Imagine learning that your genetic data, which you thought you had deleted months ago, has been transferred to a company you have never heard of. Despite your careful attempts to remove your DNA profile, family health history and raw genetic data from a genetic testing service, it resurfaces during bankruptcy proceedings as a valuable asset. No further consent required. No real option to prevent the transfer. This nightmare scenario isn’t science fiction; it’s the potential reality facing millions when data-rich companies collapse.
8 Steps to Take During and After Bankruptcy to Protect Your Data
- Submit formal objections to the bankruptcy court if your data is listed as an asset.
- Contact state attorney general’s offices regarding privacy concerns.
- File consumer complaints with the FTC about improper data transfers.
- Monitor for notification of asset transfers that may include your data.
- Monitor your accounts for unusual activity that might indicate data misuse.
- Consider credit monitoring if sensitive financial information was involved.
- Be vigilant about related phishing attempts using company information.
- Exercise opt-out rights with any successor companies that acquired data.
The recent bankruptcy filing by 23andMe highlights a critical truth most consumers overlook: when you delete your data, it may not disappear completely. Even as people rush to delete accounts and request removals following corporate meltdowns, they create a dangerous false sense of security. Behind the scenes, sensitive information often lives on, scattered across servers, data backups and archived databases on equipment likely to change hands.
When Data Becomes a Corporate Asset
Personal data becomes a financial asset during bankruptcy when it is sold, transferred, or auctioned to the highest bidder. Privacy policies might promise protection, but bankruptcy courts may override those agreements, treating your data as corporate property rather than personal information.
In RadioShack’s 2015 bankruptcy, the company attempted to sell 117 million customer records as an asset. Only intervention from the FTC and state attorneys general prevented the sale. Toys R Us and Cambridge Analytica saw similar controversies as they dissolved. Due to budget constraints and policy shifts, the FTC’s ability to intervene in bankruptcy proceedings involving consumer data is declining.
The harsh reality is that bankruptcy prioritizes creditors over consumers. Even if you requested deletion, that request may go unheeded once corporate oversight breaks down.
What Happens to Security Protections?
In normal operations, responsible companies implement layered security to protect your data:
- Regular security assessments and software updates.
- Hardware and software encryption to ensure secure data storage.
- Controlled access and authorization to data centers.
- External audits and compliance monitoring.
But when bankruptcy hits, those protections may deteriorate quickly. IT teams disband. Institutional knowledge disappears. Inadequate oversight may lead to encryption keys being lost, misused, or transferred without appropriate safeguards.
At DriveSavers, we’ve recovered confidential business documents from resold enterprise equipment, personal data from decommissioned systems and customer databases on discarded storage devices. Each case reveals a failure of basic data security, failures that become even more common during a corporate transition.
The Physical Reality of Data Exposure
Following a bankruptcy, the physical hardware storing your data can take several paths. In some cases, it may be transferred to a new owner with data still intact. Other times, it is auctioned off, potentially with minimal checks to ensure the data has been properly removed. In the worst cases, the equipment is simply abandoned or forgotten in warehouses or storage units, leaving sensitive data at risk.
Even when companies attempt to delete data, they may rely on inadequate methods that fail to meet National Institute of Standards and Technology (NIST) or Department of Defense standards. When you delete a file, the computer removes its reference to the file’s location, but the actual data remains and can often be recovered unless overwritten.
While encryption provides some protection, it is not always enough. We’ve seen encryption keys stored alongside protected data, shared over insecure channels, or documented in internal knowledge bases. These practices show even encrypted data is at risk.
The physical reality contradicts the illusion of deletion. When you click “delete my account,” you’re trusting that proper protocols exist and will continue functioning, even as the company’s security operations change.
Why Genetic Data Is Especially Dangerous
Genetic information poses unique risks:
- You can’t change your DNA if it’s compromised.
- It reveals sensitive info about family members who never consented.
- It may influence health insurance or employment decisions.
- It can enable unprecedented tracking and targeting.
This is why the Pentagon warned service members in 2019 against using direct-to-consumer genetic tests. The concern wasn’t hypothetical; it was a warning about the long-term implications of losing control over this data.
When oversight disappears during bankruptcy, your DNA can become a fungible asset, passed to pharmaceutical firms, data brokers, or insurers who use it in ways you never agreed to.
What Can Consumers Do?
Unfortunately, legal protections during bankruptcy are limited. Privacy policies often contain language permitting data transfers during corporate transitions. 23andMe’s own policy allows for the sale of genetic and personal data in bankruptcy, with vague assurances that new owners will honor existing terms. Still, consumers can take some protective steps:
Before Company Financial Troubles
- Request complete data export to maintain your own copy of information
- Submit formal deletion requests through proper channels (not just account deactivation)
- Review privacy policies specifically for language about company transitions or bankruptcy
- Ask specific questions about data retention practices, including:
- “Do you permanently delete my data from all systems, including backups?”
- “What verification processes confirm complete data deletion?”
- “How do you handle my data during ownership changes?”
During Bankruptcy
- Submit formal objections to the bankruptcy court if your data is listed as an asset.
- Contact state attorney general’s offices regarding privacy concerns.
- File consumer complaints with the FTC about improper data transfers.
- Monitor for notification of asset transfers that may include your data.
After Company Dissolution
- Monitor your accounts for unusual activity that might indicate data misuse.
- Consider credit monitoring if sensitive financial information was involved.
- Be vigilant about related phishing attempts using company information.
- Exercise opt-out rights with any successor companies that acquired data.
What Companies Should Be Doing
Organizations that handle sensitive data, especially genetic or financial, have a duty to protect consumers even during worst-case scenarios. That includes:
- Verified deletion protocols: Regular audits, data maps, and permanent deletion of backups.
- Secure transitions: Key transfer protocols, chain-of-custody requirements
- Proper hardware disposal: NIST-compliant sanitization, documentation of equipment handling.
- Ethical governance: Data minimization, consumer notifications, and strict transfer rules
These measures protect both consumers and companies from long-term liability, and they should be part of every company’s data management planning.
Your data’s journey doesn’t end when you click “delete”, and it certainly doesn’t end when a company files for bankruptcy. Only by understanding the risks and asking tough questions can we protect our most sensitive information in an uncertain corporate landscape.
