BreachExchange mailing list archives

How safe is your information when a company goes bankrupt?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Apr 2015 09:02:19 -0600

http://www.dallasnews.com/business/headlines/20150404-how-safe-is-your-information-when-a-company-goes-bankrupt.ece

Gadget-minded fans of Fort Worth-based RadioShack cheered this week as a
federal bankruptcy judge in Delaware approved a path out of insolvency for
the venerable retailer.

But the case also highlighted something else: how vulnerable consumers’
privacy can be when the companies they let keep tabs on them go belly up.

Last week, as the deal that ultimately would give RadioShack a second
chance at survival was being worked out, it became clear that if the
company were liquidated, it would almost certainly sell off its massive
customer list.

As with many bankrupt firms, that list would have been worth a fortune to
the right buyer, especially if the data could be sold free of any
obligation to keep it private. Like most large and reputable companies,
RadioShack had promised customers not to sell the data it collected to
third parties.

But bankruptcy court is a unique setting in American law, and one of its
chief purposes is to maximize the value of a bankrupt company’s assets even
if it must sever otherwise valid contracts.

In RadioShack’s case, that prospect had alarmed more than just privacy
watchdogs. Dallas-based AT&T Inc. filed a letter with Judge Brendan Shannon
arguing that it, and not RadioShack, owned tens of millions of profiles
collected by RadioShack over the years it had spent selling AT&T-branded
devices and wireless service in its stores.

Keeping promises

Texas Attorney General Ken Paxton, joined by a host of other state
attorneys general and government agencies, also objected. He argued that
state laws against deceptive trade practices required RadioShack to make
sure that whomever it sold the data to would keep the same promises it had
made when it collected the information initially.

Both those concerns were alleviated, at least temporarily, by agreements
approved by Shannon as he approved RadioShack’s sale to hedge fund Standard
General. The fund had been one of RadioShack’s largest creditors.

It’s not unusual that a company as large and as old as RadioShack has a
list of customers — their names, addresses, billing information and buying
habits — that would be worth millions to third parties.

“I learned early on that customer lists always have value,” said Dallas
bankruptcy lawyer Martin Sosland, a partner with Weil.

But just how valuable is often hard to tell, since those lists can be just
part of the pile of assets gobbled up during a liquidation. When Dish
Network bought Blockbuster’s assets for $320 million four years ago, it got
millions of records that showed what movies Blockbuster’s customers had
watched and how often and in what format.

“Dish never said what value they put on that list,” Sosland said. “But it
was probably most interested in the smaller subset of data that dealt with
customers who had signed up for Blockbuster’s new streaming service.”

There were no privacy concerns raised when Blockbuster’s customer data was
transferred to Dish. The company had readily agreed to abide by whatever
promises Blockbuster had made to its own customers. That’s common when the
acquiring party is in roughly the same business as the one that failed,
Sosland said.

Troves of data

But what the RadioShack case highlighted is just how vulnerable customer
data can be when it’s sold as a stand-alone asset to the highest bidder.
Its initial inclusion of the AT&T records also underscored how complex
ownership of that data can be.

“This hasn’t been litigated much, and there isn’t really good case law,”
Sosland said.

Fights over customer lists are as old as bankruptcy itself. But they’ve
taken on more importance in the Internet era. Ten years ago, President
George W. Bush signed into law a bankruptcy reform act that included
language giving consumers more protection.

A spokesman for the Federal Trade Commission said that the worry then had
been that as more and more companies were doing business on the Internet
they were collecting far more information than had ever before been
available.

But that concern has risen sharply since then, as companies like Facebook,
Google and many others acquire enormous troves of extremely personal data
on hundreds of millions of customers. And while those firms may be unlikely
candidates for bankruptcies or takeovers, the hundreds of newly created
companies selling apps through mobile phones often gain access to those
same customer lists.

Customers who trade permission for a convenient sign-on can be leaving
their data open for entirely unexpected uses should the companies who’ve
created those apps go out of business, even if they’ve made promises to
keep the data secret.

The FTC says it regularly sends letters urging bankruptcy judges to require
that firms that buy customer data abide by the original privacy promises.
But those letters aren’t binding.

The 2005 law provides that if a buyer during bankruptcy wants to use the
customer list in new ways and ignore previous promises, the judge has to
appoint a privacy ombudsman to look after customer privacy interests.

Legal limits

But that protection can easily be bypassed.

Sosland, the Dallas bankruptcy lawyer, said the purview of the privacy
ombudsman is limited. “They get involved if the buyer plans to use the data
in a way that is contrary to the original privacy policy,” he said. “But
what they look for is whether the intended uses violate other laws outside
of bankruptcy.”

A plan to sell Social Security numbers or reveal individuals’ health
information, then, would certainly violate other laws.

In those cases, the ombudsman is empowered to recommend that the bankruptcy
judge disallow the sale.

But if the new uses don’t violate other laws — and many uses consumers
would probably recoil from would be legal — then there’s nothing in the
bankruptcy law to prevent the sale.

When the sale was announced Wednesday, Paxton’s office took credit for
having helped keep the data private. But it also conceded that the issue
isn’t over, since the new RadioShack remains in troubled territory. He
called on RadioShack to “entirely rule out any such sale in the future.”

Without such a guarantee, the customer data could be on the market again in
six months. That’s how long the judge gave the new RadioShack to implement
its new strategy, which involves shrinking from 4,000 to 1,700 stores and
deep in-store partnerships with Sprint.

During that time, one of its other creditors will keep the rights to its
intellectual property, including its name and customer data. If the new
plan works, RadioShack will probably buy back those assets in six months.
If not, the data will likely be up for sale.