When A Company Folds, Who Guards Your Data's Privacy?

IT and business both understand the need to protect regulated customer and business data -- so long as they're in business, analysts say. Here's a look at how some folding businesses are falling short protecting data and the possible liabilities for the IT group and CIO.

Legal Recourse Limited

Considering the damages that can occur from defunct companies improperly disposing of data, is there any legal recourse for affected consumers and businesses? In a word: no.

"It is exceptionally difficult to prove an actual loss to the victims and it's hard to show intent to harm. Plus, companies are held responsible rather than individuals and when the company is gone, there is no one left to sue," says Ted Claypoole, attorney, Data Protection Practice at Womble Carlyle Sandridge & Rice. "However, each state handles the situation differently and there is some movement towards addressing this issue."

Claypoole cites the FTC v. Toysmart.com case in 2000: the FTC filed suit alleging that Toysmart had misrepresented it would "never" disclose, sell, or offer for sale consumers' personal information to third parties. Later, the FTC filed an amended complaint alleging that Toysmart had also collected names, e-mail addresses, and ages of children under 13 without notifying parents or obtaining parental consent, as required under the Children's Online Privacy Protection Act (COPPA).

The FTC's allegations arose after Toysmart began soliciting bids for its assets, including customer information, through its Web site and major newspapers.

The FTC settled its charges with Toysmart, proposing a federal district court order that would require Toysmart to delete any information collected in violation of COPPA, prohibit Toysmart from misrepresenting its information collection practices, and bar the company from disclosing customer information, except as allowed by a related bankruptcy order. As part of the settlement, a proposed bankruptcy order would allow the company to sell its customer information to a "qualified buyer" that would take over Toysmart's Web site and adhere to Toysmart's privacy policies as its successor-interest. Customers would be required to give their affirmative consent ("opt-in") to any new uses of their information.

However, the Bankruptcy Court rejected a motion by Toysmart to enter a settlement with the FTC, stating that the court would impose no pre-set restrictions on the sale of Toysmart's assets since no buyer had come forward. The court indicated it would hear objections to an asset sale if a new buyer made an offer.

"What this case showed us was that the FTC is willing to step in and say 'even after death, companies are to be regulated on data,'" explains Claypoole. "We'll see where that kind of thought goes."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags data security

More about AladdinAladdin Knowledge SystemsBillBurton GroupetworkFTCGoodwin Procter

Show Comments