The big data dilemma: what happens to consumer data when a startup shuts shop
A month ago, 27-year-old Amit (name changed to protect identity) was forced to abruptly leave the apartment he had taken on lease via co-living startup Homigo. This was just after news emerged that the startup had run out of cash and that its founders were absconding.
Less than a month later, the calls started to come in. Not just for Amit, but for many other Homigo customers like him. Representatives claiming to be from other real estate firms began offering them furnished properties on lease or rent, in exchange for a deposit and rent that would have to be paid via their firms – a model similar to what Homigo followed.
For many aggrieved tenants, already reeling under the loss of their homes and their money, the calls from these so-called real estate agencies added to their worries – this time, about the safety and security of their personal information that they had earlier shared with the startup.
Indeed, the worries plaguing the erstwhile Homigo customers brings to fore the one question most experts contend there is no clear answer for: what happens to consumer data when a startup shuts shop?
Novojuris Legal Founder Sharda Balaji says legal and ethical protocol demands that all consumer data be deleted from the servers when a startup shuts down.
“There are two scenarios here. If the failed startup gets acquired, the data too gets acquired along with all other assets. In case of a shutdown, legal and ethical protocol demands that all the data is deleted from the servers,” says Sharda Balaji, Founder, Novojuris Legal.
It is the founder’s responsibility to delete the consumer data and information that a startup owns from all servers – especially when they stop paying for the usage of those servers, Sharda adds
The reality, however, is vastly different.
As one startup analyst says, on the condition of anonymity,
“When the founders are in a soup, consumer data and information is possibly the last thing on his or her mind.”
In the business of volunteering data
Today, at a time when data has become the biggest asset for companies across the world, ensuring the security of the vast pool of data acquired by these firms has become equally necessary.
The truth is, customers like you and me voluntarily share our personal information with the growing crop of new-age tech startups and companies. These include data about our spending patterns, our home or work details, our likes and dislikes related to products and services, and even our financial information, among other information.
“The problem is that culturally, we have been very giving of data. It is only recent hacks and incidents that have thrown light on how dangerous unprotected data can actually be for an organisation. Bringing in a shift will take time,” points out Sharda.
This means companies have a vast storehouse of consumer data by the first few years of their existence – enough to be a cause for concern to consumers in the event of a shut down. This is particularly true for startups, where the rate of failure is higher.
According to a report by the IBM Institute for Business Value and Oxford Economics, close to 90 percent of startups fail in the first five years of inception.
Different scenarios in shutdowns
There are different scenarios when startups shut down, explains BS Rao, Vice President of Marketing at Bengaluru-based cloud server provider CtrlS Data Centres Ltd.
“If it is a normal shutdown, which is planned by the board and the founders, all vendors, including the technology vendors are paid, and the data then is either taken by the company or is deleted. This goes on for a period of a few months,” he says.
Usually, the consumers themselves take that recourse of deleting the data.
Recently, when the San-Francisco-based startup Zirtual shut shop, many customers were scrambling to do damage control. This was soon after they received an email informing them of the shutdown. Zirtual was a platform that matched small-business owners with remote assistants. Many customers went about changing the passwords used by their Zirtual-provided assistants, and even got a new credit card.
In the case of a family-owned or sole proprietor business, the server provider is issued a letter saying the company will be shutting down and that the vendor can take over the server.
“Now if there is a lack of funds or bankruptcy, then a different recourse works, such as legal recourse or even conversations with lawyers, basis which the data remains in the server’s cold storage,” says Rao.
According to the vendor’s compliance and governance terms, the data needs to remain in the vendor’s server for three to five years. Rao says, “This is usually in cases where the startup cannot pay the vendor.”
Radhesh Kanumury, CEO and Managing Partner, Arka Venture Labs, states that many companies retain the code and many might even choose to use the same for some future venture. This is primarily because the ownership of the data in many cases lies in the hands of the startup and not the consumer.
But what about when a company suddenly shuts shop, as was the case with Homigo?
“In such cases, vendors need to take all the legal recourse, wait for 100 days, and then possibly write off the data. Again here, we have to keep the data for three to five years inside our servers. And this is because the cost of non-compliance is usually much higher than the cost of retaining the data,” says Rao.
Languishing in data limbo?
The more common reality is that data continues to remain in a state of limbo. As a founder of an early-stage data analytics startup says, “Most times, the data and the code happen to be joined at the hip for startups. And both end up languishing in some developer’s hard-drive.”
This makes it easy for people with the right know-how to access and use the data, as well as potentially sell it.
However, Rao believes otherwise. “If the data is in the server for compliance issues, then every possible wall is built to protect that data, because the liability now falls in the hands of the vendor.”
And yet, there is no law in place that protects customer data, although that does not mean consumers cannot turn to the law.
“The consumer can ask a founder and the business to delete all the data. If not, there can be legal recourse taken,” says Sharda.
Few consumers, however, know that legal recourse is an option. Or even how to go about seeking legal recourse.
While there’s no legal framework in place for data privacy in India as yet, the Supreme Court of India has upheld the Right to Privacy in legal cases related to data and information. According to a note by the law firm Rodl & Partner,
“A list of items has been provided which are to be treated as “sensitive personal data” which include passwords, biometric information, sexual orientation, medical records and history, credit/ debit card information, etc. but any information which is freely available or accessible in the public domain is not considered to be sensitive personal data.”
How to stop being easy pickings
Data privacy experts explain that the data languishing in the servers is the most vulnerable of its kind. It’s open to theft and misuse by anyone with a little knowledge of coding and software – something Homigo customers like Amit fear may happen with their personal data.
Still, the fate of consumer data after a company shuts down will be determined by its ownership, say other white-hat hackers, who are however divided on whether the company or the consumer owns the data.
While some say the data belongs to the startup because they’ve taken the consumer’s permission, others say the data is owned by the consumer, particularly when the company it shared it with is no longer in business.
To be clear, the responsibility of protecting consumer data lies as much as with the startup, as with the consumer, say data and privacy experts.
As one white-hat hacker aptly says,
“Whoever owns the data, it is important that as a consumer you protect your own data. Delete information given, read the check boxes, and why you are checking them. Most importantly, if you receive an email that a company is shutting shop, ask to have your data deleted.”