In my experience, most conversations on how to protect customer data revolve around active companies. Certainly important, but what about bankrupt companies? That data doesn’t simply disappear when the organization declares bankruptcy. And in many cases, the bankrupt company doesn’t destroy the data. So in whose hands does our PII end up?
Who Protects Customer Data When It’s Sold or Abandoned?
According to a Naked Security article by John E. Dunn, Canadian computer and electronics retailer Netlink Computer Inc (NCIX) declared bankruptcy late last year. NCIX abandoned a lot of its equipment. In August, Privacy Fly researcher Travis Doering found that someone was selling the equipment on Craigslist.
The equipment comprised hundreds of pieces of hardware that in total held 13 terabytes of data. The data included 385,000 database records containing names, email addresses, phone numbers, and account passwords. 258,000 records included full credit card payment details.
And that’s not all.
A separate Canadian database contained 3.8 million customer records gathered by NCIX between January 2007 and July 2010.
Doering even turned up numerous files belonging to NCIX’s founder Steve Wu, including personal documents and images of his family, plus large numbers of company emails, and intellectual property related to manufacturing.
Somehow the seller had got hold of passwords to access the databases while significant amounts of the data were not encrypted in the first place. The price for the data on its own: $15,000 (£11,500). — John E. Dunn
Doering guessed that NCIX’s landlord sold the equipment to an auction house. Dunn posits that part of the problem is that “nobody seems to be paying any attention to what happens to customer data when companies die.” Who knows what may have happened if Doering hadn’t come across the listing?
My first question was whether any part of this scenario was legal.
Bankruptcy Law & Privacy Law
Admittedly, law is not my area of expertise, so I sought an expert. John Drennan, CIPP-US, is a privacy-law attorney. In 2016, while a member of law firm Baker Donelson’s counsel, he wrote an illuminating article on how bankruptcy laws protect customer data.
In his article, Drennan states that bankruptcy law and privacy law overlap more than you would expect. The US Bankruptcy Code directly addresses what happens to PII.
Drennan goes on to say that rather than being “written to flatly prohibit any such sale, thereby enforcing the privacy rights of the consumers outside of bankruptcy,” the Code allowed for specific situations where PII could be transferred. This means that where PII transfer would otherwise be prohibited, it could be deemed legal in the event of bankruptcy.
The Bankruptcy Code in Practice
In 2015, RadioShack tried to sell its customers’ data in bankruptcy. But its online privacy said, “We will not sell or rent your personally identifiable information to any one at any time.” They also said as much in several other places—including on signs in its brick-and-mortar stores that said “We respect your privacy” and “We do not sell mailing lists.”
Does “never” stop meaning “never” once an organization goes bankrupt?
Because of these limitations and the destruction of much of the data, the data became a lot less valuable. Drennan draws an interesting conclusion about the relationship between the level of customer data protection and the value of the data.
After this research, it’s harder for me to trust privacy policies. But I can think of one solution to better protect customer data. What if best practice dictated that privacy policies include information on what will happen to your PII if the company declares bankruptcy? I expect that the legality of PII transfer would become a much less murky subject.
To read more about privacy-related law, check out some of our other blogs: