Rodney Hide explains that maybe your financial records won’t be safe with Xero after revealing that Xero has handed over financial records to the Official Assignee outside of the law.
Xero CEO Rod Drury has always said safe. He again reassured NBR readers in July that Xero never releases customers’ financial records to state agents.
Mr Drury said Xero refers requests back to the customer for the information required.
“We are the custodians of our customers’ data,” Mr Drury said.
But one customer knows different. Last year Xero passed her company’s records to state agents, they had no warrant, Xero didn’t tell her, and, indeed, when she asked, Xero denied it.
Deputy Official Assignee Annemarie Foidl had asked Xero to supply the customer’s “user name” and “password” citing s171 of the Insolvency Act 2006. It wasn’t just the records she wanted but access. For a month.
We don’t know what then transpired but we do know Xero “supplied [the Official Assignee] with a report showing the credits and debits of each account connected to the subscription.”
Xero didn’t tell the customer.
That is outrageous. Some more details.
The customer is my friend Kristina Buxton. Her husband, the bankrupt Dave Henderson, is not a shareholder, office holder or employee of her company.
Ms Buxton has not been accused of doing anything wrong. Neither has her company.
It seems the Official Assignee just wanted to have a look. And Xero let them.
The law is clear. The Insolvency Act 2006 provides the Official Assignee the power to issue Ms Buxton a s171 notice seeking documents relating to her husband’s “property, conduct or dealings.” The Official Assignee can also examine company records under s182 but only for those companies for which the bankrupt is an “associated person” and only with court authorisation, that is, a warrant.
The act provides the Official Assignee no power over third parties for company information.
It would seem the Official Assignee bluffed Xero into release, just as the Police bluffed Westpac.
On her inquiry, Xero’s customer service told Ms Buxton, “I can confirm that no one other than the invited have accessed your Organisation AFB Treasury Ltd.”
That wasn’t true. Once Ms Buxton had established incontrovertible evidence she went back to Xero.
Its in-house lawyer, Matt Vaughan, explained the team member “was not aware that information had been provided to the Official Assignee.” So much for Xero’s reassurances.
Mr Vaughan’s response to Ms Buxton’s complaint is that, “these are matters for you to address directly with the Official Assignee, and not with Xero.”
For Xero, Ms Buxton’s complaint is with the Official Assignee for asking, not with Xero for giving.
And what does Mr Drury say? “Our team looked at this and is confident on our position.”
That’s despite Xero’s actions being in direct contradiction to his public assurances.
I am a customer of Xero, and given the attacks on my data in the past this leaves me with little confidence. I can well imagine with the false complaints laid against me with the Police and IRD and WINZ that there may well have been requests made to Xero, and now that I know that they hand over data without checking with the customer it leaves me feeling a little cold about it all really.
I am going to ask these questions directly of Rod Drury. He needs to sort this out very quickly because this could well become Xero’s VW moment.
Rodney Hide asked Whaleoil to add the following