Protecting Data In A Business Failure

Article by Theodore Claypoole and Danielle Benoit

Newscasters and politicians repeatedly stress that the current economic downturn is unlike any other before. It is unique because complexity in financial services has blinded executives to true risk. It is unparalleled for its impact on the savings and investments of the middle class. It is exceptional because of its depth, speed of descent and massive numbers of business failures.

This economic crisis is also exceptional for its threat to personal data. The United States is in the midst of the first severe economic meltdown of the information age — an age where data about consumers, employees, patients and borrowers is maintained on computers for companies large and small. Businesses are obligated by law to protect the personally identifiable information (PII) they retain about people. But when these companies disappear, the data remains in existence, and it is difficult to penalize corporate entities, their officers and their managers for losing or distributing the data — whether intentional or unintentional.

When a business ends, none of its managers have any incentive, aside from good ethical values, to protect sensitive private information. Sometimes consumer data may be the only asset a company holds that has enough value to sell for the satisfaction of creditors. In other circumstances, employees may simply abandon a failing business, leaving its databases, printed customer lists and other sensitive information for anyone to find. Occasionally, executives and employees may grab computers and paper records from their dying business to help them as they move to their next positions. In all of these cases, personal information is most vulnerable during a time of transition and confusion. More business failures in this economic downturn mean more transition and confusion.

If shuttered businesses cannot be trusted to protect sensitive data on their own, then legal obligations may be the only practical incentive to secure our personal information when it is held by a failing company. During bankruptcy proceedings, company trustees may discard private contractual obligations, and are unlikely to impede the reckless actions of business executives who know that, absent broader obligations, a contracting party may only enforce its contract against the dying company that will soon pass from existence. Protective laws and regulations can create broader obligations on a company.

United States data protection law is a wide and varied collection of state statutes, federal legislation and regulations, court decisions and agency interpretations. Businesses handling sensitive, personally identifiable data may be subject to dozens of requirements in information treatment, document retention and disposal, and obligations to provide notice to data owners and government authorities upon loss of data control. The patchwork of data privacy and protection laws includes statutes on the books of at least 44 states that require certain businesses to inform data subjects, public entities and/or credit reporting agencies when personally identifiable data has been placed at risk. These laws were passed to tackle the problem of identity theft, and they address electronic and physical security breaches.

Federal laws protecting data tend to arise around especially sensitive classifications of information. Financial data, both in and out of the banking system, has been regulated for decades, including most famously in the Gramm-Leach-Bliley Act (GLB) and the Fair Credit Reporting Act (FCRA). Medical information is protected by the Health Insurance Portability and Accountability Act (HIPAA), as well as by its subsequent regulations. The Children's Online Privacy...
