With data privacy issues constantly in the news, what do businesses need to know about handling personal information when they’re considering bankruptcy, especially if some personal information – like customer records – may be a valuable asset?
This is the second part of a 3-part series of posts addressing the Bankruptcy Code’s provisions related to personally identifiable information (“PII”), and how transfers of PII in bankruptcy can play out in the real world. [Click here to read Part I]
Part II: Practice Tips
Issues related to the transfer of PII and other personal information can complicate M&A transactions in the bankruptcy context. Businesses contemplating a restructuring can avoid minefields – as well as save time and resources – by taking steps early to understand their data assets and privacy policies and to map out strategies in advance.The focus of this post is to offer practical advice for navigating the privacy-related hurdles a business may face in connection with selling PII and other personal information as an asset in bankruptcy.
Step 1: Locate & Determine Personal Information for Sale
In a perfect world, a business facing bankruptcy is fully informed regarding its data – what data it has, where the data are stored, and the restrictions the business may be subject to with regard to its use and disclosure of data. In reality, this is not always (or even often) the case. But businesses contemplating a bankruptcy proceeding need to think about the PII and other personal information in their possession or control – and, particularly, which categories may be valuable assets in bankruptcy. As an initial matter, it is critical that a business understand:
- Who owns the data. Does the business itself own all of the PII and other personal information that may be sold, or is there another entity or entities that may have an ownership interest? For example, in RadioShack, AT&T and Verizon disputed ownership of customer data acquired by RadioShack through the sale of their respective products and services. Ultimately, the parties (including the buyer) entered a stipulation requiring detailed protocols, including technical steps, to ensure that contested AT&T and Verizon data would not be transferred or sold to General Wireless.1
- Where the data are housed. For example, does the business centralize or segregate its data? Is personal information stored on the business’s servers, in the cloud, with third-party vendors, or (most likely) some combination of these? What technically would be required for the data to be transferred to a buyer?
- How the data are organized. Does the business have the capacity to identify and extract particular categories of data while leaving other categories of data in place and intact? If an eventual court order were to direct the business to transfer certain data categories but destroy others, would that be technically possible for the business?
The answers to these questions will help businesses determine which categories of personal information may be sold and which should be excluded from an auction. Once a business has a handle on the scope of PII and other personal information that may be in play, it can focus on how to ensure that any data transfer is made legally.
Step 2: Compliance with Non-Bankruptcy Laws
With the categories of data assets eligible for sale in mind, a business should assess applicable laws and what restrictions or conditions may be imposed on the transfer. In addition to PII as defined by the Bankruptcy Code, businesses will have other categories of personal information that are governed by non-bankruptcy privacy laws, and a range of laws may apply to the same datasets. It is therefore crucial that a business consider the full scope of applicable laws and regulations, taking into account:
- U.S. laws, which vary at the federal and state level as well as by business sector (e.g., federal healthcare and financial privacy laws and the California Consumer Privacy Act);
- Foreign laws, which may apply even if a business does not physically operate in a particular country if that business collects data from residents of that country (such as under the EU General Data Protection Regulation (GDPR)); and
- Self-regulatory frameworks and standards, like the Payment Card Industry Data Security Standard (PCI-DSS) and the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
Where there may be conditions or restrictions on the transfer or sale of personal information, consider whether the business or an eventual buyer, depending on which party is better positioned, would be able to satisfy those conditions or restrictions. As examples:
- A business contemplating the transfer of Protected Health Information (PHI)2 must comply with HIPAA, which allows for the transfer of PHI with express patient authorization or, in the absence of patient authorization, only where the transfer is from one HIPAA-covered entity (i.e., healthcare provider, health plan or healthcare clearinghouse) to another or to an entity that will become a covered entity following the transaction.3 Depending on the amount of PHI at issue and the difficulty of obtaining consent from all impacted patients, this restriction may significantly reduce the number of viable buyers.
- The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks are approved mechanisms for the cross-border transfer of personal information from the European Economic Area and/or Switzerland to the U.S. that require companies to self-certify their compliance to a set of legally binding privacy and data protection standards. These Frameworks do not expressly contemplate the transfer of covered data in the context of a bankruptcy. A Privacy Shield-certified business facing restructuring will need to determine whether, how, and to whom it may transfer the personal information of European or Swiss individuals.
The interplay between various legal requirements can make it challenging to determine whether and what personal information can be transferred pursuant to a sale in bankruptcy. For this reason, businesses should be upfront and honest throughout the bankruptcy sale process about their data and their privacy practices, and should seek the assistance of counsel (as well as the trustee and the court) where it is unclear whether data can be legally transferred.
Step 3: Privacy Policies
Once a business has vetted a subset of PII and/or personal information that the business believes may be legally transferred, it must determine whether its consumer privacy policies authorize the transfer of that data.
Privacy policies that are silent on data sale and transfer present a different issue. Where a business has a policy that does not address whether personal information may be sold or otherwise transferred pursuant to a sale in bankruptcy, the business should carefully consider whether the policy, read as a whole, implicitly prohibits such a transfer. The key consideration here is what a reasonable consumer would understand about the handling of their data by the debtor, which should be informed by an analysis as to whether the policy or other statements made to consumers (in writing, verbally or otherwise) may give an impression that personal information will not be transferred.
The big takeaway for businesses approaching a restructuring that may involve the transfer of PII or other personal information is to keep privacy considerations at the forefront early and throughout the restructuring process. Understanding what personal information you have and what your public-facing notices say (or do not say) about that information will be critical to developing a plan of action as you move through the process.