From HIPPA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds — and more are folding every week given the economy — what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan?
“Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they’ve gone out of business and left those offices,” says Jacqueline Klosek, a senior counsel in Goodwin Procter’s Business Law Department and a member of its Intellectual Property Group.
“In addition, company computers, often containing personal data, will find their ways to the auction block,” she adds. “All too often, the discarded documents and computer files will sensitive data, such as credit card numbers, social security numbers and driver’s licenses numbers. This is the just the kind of data that can be used to commit identity theft.” […]
Considering the damages that can occur from defunct companies improperly disposing of data, is there any legal recourse for affected consumers and businesses? In a word: no.
“It is exceptionally difficult to prove an actual loss to the victims and it’s hard to show intent to harm. Plus, companies are held responsible rather than individuals and when the company is gone, there is no one left to sue,” says Ted Claypoole, attorney, Data Protection Practice at Womble Carlyle Sandridge & Rice. “However, each state handles the situation differently and there is some movement towards addressing this issue.”