Data Destruction and Bankruptcy
A lot of interest and attention is focused on issues relating to the security and storage of data, but there is also a lot to understand and consider regarding the final phase of data life: destruction. Perhaps it is due to the optimism with which one builds a business, but it is not built often enough with its end in mind. An end can happen in a number of ways, such as closure or acquisition, but today we will consider the implications for data when a business ends in bankruptcy. Like any unexpected death, a bankruptcy forces one to quickly, and sometimes hastily, tie up loose ends, liquidate assets, confer with stakeholders and family members, and contend with the many emotions that arise during this process. Some aspects of bankruptcy, such as liquidating IT equipment, are fairly straightforward. Others, such as data destruction, require more consideration and consultation.
The process of data destruction must be managed skillfully and with the utmost care in order to comply with the myriad of legal, moral, and practical constraints imposed by your situation. Otherwise, serious complications could arise from mishandling these tasks. The level of complexity of the handling and destruction of data will depend on several factors, including which state you have filed bankruptcy in, what type of bankruptcy you have filed for, conditions imposed by courts and/or stakeholders, and the types and formats of data that your organization has in its possession. It is also likely that some types of data will require responsible destruction while others require secure retention.
A debtor filing for bankruptcy has an obligation to protect personally identifiable information (PII) and other confidential information to comply with data privacy protections under data security laws as well as non-bankruptcy privacy legal frameworks and bankruptcy-specific statutory provisions regarding information [1]. PII can include name, mailing address, email address, phone number, social security number, credit card information, birth date or place, and other information that can be used to identify or contact an individual. There is no single, comprehensive data privacy law in the US, but rather a mixture of state and federal laws. Some of these laws can pertain to the sale or transfer of PII, destruction of medical records, cybersecurity, biometric and genetic data, and state laws that govern the disposal of personal data by businesses.
State attorneys general often play a large role in consumer protection through the enforcement of state laws regarding data disposal and data breach notification, and the Federal Trade Commission regulates data disposal and data breach notification as well. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines national standards to prevent the disclosure of protected health information (PHI), including identifiable demographic and other information relating to an individual’s past, present, or future physical or mental health condition, information concerning the provision of health care or payment of health care costs, and PHI under the Genetic Information Nondiscrimination Act of 2008 (GINA). Section 107 of the Bankruptcy Code requires bankruptcy case filings to be public records, but certain types of information must be protected: names of minor children, disclosure of scandalous or defamatory matter, and information that creates an undue risk of identity theft or other unlawful injury. Other types of information that are required to protect the estate or entity can be protected by motion or request, such as trade secrets, confidential research, development, or commercial information, scandalous or defamatory matter contained in any paper filed in the bankruptcy case, and governmental matters that are made confidential by statute or regulation.
End of Data Life Cycle
Once it has been determined through the bankruptcy proceedings which data is to be destroyed (and possibly, how it is to be destroyed), it is time to go about destroying it. The life of big data can be organized into five phases: collection, storage, analytics, utilization, and destruction [2]. In this destruction phase you are permanently removing the data that you have collected. Some possible solutions for destruction include physically destroying hard disks or other storage devices through a process such as degaussing. Degaussing is the process of reducing or eliminating an unwanted magnetic field (data) stored on tape and disk media such as computer and laptop hard drives, diskettes, reels, cassettes, and cartridge tapes. The powerful magnetic field of a degausser neutralizes the magnetic data on a tape or hard disk, effectively erasing it. Software overwriting is another data destruction solution that involves eliminating a path that a computer uses to access a file and then reassigning the space so that it is available for future use.
These methods can destroy the data that you hold in your physical possession, but what about data in distributed environments and web storage, such as the cloud? Since the cloud is a distributed storage space based on virtualization technology, it can be more difficult to track down specific datasets. A virtualized storage environment may move databases across a few different storage arrays and hard disks, depending on demand for storage capacity or processing performance at a given time. Cloud environments are built to streamline these processes for vendors, but vendors must also back up client data, so copies of the datasets must also be found. It’s possible you may need to use a virtual method to pin down the hard disks where the data was deleted, but this method may allow some information to remain on the disk, which leads to the existence of “zombie data”: data that was thought to be deleted but still exists on servers and storage devices.
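The difference between removing a file's path and overwriting its blocks, and how the former leaves the kind of "zombie data" described above, can be seen in a small model. This is an added example, not code from the original article; `ToyDisk`, its methods, the path and the sample record are all constructed for illustration and do not model any real filesystem or cloud product.

```python
BLOCK = 16  # bytes per block in this toy model


class ToyDisk:
    """Constructed block-store model: a directory of paths over raw blocks."""

    def __init__(self, num_blocks=8):
        self.blocks = [bytes(BLOCK) for _ in range(num_blocks)]
        self.free = list(range(num_blocks))  # block numbers open for reuse
        self.directory = {}                  # path -> block numbers

    def write(self, path, data):
        used = []
        for off in range(0, len(data), BLOCK):
            n = self.free.pop(0)
            self.blocks[n] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            used.append(n)
        self.directory[path] = used

    def delete(self, path):
        # Ordinary delete: drop the path, mark the space reusable, touch no data.
        self.free.extend(self.directory.pop(path))

    def overwrite_and_delete(self, path):
        # Sanitizing delete: replace each block's contents before freeing it.
        for n in self.directory[path]:
            self.blocks[n] = bytes(BLOCK)
        self.delete(path)

    def raw_scan(self, needle):
        # What a forensic read of the raw device sees, ignoring the directory.
        image, hits = b"".join(self.blocks), []
        i = image.find(needle)
        while i != -1:
            hits.append(i)
            i = image.find(needle, i + 1)
        return hits


def demo():
    needle = b"000-00-0000"                      # constructed placeholder value
    record = b"name=Jane Example;ssn=" + needle  # constructed sample record
    plain, wiped = ToyDisk(), ToyDisk()
    for disk in (plain, wiped):
        disk.write("/crm/customer1", record)
    plain.delete("/crm/customer1")
    wiped.overwrite_and_delete("/crm/customer1")
    return {"plain_listed": "/crm/customer1" in plain.directory,
            "plain_remnants": plain.raw_scan(needle),
            "wiped_remnants": wiped.raw_scan(needle)}
```

On the deleted-only disk the path is gone but the record is still readable from the raw blocks until something happens to reuse them. Every backup or replica of a dataset is a separate copy of those blocks and needs the same treatment, and on SSDs or virtualized storage an in-place overwrite is not guaranteed to reach the physical location that held the old copy.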
In summary, data destruction is a complex task that may require specialized skills and equipment in order to ensure that the data is fully and permanently destroyed.
Data Retention Policy
As previously noted, the data in your possession will fall into several categories, and the management and destruction of the data in some of those categories are dictated by a myriad of policies, regulations, best practices, business needs, and the particular stipulations of a bankruptcy case. In the event of a bankruptcy, you will be tasked with tracking down every piece of data that needs special treatment. Considering that your organization could have created a thousand documents every single day, a clear and concise document retention policy is recommended. While there are many factors that can influence a robust document retention policy, some basic steps to develop one may include: selecting a point person or committee, taking inventory of your data, reviewing rules on document retention requirements, creating a retention schedule and instructions, setting rules on document destruction, noting litigation holds and other exceptions, implementing documentation retention training, and reviewing and updating the document retention policy as needed [3]. Having this policy in place can save your organization a tremendous amount of tedious work in the event of a bankruptcy in the future, but it could also help to save on storage costs and help you to keep your data more organized, secure, and properly maintained in the present.
[1] Brountzas, 2018, “Data Privacy in Bankruptcy”
[2] Koo et al., 2020, Sustainability, “Security and Privacy in Big Data Life Cycle: A Survey and Open Challenges”
[3] Halliburton, 2020, “Manage Risks by Developing a Robust Document Retention Policy”