When a retailer goes bust, how safe is its customer data, or can it just be sold to the highest bidder?
The recent raft of shop closures on the UK high street, from Jane Norman to Borders, raises the question of how safe a company’s customer data is when it falls into the hands of the administrators and all its assets are up for sale.
After filing for bankruptcy protection, Borders noted that its assets available for sale included a “proprietary database of customer information tracked by customer E-mail address and including customer data captured at the point of sale on Borders.com and through the Borders rewards and Borders Rewards Plus programs,” which included records relating to more than 23 million customer interactions with the now-defunct bookseller.
But this is no ordinary asset. This is information that reveals the reading and purchasing habits of millions of people. It could reveal political philosophies, sexual orientations and religious beliefs—all types of sensitive information.
The Borders policy says that the retailer and its subsidiaries and affiliates “believe that your personal information—including your purchase history, phone number(s), E-mail and residential addresses, and credit-card data—belongs to you. We collect this type of information to serve you better when you provide it to us, but we do not rent or sell your information to third parties.”
After starting with that laudable goal, Borders (like many retailers) goes on to say that it can collect and share information with third parties to “improve your experience” and provides that users can “opt out” of certain uses. Borders also tells its customers that, in the event of an “acquisition or divestiture”, customers’ personal information may be an asset transferred, stating explicitly, “In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.”
Bankruptcy law prohibits the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor, unless the sale is consistent with the retailer’s privacy policy or the court appoints a consumer privacy ombudsman who allows the sale under certain conditions.
So whether our data is protected still remains a grey area; watch this space to see what happens next.
Contributions from Mark Rasch, former head of the U.S. Justice Department’s computer crime unit