When A Company Folds, Who Guards Your Data's Privacy?

From HIPPA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds-and more are folding every week given the economy-what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan?

"Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they've gone out of business and left those offices," says Jacqueline Klosek, a senior counsel in Goodwin Procter's Business Law Department and a member of its Intellectual Property Group.

"In addition, company computers, often containing personal data, will find their ways to the auction block," she adds. "All too often, the discarded documents and computer files will sensitive data, such as credit card numbers, social security numbers and driver's licenses numbers. This is the just the kind of data that can be used to commit identity theft."

Discarded and unguarded data is now low-hanging fruit for criminal harvesters and corporate spies. "Recent client activity supports that competitors are beginning to buy up such auction devices specifically with the intention of trying to salvage the data," says James DeLuccia, author of IT Compliance & Controls. "Hard drives are being removed and sold online, or whole servers are sold via Craigslist and Ebay."

In some cases, the courts insist data be sold during a bankruptcy. "Company servers, once I restore them to operation, are handed over to the bankruptcy trustee's representative," says Bill Horne, a consultant at William Warren Consulting, a computer and network installations, security and service company. "The data they contain is considered to be a corporate asset and it is conveyed to the new owners in every situation I've seen."

Horne says his business is booming as more companies fail and more buyers await the goods.

Even companies still in business but looking to discard excess hardware abandoned by laid-off workers are exposing customer data to hordes of thieves. "Outdated or unused desktop machines, which might contain all kinds of sensitive data, are either sold to recycling firms or to the general public, with no attention to data security," says Horne.

Most recyclers expect PCs to arrive with software intact, says Horne, because it raises their resale value. Few computer service firms bother to tell their customers about the danger of letting old machines go out the door without first erasing their disks, he says.

"When I accept machines from my customers, either for resale or recycling, they know I will 'flatten' the machines before passing them on," he says. "Unfortunately, I'm the exception rather than the rule."

(For more on data cleansing, see "Why Information Must Be Destroyed", from CSO.)

Soon to be laid-off employees can also ransack sensitive company data, analysts warn. "In the case of business closure, there is lots of room for error, neglect, and even malfeasance," says Lyn Robison, senior analyst and research director of Data Management Strategies at Burton Group. "A disgruntled employee could make off with sensitive data on the way out the door."

There's been a lot of buzz around this topic this week due to a recent survey by a security industry company, but some security gurus say the threat is being taken out of context: For more advice, see our sister publication CSO's Bill Brenner's take on exiting employees and risk.

No One Left to Pay the Fines?

With so much at risk, why do failing companies not take more care with data? "When a company fails there is less concern about fines for non-compliance when there is no one left to pay the fines," says John Gunn, general manager at Aladdin Knowledge Systems North America.

Protecting or erasing data may require a significant additional investment in security infrastructure at a time when companies can least afford it, he says. "The result is that many will try to fly under the radar, especially if they simply cannot afford it," says Gunn.

Individuals are likely to be hurt by this behavior, but so are businesses. "The company that goes out of business is rarely the one that gets hurt," says Michael Fleming, chairman of the American Bar Association Business Law Section, Cyberspace Law Committee. "Rather, it's the other businesses that entrusted their data to the now-defunct company who may find they've failed to account for a contingency."

For example, says Fleming, consider a health-care provider that has entrusted a third-party data processor to store its patient records. If that third-party data processor fails, the surviving health-care business may find its own customer data the subject of a bankruptcy asset proceeding, or worse, simply lost. None of this activity releases the health-care provider from liability under the various state and federal regulations.

"Companies who entrust their data to others should not presume that the law will fully protect them from the consequences of that other company's bankruptcy or insolvency -- and should therefore plan for the worst before the data is sent out by negotiating a contract which may survive a bankruptcy," Fleming says.

The new best practice in data security is to shore up contracts with third-parties to retain the rights and accessibility of data stored off-site, be that in the cloud or on a third-party server or service, in the event that the company goes bust. "That said, there are not as many easy mechanisms out there that can protect data in the same manner as a lender might protect the borrower's collateral in a bankruptcy," warns Fleming.

Legal Recourse Limited

Considering the damages that can occur from defunct companies improperly disposing of data, is there any legal recourse for affected consumers and businesses? In a word: no.