Back-Up Data-Goldmine or Landmine?

Imagine that you've just been appointed as the receiver for a company specializing in electronic components. At its peak, the company was shipping components across Canada, and earning revenues in the seven-figure range. But sales plummeted after a new CEO took over the reins. Orders stopped being filled; invoices were no longer being paid on time; and the seven figures that once looked so impressive dwindled down to five, then four, then three.

Eventually, the company was forced into receivership.

As the newly appointed receiver, you've been called in to sell the company's assets and, if possible, determine what transpired to turn a profitable company into an unprofitable one. Rumours abound that the CEO, COO, and CFO all collaborated to bring down the company, but anyone associated with the organization has either left for greener pastures or isn't talking. The paper records exist, but are scattered and incomplete. How can you determine what occurred at the company in its final days? Is all hope of retrieving information lost?

Actually no, all hope is not lost...

In the race to uncover gems of information contained in a company's paper documentation, people often overlook the wealth of electronic data available on the company's computer network.

A corporate computer network can be home to hundreds of thousands-if not hundreds of millions-of pages of information. For example, a 60-gigabyte hard drive, which is the standard size used in most notebook computers, can contain the equivalent of 6.7 x 106 double-sided pages of information. This means that if you're dealing with a medium-sized company that has, 20 employees-each with their own notebook computer-and a network file server 300 gigabytes in size, you would have a total of approximately 1.5 terabytes of data, or 1.6 x 10^sup 8^ potential pages of information to review. That's a whole lot of data.

Preservation is the first step

As far as electronic data is concerned, the most important step to take in a receivership is to preserve the electronic evidence. Even the simple act of turning on a computer or server could destroy crucial time and datestamp information; overwrite important data contained in the unallocated clusters1; or even unleash a virus that would encrypt the hard drive, thereby preventing access. To ensure that potentially valuable information remains unchanged, data preservation should be undertaken, regardless of whether or not the receiver suspects any wrong doing. In fact, the electronic preservation of documents should be the first course of action before any computer systems are turned on or any files are accessed manually.

The preservation of electronic records is inexpensive and relatively quick, and-provided that proper procedures are taken-it ensures that all data is preserved in a format that's acceptable to the BC Supreme Court, should the investigation lead to legal proceedings. After the data is preserved and set aside in a secure location, the receiver can use the original computer hardware without fear of destroying key information.

Why go to the trouble of preserving the data?

Appropriate data preservation techniques, exercised prior to the deletion of the original data, enable the receiver to gain access to the original electronic information. This data capture need not be limited to accounting records, and can include email correspondence, Internet-surfing histories, deleted document recovery, and information detailing which files were copied and/or removed from the computer network in the later days of the company's operations.

Perhaps the greatest benefit to taking proper precautions when preserving data is the ability to recreate email correspondence. The very nature of email is that it tends to stay in an electronic format. Unlike files created in Microsoft Word or Excel, for example, which might end up as part of a work file that gets printed, email frequently stays on a user's computer in "soft" (electronic) format. While diligent users will file their email messages in the appropriate client folders within their email programs, many users will leave important, client-related email messages sitting in their "Sent" or "Inbox" folders.

Another important aspect of email is that users tend to consider it a more casual form of conversation than other business correspondence. Did the CEO, COO, and CFO know about the company's true status well before its last days? Were they taking active steps to reverse the company's financial downfall or were they simply coasting? The answers to these and other questions will often emerge from staff members' email correspondence with external suppliers and with friends.

The receiver's roles and responsibilities

There are two levels of data retention with which the receiver should be concerned:

1) General corporate confidentiality, which is usually administered in the case of bankruptcy by the bankruptcy and Insolvency Act, and

2) The Personal Information Protection and Electronic Documents Act (PIPEDA).

Bankruptcy and Insolvency Act

Under the Bankruptcy and Insolvency Act, receivers have a duty to "act in a commercially responsible way and in good faith."2 This statement helps to ensure that receivers take appropriate precautions when administering data-retention and deletion plans. For example, it could be argued that a receiver who does not take the proper precautions in the handling of data is not acting responsibly.

Moreover, General Rule 68 of the Bankruptcy and Insolvency Act states that: "Unless the court orders otherwise, a trustee shall keep, for at least four years after the date of the trustee's discharge, the books, records, and documents relating to the administration of that estate."3

Note that no differentiation is made between paper and electronic documents. And since the court has demonstrated-through the successful use of applications such as the Anton Pillar Court Order, which provides for the right to search premises without prior warning and is often used to prevent the destruction of potentially incriminating evidence-that electronic documents are to be treated as paper documents, it stands to reason that Rule 68 would apply to electronic data as well.

That said, holding on to numerous computer servers and desktop computers is a costly, space-wasting endeavour; and when all that is really required is the data held within those systems, employing proper data-retention techniques makes good sense.

Personal Information Protection and Electronic Documents Act (PIPEDA)

In addition to general corporate concerns, the receiver must also keep PIPEDA in mind. Receivers are bound by this legislation in so far as it pertains to specific information regarding individuals. The goal of PIPEDA is "to support and promote electronic commerce by protecting the personal information that is collected, used, or disclosed in certain circumstances."4 Thus, the intention of the Act is not to provide specific direction for a receiver with regard to their role and how it relates to data retention and/or destruction policies; however, the Act does provide guidelines on how data can be used once it has been collected (for instance, who can see it and how long it can be retained).

In addition to providing guidelines on how data can be handled after it has been collected, the Act also outlines the recourses available to an individual if they feel their information has been misused. section 5 of PIPEDA states that: "Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law."5

Consequently, it is conceivable that if an individual provided their information to a facility selling widgets, only for this facility to go bankrupt and have its assets sold to a water-bottling company, the individual could nonetheless expect their information to remain confidential.

For the receiver, this means selling off any computer equipment that contains personal information could be construed as misuse. This dilemma can be avoided, however, if the receiver takes the appropriate measures to properly remove data from electronic devices prior to their surplus. Proper destruction methods ensure that confidential records do not mistakenly fall into the hands of people they were not intended for, and help to ensure that the receiver is compliant with the Bankruptcy and Insolvency Act, as well as with section 5 of PIPEDA.

Data retention - for better or worse

Due to their widespread nature and ease of use, computers are likely to be present whenever a company goes into receivership. Ensuring that the data contained on the computers is approached in a logical way is something the receiver will have to consider. Acts like PIPEDA and the Bankruptcy and Insolvency Act stipulate that proper steps be taken. And with some advance preparation and a discussion with an individual experienced in data preservation, the task of what to do with the computers need not be a stressful one.

© 2006 Institute of Chartered Accountants of British Columbia Provided by ProQuest LLC. All Rights Reserved.