Bankruptcy is a part of the business world. It happens more often than you think, and when it does, everyone seems to focus on the business impacts of a closure. I think about something different: the data. You can search the internet for "bankruptcy" and "breach" and find hundreds of articles, but they are talking about breaches causing bankruptcy, not bankruptcy causing breaches. What happens to the data when the doors are suddenly closed and the employees in charge of protecting that data are released without preparation?
Unfortunately, I have first-hand experience of this situation recently. I worked at a health care company, one of the largest in Florida for the services it provided, for almost 4 years, and at the end I was the primary security officer. I was a Director, not the CISO (we didn't have one), but I had all the roles and responsibilities of one. During my time there we made great strides to improve and strengthen the security posture of the company and our clients. I conducted regular audits, had third-party security vulnerability and penetration testing done, had a HIPAA Security Risk Assessment completed, and re-wrote all the policies and standards to start creating a process-oriented, governance-based information technology environment. In 12 months we started from basically zero after a huge organizational shift and felt we had created the foundation of a strong security framework to carry us forward. The much-publicized breaches at Anthem, Premera and other health organizations helped win executive support for, and visibility of, the security initiatives.
I knew for a year that the company was financially struggling, and during the last 5 months things got worse. I ended up laying off my security team gradually, to the point that I was the only security expert in the company. Then last week I was told my position was being eliminated and security was going to be absorbed into IT. I had two weeks to prepare the transition of all my processes, audits, reports, alerts, actions, etc… to the IT team. Two days later I was told that there was no more RIF (Reduction In Force); instead the company was going bankrupt and filing Chapter 7, which means letting everyone go in the next few days, shutting the doors and liquidating. All said and done in two weeks.
I began to scramble to a) figure out if I was going to be around during the shutdown process and b) come up with a plan to protect the 5 million+ records we had sitting in databases, backups, tapes and offsite storage, to prevent a breach for as long as I could. A day later I got the answer to the first one: I, along with hundreds of other people, was sent on my way, and I have no idea if item b) was ever addressed. As I look for a new security opportunity I keep thinking about the situation and what happens to the data. Millions of people's lives are sitting there with no one now ensuring the data's protection. Worse, if there were a breach, how would anyone know, when critical security systems are shut off and not maintained?
When a company goes Chapter 7 it no longer exists: all contracts are basically null and void, creditors can't chase you down, and assets go into an estate for a judge to decide who gets what piece of the money pie in the liquidation. What about the data? Where does that go? What are the laws to continue to ensure the data's protection? Who is now liable to the millions of people if something were to happen to it after the company disappears?
With all the systems shut down and access disabled and stripped in a mass event, all the eyes on the security of the company are now gone. That data is still sitting there, along with all the file shares, laptops that are never collected and disposed of properly, servers and data in cloud services, and tape backups sitting in offsite storage, all of it with no one to manage the handling anymore. In two weeks the company will have gone from fully operational to non-existent. Poof. Like any company, we couldn't get small, fast projects done in two weeks with all the reviews and approvals, but the entire company will be shut down with no process: flip the switches and leave. Eventually those facilities and offices will go into foreclosure and the landlords may send crews in to clean out everything. Where does all of that go, and who watches the movers to make sure they don't take anything? The list goes on.
When a company has a layoff of any size, it becomes a prime target for theft or malicious acts. When 90% of the employees are let go on the same day and the remaining 10% a week later, you have a recipe for disaster. As far as I know there is no government agency or requirement for any type of third-party oversight when companies prepare for Chapter 7. If there is one after the filing is complete, the damage is already done once the employees are removed. Much like the WARN letters and government notices that are required to be sent out ahead of time, there should also be a flag for the government to send in a team to monitor and ensure that customer data is protected and maintained during the wind-down process.
I don't know the answers, especially when the empowered and experienced are removed. I have never experienced this before and I hope I don't again. This will happen to someone else, and when it happens to people's PHI/PII/PCI and other critical data, data that could lead to identity theft, fraud and abuse once the company stops being a company, where do they turn? Who do the victims hold responsible? Is this a lost cause for our identity protection in situations like this? Sure, the data might be sold off as part of the bankruptcy process because it does have significant value to others, but who's watching to make sure disgruntled employees or service providers don't take a copy first and sell it themselves to the Russian or Chinese cyber-mobs?
End of line.
Binary Blogger has spent 20 years in the Information Security space and currently provides security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.