intellectual property related to manufacturing.

Somehow the seller had got hold of passwords to access the databases while significant amounts of the data were not encrypted in the first place. The price for the data on its own: $15,000 (£11,500). — John E. Dunn

Doering guessed that NCIX’s landlord sold the equipment to an auction house. Dunn posits that part of the problem is that “nobody seems to be paying any attention to what happens to customer data when companies die.” Who knows what may have happened if Doering hadn’t come across the listing?

My first question was whether any part of this scenario was legal.

Bankruptcy Law & Privacy Law

Admittedly, law is not my area of expertise, so I sought an expert. John Drennan, CIPP-US, is a privacy-law attorney. In 2016, while a member of law firm Baker Donelson’s counsel, he wrote an illuminating article on how bankruptcy laws protect customer data.

In his article, Drennan states that bankruptcy law and privacy law overlap more than you would expect. The US Bankruptcy Code directly addresses what happens to PII.

In the 2005 amendments to the Bankruptcy Code (BAPCPA), Congress passed legislation to protect consumers against the sale of personal identifiable information (PII) by the debtor when the sale would violate that debtor’s privacy policy outside of bankruptcy (e.g., if the privacy policy says that such information would not be shared with any unaffiliated third party). — John Drennan

Drennan goes on to say that rather than being “written to flatly prohibit any such sale, thereby enforcing the privacy rights of the consumers outside of bankruptcy,” the Code allowed for specific situations where PII could be transferred. This means that where PII transfer would otherwise be prohibited, it could be deemed legal in the event of bankruptcy.

The Bankruptcy Code in Practice

In 2015, RadioShack tried to sell its customers’ data in bankruptcy. But its online privacy policy said, “We will not sell or rent your personally identifiable information to any one at any time.” RadioShack also said as much in several other places, including on signs in its brick-and-mortar stores that said “We respect your privacy” and “We do not sell mailing lists.”

Does “never” stop meaning “never” once an organization goes bankrupt?

In this case, the FTC and multiple State Attorneys General intervened. Ultimately, the sale could only go forward under limited conditions. These included restricting the types of information sold, providing consumers an opt-out option, requiring that the buyer agree not to sell email addresses, and requiring that the buyer abide by RadioShack’s privacy policy. Furthermore, most of the data was destroyed before the sale.

Because of these limitations and the destruction of much of the data, the data became a lot less valuable. Drennan draws an interesting conclusion about the relationship between the level of customer data protection and the value of the data.

The level of privacy protection provided by a company’s privacy policy is inversely proportional to the value of its private consumer data in bankruptcy. Strong restrictions in a privacy policy on sharing private customer data, for example, will likely limit the pool of potential purchasers of a company’s customer list, effectively reducing the value of what at first might appear to be a highly valuable company asset… such restrictions could even change a potential asset into a liability, because the purchaser will need to pay to have the data destroyed. — John Drennan

In Conclusion

After this research, it’s harder for me to trust privacy policies. But I can think of one solution to better protect customer data. What if best practice dictated that privacy policies include information on what will happen to your PII if the company declares bankruptcy? I expect that the legality of PII transfer would become a much less murky subject.


Alienor

Alienor is a technical writer at Plixer. She especially enjoys writing about the latest infosec news and creating guides and tips that readers can use to keep their information safe. When she’s not writing, Alienor spends her time cooking Japanese cuisine, watching movies, and playing Monster Hunter.
