What happens to the personal information of users when companies that collected that data close up shop?
In the case of RadioShack, a U.S. bankruptcy judge last week sided with the Federal Trade Commission, attorneys general from 40 states, and several consumer privacy groups by severely limiting the number and uses of data acquired by hedge fund Standard General LP as part of a $26.2 million play for the intellectual property assets previously held by the failed electronics retailer.
Standard General, which has also taken over approximately 1,700 RadioShack locations, had originally sought full access to the records of 117 million RadioShack customers. However, the judge ordered that at least 50 million of those customer files to be destroyed and that credit-card data, Social Security numbers, dates of birth, phone numbers and other personally identifying information be removed from the remaining records. Email addresses of customers who downloaded product information over the past two years can be used, but even those people will be able to opt out before that information is transferred to the new owner.
This is a big win for former RadioShack customers specifically and consumer privacy advocates in general. However, for people like me who believe that personal data should not be owned by anyone other than the individual that data is about, we can’t count on individual court decisions to rule in favor of privacy in each case. RadioShack isn’t the first company, nor will it be the last, to include sensitive customer data in the assets it tries to sell to pay off creditors.
So it’s about time we pass legislation requiring that all personally identifiable information possessed by a company going through bankruptcy or acquisition be destroyed rather than treated as an asset that can be sold off to extract the most value for investors and creditors, or left unprotected from hackers.
This is even more critical as companies playing in the “sharing economy” start to fail. It’s one thing for someone to know that I bought batteries and coaxial cables from RadioShack 10 years ago, but what happens when a company that tracks our every move both online and in the physical world shuts down? What information do they possess about us now? Not only do they know where we live or work, but they may also know who we spend time with, what medications we take, and what routes our kids take to school each day.
Do we really want this information being sold to the highest bidder? Or worse. Do we want it sitting on some laptop in an abandoned San Francisco loft that was headquarters to the once hot but now defunct dating, messaging, or same-day delivery app run by a bunch of brogrammers who never thought about protecting that data correctly in the first place?
While legislation would be ideal to cover these scenarios, it’s very unlikely our elected officials will be able or willing to stand up for the privacy rights of their constituents. If that’s the case, then perhaps it’s time for consumers to take matters into their own hands using a model deployed by the Nature Conservancy.
Where the Nature Conservancy purchases environmentally sensitive land from private owners in order to prevent it from being developed for commercial purposes, we could create a similar organization to establish a fund to purchase customer information from companies winding down or looking to sell off that data as part of bankruptcy proceedings or acquisitions.
Besides destroying the acquired data, this “Nature Conservancy for Consumer Data” could also serve as a platform for teaching businesses how to change their mindset and realize they are not “owners” of customer data that must be monetized, but rather “custodians” charged with protecting it.
Are you willing to join this effort to help consumers take back control of their personal information? If so, share your thoughts and join the Personal Information Crusade, where I will be exploring this topic in greater detail.
Suni Munshani is the CEO of Protegrity, a Stamford, CT-based provider of enterprise data security software and solutions. Before joining Protegrity in 2011, Suni was CEO of Novitaz, a customized data provider for the retail and hospitality sectors. He also served as a managing partner at Persephone Investments, where he led the venture capital firm’s investment in Synetics, Inc. He eventually assumed the role of CEO and led Synetics’ acquisition to Affiliated Computer Services, which was later acquired by Lockheed Martin. He also founded several successful software and services companies, including Paradigm Systems Corporation of America (acquired by Platinum Technology/Computer Associates) and Trirex Systems.