Owners and managers of a failed company face a range of responsibilities: Making sure there is an orderly winding down of the business, looking employees after as best they can, preserving assets.
Often, erasing data on hard drives isn’t on the list.
However, the discovery of huge amounts of unencrypted personal data on Canadian and U.S. customers in servers and PCs offered for sale on Craigslist that once belonged to the bankrupt computer electronics chain NCIX prove some businesses aren’t following Canadian law.
“[Personal] data never belongs to the company,” says Imran Ahmad, leader of the cybersecurity and data breach practice at the Miller Thompson law firm in Toronto. “They are only the custodian, no matter if you look under federal or provincial legislation. Personally identifiable information always belongs to the individual.”
In other words, it cannot be held as an asset for a bankruptcy trustee to dispose of.
Ahmad noted Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) specifically states personal data can only be held for the purposes for which it was collected. If a company is bankrupt, then it has ceased operation and you have no purpose to keep it, he said. The only exception is if the company is being sold or restructured as a going concern and its operations continue.
But if the company is going bankrupt, Ahmad said, “the information should be destroyed.”
Nor, obviously, should personal information be left on abandoned servers and PCs when a company goes out of business.
“It’s just appalling,” Ann Cavoukian, head of Ryerson University’s Privacy by Design Centre of Excellence, said of the NCIX data discovery. “It just goes to show how poorly companies protect data, especially when they’re getting rid of their hardware devices. Of course the data wasn’t encrypted, but they could at least take the time to destroy the data before getting rid of the equipment.”
“When you are preparing to apply for bankruptcy you have an obligation to your customers to destroy the personal data … The data doesn’t belong to you. You may have custody and control over the data, but it belongs to the data subject.”
Richmond, B.C.-based NCIX, which had about a dozen stores in B.C. and Ontario, filed for bankruptcy in December, 2017.
Eight months later, Travis Doering, owner of Vancouver security consultancy PrivacyFly, discovered the data hoard after spotting this ad on Craigslist: “NCIX Database Servers – $1,500,”
As he recounted in a blog last week, Doering – who is researching an article on data brokers – went to a warehouse to find out what was available. He was given access to was one server that included database files he initially couldn’t open because they had been on a network. But the person selling the server said he had the entire NCIX database farm and hundreds of other PCs and servers from the retailer’s corporate offices. Feigning interest in a purchase, Doering returned later to examine more of the NCIX hardware. He was able to open one PC to find what he calls a “treasure trove of confidential data including credentials, invoices, photographs of customers ID’s, bills” and one NCIX employee’s T4 income tax slip.
Another server had a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data; customer service inquiries including messages and contact information; 385,000 names, serial numbers, dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords; and full credit card payment details in plain text for 258,000 users in various tables.
One Canadian file had several versions of customer databases, one of which had 3.848 million records covering a three year period between 2007 and 2010 with individual names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data. Another file had data from a financing program, employee records and vendor pricing.
Allegedly copied data
As Doering dickered to buy the hardware the salesman said he was also selling a number of hard drives to a purchaser after copying the data. The salesman also said he had already sold several hundred office NCIX desktop computers that hadn’t been wiped.
The salesman told Doering the servers, PCs and hard drives he was disposing had been just left by NCIX in a warehouse.
According to the CBC, the RCMP and British Columbia’s privacy commissioner are investigating the incident. In a tweet the RCMP said it now has possession of the hard drives.
The office of the federal privacy commissioner (OPC) has reached out to the B.C. privacy commissioner but hasn’t opened a formal investigation. Tobi Cohen, a senior communications advistor at the OPC, said in an email the office hasn’t established guidance on what a company on the verge of bankruptcy should do with personal information. There may be legal obligations that would require a company to preserve data in bankruptcy, she noted. However, she added, PIPEDA or other applicable provincial privacy laws may apply to bankruptcy trustees in respect of their handling of personal information.
Doering believes NCIX had a responsibility to encrypt all corporate drives when the company was alive, and wipe all corporate hard drives before abandoning them.
Ahmad said most large or sophisticated organizations know they have to destroy personal data on computers when the company is closing. “It’s the smaller SME’s that make me nervous.”
He added, “This kind of scenario, where you basically chuck your hardware out in the back bin and don’t bother to delete it, that, unfortunately, happens more often than it should.”
“Businesses will only provide the level of security that consumers demand of them,” Doering wrote in his blog. “It is time for all of us to demand more. The next time you hand over personal information don’t be afraid to ask three simple questions. Is the data you hold encrypted?, Which departments have access to it?, and Why do you require this information?”
(This story has been updated from the original to include comments from Tobi Cohen)