In Netlink Computer Inc. (Re), the British Columbia Supreme Court dismissed an application for leave to sue a trustee in bankruptcy for the an alleged improper disposal of assets of a bankrupt company that contained the personal information of the company’s customers.
The issues at the heart of the application first reached public attention in September 2018 when a security expert described in a blog post how he noticed that servers from the defunct company were listed for sale on Craigslist. Posing as an interested buyer, he examined the computers and found that their unwiped hard drives contained what he reported as significant amounts of sensitive customer data, including credit card information and photographs of customer identification documents. Following the blog post, the RCMP and the BC Privacy Commissioner both launched investigations. Kipling Warner, who had been a customer of the defunct company Netlink, filed law suits against Netlink, the trustee in bankruptcy which had disposed of Netlink’s assets, the auction company Able Solutions, which and sold the assets, and Netlink’s landlord. All of the law suits include claims of breach statutory obligations under the Personal Information Protection and Electronic Documents Act, breach of B.C.’s Privacy Act, and breach of B.C.’s Personal Information Protection Act. The plan was to have the law suits certified as class action proceedings. The action against Netlink was stayed due to the bankruptcy. The B.C. Supreme Court decision deals only with the action against the trustee, as leave of the court must be obtained in order to sue a trustee in bankruptcy.
As Master Harper explained in his reasons for decision, the threshold for granting leave to sue a trustee in bankruptcy is not high. The evidence presented in the claim must advance a prima facie case. Leave to proceed will be denied if the proposed action is considered frivolous or vexations, since such a lawsuit would “interfere with the due administration of the bankrupt’s estate by the trustee” (at para 9). Essentially the court must balance the competing interests of the party suing the trustee and the interest in the efficient and timely wrapping up of the bankrupt’s estate.
The decision to dismiss the application in this case was based on a number of factors. Master Harper was not impressed by the fact that the multiple law suits brought against different actors all alleged the same grounds. He described this as a “scattergun approach” that suggested a weak evidentiary foundation. The application was supported by two affidavits, one from Mr. Warner, which he described as being based on inadmissible ‘double hearsay’ and one from the blogger, Mr. Doering. While Master Harper found that the Doering affidavit contained first hand evidence from Doering’s investigation into the servers sold on Craigslist, he noted that Doering himself had not been convinced by the seller’s statements about how he came to be in possession of the servers. The Master noted that this did not provide a basis for finding that it was the trustee in bankruptcy who was responsible. The Master also noted that although an RCMP investigation had been launched at the time of the blog post, it had since concluded with no charges being laid. The Master’s conclusion was that there was no evidence to support a finding that any possible privacy breach “took place under the Trustee’s ‘supervision and control’.” (at para 58)
Although the application was dismissed, the case does highlight some important concerns about the handling of personal information in bankruptcy proceedings. Not only can customer databases be sold as assets in bankruptcy proceedings, Mr Doering’s blog post raised the spectre of computer servers and computer hard drives being disposed of without properly being wiped of the personal data that they contain. Although he dismissed the application to file suit against the Trustee, Master Harper did express some concern about the Trustee’s lack of engagement with some of the issues raised by Mr. Warner. He noted that no evidence was provided by the Trustee “as to how, or if, the Trustee seeks to protect the privacy of customers when a bankrupt’s assets (including customer information) are sold in the bankruptcy process.” (at para 44) This is an important issue, but it is one on which there is relatively little information or discussion. A 2009 blog post from Quebec flags some of the concerns raised about privacy in bankruptcy proceedings; a more recent post suggests that while larger firms are more sophisticated in how they deal with personal information assets, the data in the hands of small and medium sized firms that experience bankruptcy may be more vulnerable.