Soon to be laid-off employees can also ransack sensitive company data, analysts warn. "In the case of business closure, there is lots of room for error, neglect, and even malfeasance," says Lyn Robison, senior analyst and research director of Data Management Strategies at Burton Group. "A disgruntled employee could make off with sensitive data on the way out the door."
There's been a lot of buzz around this topic this week due to a recent survey by a security industry company, but some security gurus say the threat is being taken out of context: For more advice, see Bill Brenner's take on exiting employees and risk.
No One Left to Pay the Fines?
With so much at risk, why do failing companies not take more care with data? "When a company fails there is less concern about fines for non-compliance when there is no one left to pay the fines," says John Gunn, general manager at Aladdin Knowledge Systems North America.
Protecting or erasing data may require a significant additional investment in security infrastructure at a time when companies can least afford it, he says. "The result is that many will try to fly under the radar, especially if they simply cannot afford it," says Gunn.
Individuals are likely to be hurt by this behavior, but so are businesses. "The company that goes out of business is rarely the one that gets hurt," says Michael Fleming, chairman of the American Bar Association Business Law Section, Cyberspace Law Committee. "Rather, it's the other businesses that entrusted their data to the now-defunct company who may find they've failed to account for a contingency."
For example, says Fleming, consider a health-care provider that has entrusted a third-party data processor to store its patient records. If that third-party data processor fails, the surviving health-care business may find its own customer data the subject of a bankruptcy asset proceeding, or worse, simply lost. None of this activity releases the health-care provider from liability under the various state and federal regulations.
"Companies who entrust their data to others should not presume that the law will fully protect them from the consequences of that other company's bankruptcy or insolvency -- and should therefore plan for the worst before the data is sent out by negotiating a contract which may survive a bankruptcy," Fleming says.
The new best practice in data security is to shore up contracts with third-parties to retain the rights and accessibility of data stored off-site, be that in the cloud or on a third-party server or service, in the event that the company goes bust. "That said, there are not as many easy mechanisms out there that can protect data in the same manner as a lender might protect the borrower's collateral in a bankruptcy," warns Fleming.