Legal Recourse Limited
Considering the damages that can occur from defunct companies improperly disposing of data, is there any legal recourse for affected consumers and businesses? In a word: no.
"It is exceptionally difficult to prove an actual loss to the victims and it's hard to show intent to harm. Plus, companies are held responsible rather than individuals and when the company is gone, there is no one left to sue," says Ted Claypoole, attorney, Data Protection Practice at Womble Carlyle Sandridge & Rice. "However, each state handles the situation differently and there is some movement towards addressing this issue."
Claypoole cites the FTC v. Toysmart.com case in 2000: the FTC filed suit alleging that Toysmart had misrepresented it would "never" disclose, sell, or offer for sale consumers' personal information to third parties. Later, the FTC filed an amended complaint alleging that Toysmart had also collected names, e-mail addresses, and ages of children under 13 without notifying parents or obtaining parental consent, as required under the Children's Online Privacy Protection Act (COPPA).
The FTC's allegations arose after Toysmart began soliciting bids for its assets, including customer information, through its Web site and major newspapers.
The FTC settled its charges with Toysmart, proposing a federal district court order that would require Toysmart to delete any information collected in violation of COPPA, prohibit Toysmart from misrepresenting its information collection practices, and bar the company from disclosing customer information, except as allowed by a related bankruptcy order. As part of the settlement, a proposed bankruptcy order would allow the company to sell its customer information to a "qualified buyer" that would take over Toysmart's Web site and adhere to Toysmart's privacy policies as its successor-interest. Customers would be required to give their affirmative consent ("opt-in") to any new uses of their information.
However, the Bankruptcy Court rejected a motion by Toysmart to enter a settlement with the FTC, stating that the court would impose no pre-set restrictions on the sale of Toysmart's assets since no buyer had come forward. The court indicated it would hear objections to an asset sale if a new buyer made an offer.
"What this case showed us was that the FTC is willing to step in and say 'even after death, companies are to be regulated on data,'" explains Claypoole. "We'll see where that kind of thought goes."
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.