From HIPAA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds—and more are folding every week given the economy—what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan?
“Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they’ve gone out of business and left those offices,” says Jacqueline Klosek, a senior counsel in Goodwin Procter’s Business Law Department and a member of its Intellectual Property Group.
“In addition, company computers, often containing personal data, will find their ways to the auction block,” she adds. “All too often, the discarded documents and computer files will have sensitive data, such as credit card numbers, social security numbers and driver’s licenses numbers. This is the just the kind of data that can be used to commit identity theft.”
Discarded and unguarded data is now low-hanging fruit for criminal harvesters and corporate spies. “Recent client activity supports that competitors are beginning to buy up such auction devices specifically with the intention of trying to salvage the data,” says James DeLuccia, author of IT Compliance & Controls. “Hard drives are being removed and sold online, or whole servers are sold via Craigslist and Ebay.”
In some cases, the courts insist data be sold during a bankruptcy. “Company servers, once I restore them to operation, are handed over to the bankruptcy trustee’s representative,” says Bill Horne, a consultant at William Warren Consulting, a computer and network installations, security and service company. “The data they contain is considered to be a corporate asset and it is conveyed to the new owners in every situation I’ve seen.”
Horne says his business is booming as more companies fail and more buyers await the goods.
Even companies still in business but looking to discard excess hardware abandoned by laid-off workers are exposing customer data to hordes of thieves. “Outdated or unused desktop machines, which might contain all kinds of sensitive data, are either sold to recycling firms or to the general public, with no attention to data security,” says Horne.
Most recyclers expect PCs to arrive with software intact, says Horne, because it raises their resale value. Few computer service firms bother to tell their customers about the danger of letting old machines go out the door without first erasing their disks, he says.
“When I accept machines from my customers, either for resale or recycling, they know I will ‘flatten’ the machines before passing them on,” he says. “Unfortunately, I’m the exception rather than the rule.”
(For more on data cleansing, see “Why Information Must Be Destroyed”, from CSO.)
Soon to be laid-off employees can also ransack sensitive company data, analysts warn. “In the case of business closure, there is lots of room for error, neglect, and even malfeasance,” says Lyn Robison, senior analyst and research director of Data Management Strategies at Burton Group. “A disgruntled employee could make off with sensitive data on the way out the door.”
There’s been a lot of buzz around this topic this week due to a recent survey by a security industry company, but some security gurus say the threat is being taken out of context: For more advice, see our sister publication CSO’s Bill Brenner’s take on exiting employees and risk.
No One Left to Pay the Fines?
With so much at risk, why do failing companies not take more care with data? “When a company fails there is less concern about fines for non-compliance when there is no one left to pay the fines,” says John Gunn, general manager at Aladdin Knowledge Systems North America.
Protecting or erasing data may require a significant additional investment in security infrastructure at a time when companies can least afford it, he says. “The result is that many will try to fly under the radar, especially if they simply cannot afford it,” says Gunn.
Individuals are likely to be hurt by this behavior, but so are businesses. “The company that goes out of business is rarely the one that gets hurt,” says Michael Fleming, chairman of the American Bar Association Business Law Section, Cyberspace Law Committee. “Rather, it’s the other businesses that entrusted their data to the now-defunct company who may find they’ve failed to account for a contingency.”
For example, says Fleming, consider a health-care provider that has entrusted a third-party data processor to store its patient records. If that third-party data processor fails, the surviving health-care business may find its own customer data the subject of a bankruptcy asset proceeding, or worse, simply lost. None of this activity releases the health-care provider from liability under the various state and federal regulations.
“Companies who entrust their data to others should not presume that the law will fully protect them from the consequences of that other company’s bankruptcy or insolvency — and should therefore plan for the worst before the data is sent out by negotiating a contract which may survive a bankruptcy,” Fleming says.
The new best practice in data security is to shore up contracts with third-parties to retain the rights and accessibility of data stored off-site, be that in the cloud or on a third-party server or service, in the event that the company goes bust. “That said, there are not as many easy mechanisms out there that can protect data in the same manner as a lender might protect the borrower’s collateral in a bankruptcy,” warns Fleming.
Legal Recourse Limited
Considering the damages that can occur from defunct companies improperly disposing of data, is there any legal recourse for affected consumers and businesses? In a word: no.
“It is exceptionally difficult to prove an actual loss to the victims and it’s hard to show intent to harm. Plus, companies are held responsible rather than individuals and when the company is gone, there is no one left to sue,” says Ted Claypoole, attorney, Data Protection Practice at Womble Carlyle Sandridge & Rice. “However, each state handles the situation differently and there is some movement towards addressing this issue.”
Claypoole cites the FTC v. Toysmart.com case in 2000: the FTC filed suit alleging that Toysmart had misrepresented it would “never” disclose, sell, or offer for sale consumers’ personal information to third parties. Later, the FTC filed an amended complaint alleging that Toysmart had also collected names, e-mail addresses, and ages of children under 13 without notifying parents or obtaining parental consent, as required under the Children’s Online Privacy Protection Act (COPPA).
The FTC’s allegations arose after Toysmart began soliciting bids for its assets, including customer information, through its Web site and major newspapers.
The FTC settled its charges with Toysmart, proposing a federal district court order that would require Toysmart to delete any information collected in violation of COPPA, prohibit Toysmart from misrepresenting its information collection practices, and bar the company from disclosing customer information, except as allowed by a related bankruptcy order. As part of the settlement, a proposed bankruptcy order would allow the company to sell its customer information to a “qualified buyer” that would take over Toysmart’s Web site and adhere to Toysmart’s privacy policies as its successor-interest.
Customers would be required to give their affirmative consent (“opt-in”) to any new uses of their information.
However, the Bankruptcy Court rejected a motion by Toysmart to enter a settlement with the FTC, stating that the court would impose no pre-set restrictions on the sale of Toysmart’s assets since no buyer had come forward. The court indicated it would hear objections to an asset sale if a new buyer made an offer.
“What this case showed us was that the FTC is willing to step in and say ‘even after death, companies are to be regulated on data,'” explains Claypoole. “We’ll see where that kind of thought goes.”
Indeed, the territory is new and uncharted at least at these depths. “A lot depends on what the data was intended to be used for,” says Claypoole. “For example, if DNA was collected from employees as part of a health screening, that information is generally protected. But, if the DNA was collected as part of an employee ID system, the DNA can be sold.”
Liability Issues for IT Increasing?
For now, CIOs are in a precarious position. “CIOs and CEOs can’t destroy the data or they could be charged with destroying a company asset,” explains Claypoole. “Yet, you can’t ignore the issue because it could come back to haunt you later.”
In a desperate effort to either cope or profit, some CIOs and CEOs are taking their own steps and storing data elsewhere or even taking servers home, says Sanjay Anand, president of consulting and training firm GRC Group, and dubbed “Mr. Sarbanes-Oxley” by many in the industry.
“Generally the CIO’s personal liability is very limited as long as adherence to guidelines is demonstrated,” says Anand. “But we are hearing of cases where CIOs are directly responsible for the drives going missing, and in those cases we have already seen the first signs of litigation.”
The thorniest problem is when IT people working offshore for U.S. companies make off with servers, drives or data, he says. It’s hard for U.S. companies to track the IT people down, though the firms have started to litigate the issue, Anand says.
Eventually the matter may be sorted out in a regulatory way, but don’t look for immediate answers, Anand says. “The new administration has its hands full with broader financial issues, and is unlikely to focus on just this narrow aspect anytime soon,” says Anand.