With data privacy issues constantly in the news, what do businesses need to know about handling personal information when they’re considering bankruptcy, especially if some personal information – like customer records – may be a valuable asset?

This is the final installment of a 3-part series of posts addressing the Bankruptcy Code’s provisions related to personally identifiable information (“PII”), and how transfers of PII in bankruptcy can play out in the real world.  [Click here to read Part I] [Click here to read Part II]

The authors sat down (over Zoom) with Elise Frejka, founding member of Frejka PLLC, which concentrates in the areas of creditor rights, corporate restructuring, privacy, and litigation. Ms. Frejka has served as a consumer privacy ombudsman in numerous bankruptcy cases, and is a Certified Information Privacy Professional. We asked her to tell us about her career, her experiences as a consumer privacy ombudsman appointed under section 332(a) of the Bankruptcy Code (a “CPO”), and what she wishes debtors and creditors knew about the process of selling assets that include personal information in connection with a bankruptcy proceeding.

Randi Singer: So tell us about yourself. Going all the way back – before privacy, how did you get from law school to bankruptcy law?

Elise Frejka: I had the opportunity to appear before now-retired S.D.N.Y. bankruptcy judge Prudence Carter Beatty early in my career. At that point, I was struggling to find my passion. I really didn’t know what type of law I wanted to practice. Throughout my case before Judge Beatty, I found the bankruptcy process fascinating. I was enchanted with the whole concept. I liked that the issues were new and novel and that the proceedings involved many repeat participants, resulting in somewhat of a rapport in the courtroom. Above all else though, I liked the equity component of the proceedings. As lawyers, we’re so often in adversarial, “fight to the death” settings. I found bankruptcy’s focus on fairness and justice refreshing. When the case resolved, I called the law clerk and said “I’m sad it’s over!” And they called shortly after to say they had an opening, and I got a clerkship with Judge Beatty. She really changed the trajectory of my career and I am forever grateful.  Because of Judge Beatty I try to mentor often. I subsequently spent a number of years working in the bankruptcy and restructuring groups of several large law firms, including Dechert and Kramer Levin, before starting my own practice, which focuses on restructuring, privacy and creditor rights.

RS: How did you initially get involved in privacy work, and then how and when did that transition to the consumer privacy ombudsman work you do so much of now?

EF: On the one hand, throughout my bankruptcy experience in big law, I witnessed the value consumer data has as an asset that can be monetized. On the other hand, to me, the core issue is I am the consummate consumer. I love to shop and I love to get promotional communications and I assume other people sign up or stay subscribed for the same reasons I do, and I think that needs to be respected. But it also needs to be respected in terms of what the marketing department actually does with the information that’s collected. So when I wanted to leave big law, transitioning to focus on privacy-related issues in the bankruptcy context felt like kind of a natural next step. I got credentialed as a Certified Information Privacy Professional. The CIPP certification is generally considered necessary for practitioners in the privacy and data security space, and carries ongoing CLE requirements. Getting certified meant studying and sitting for an exam that in many ways is harder than the bar exam – and I mean that! Anyway, I left Kramer Levin in 2015 to start my own bankruptcy practice. Since then, I’ve worked on various privacy-related issues, including serving as a consumer privacy ombudsman in more than 10 cases. It’s a great area for me because I don’t have institutional conflicts, and I bring common sense insight into the issues at a price point that isn’t prohibitively expensive.

RS: How are you typically brought into a bankruptcy case?

EF: There are two main ways I’m brought into any given case. The most common way is by the U.S. Trustee. It depends a bit on the jurisdiction but essentially when a bankruptcy sale is teed up, the U.S. Trustee’s Office will request recommendations for a consumer privacy ombudsman from the debtor or, much less frequently, from the buyer. The U.S. Trustee will then review the recommendations and make an appointment. I do occasionally get calls from counsel that are confused about the process and ask if I can serve as the ombudsman on their case, but I have to explain that that is not how the appointment process works. It is always up to the U.S. Trustee to decide who serves as ombudsman.

That said, there’s another way that I think can be more beneficial for everyone, and that’s pre-petition. The reality is, this needs to be a due diligence item early in a potential sale process. How are you going to monetize these assets? Do you understand the restrictions on the sale of the assets? These questions really should be considered pre-petition if the company wants to come out stronger and leaner.

RS: How can a consumer privacy ombudsman help companies pre-petition?

EF: Proactive companies contemplating bankruptcy that want to realize the value of their consumer data but know that they’re going to have issues transferring that data, either because they have a privacy policy that indicates they will never sell data or they previously had that kind of policy or for some other reason, occasionally come to me for advice prior to filing their case. I’ll review their privacy policies and practices, identify areas of concern, advise them on whether they should purge certain consumer data that’s no longer being held for legitimate business or legal purposes, and then put together a plan. And then I’ll prepare a declaration that can be submitted on the day the case is filed to support a sales process or support continuation of customer programs and answer the court’s questions early on. The courts are very focused on privacy. If you address it early, you’re set if this goes to a sale.  Plus it is easier if you do it when your marketing people and all the people with the institutional knowledge are still there.

I would say don’t fear this process, because by the time you finish throwing all you have at defeating the ombudsman appointment, you could have been through the process and cleansed the data. I feel strongly about that – you either need to do the work pre-petition and get a declaration or say “okay, we’ll go along.” You can budget it, which is perfectly acceptable, but just don’t fight it. Unless you have really good grounds, it’s just not helpful.

RS: I would imagine that you could also help companies figure out what categories of data may be transferring by operation of law, so you don’t even need to deal with it. The pharmacy data we had in the A&P bankruptcy is a really good example.

EF: Exactly.  It’s fine, and why do we need to engage in the difficult justification of it and expect the judge to be up on all of it when I can just throw all of that in the report and explain it’s okay and then it’s blessed. It’s the wrong fight to have because you’re going to get to the same result but you’re going to be up in arms versus having a good process.

RS: There have been cases where I’ve talked to the Trustee and explained why the case doesn’t need an ombudsman, but that only works when you’ve done your homework.

EF: That’s right, and I’ve done it in a declaration where I’ll explain provisions of a privacy policy focusing on when you can transfer and how long it’s been there, and what are the notice requirements and if it’s changed. Notice and knowledge is how you succeed on this.

RS: So that’s when the company is looking down the pike. For companies that are not yet distressed or not yet in a position to bring someone in proactively, what can and should they do? What do you look back on, when you’re confronted with a company in that position, and say “I wish you had done x, y, or z”?

EF: It’s mostly the process, the outward-facing process, that a consumer is confronted with when clicking the subscribe button. Am I seeing a link to the privacy policy? Is it on there and on me, the consumer, to have read it or not read it? Does every marketing email have a link to the privacy policy and an unsubscribe link? When the company is collecting information, is there the warning that it’s governed by the privacy policy? Have I, as a consumer, while I may not have read it, been given the opportunity to do so, and have I given informed consent? Where’s my opportunity to know? That’s the hole I find when I do that consumer-centric review. If the company had just closed the loop, then everything could transfer.

RS: We talked about your approach, but let’s talk about the process.  In an ideal world, what would your process be like? Who would you be talking to and what kinds of questions would you be asking?

EF: I think the Sears bankruptcy [which we worked on together] is the gold standard in many ways, because everyone was available, everyone was—after some initial hesitation—willing to talk to me and understand I wasn’t looking to erode or destroy their ability to do business. It took time, and you definitely helped with this, but I think we got to a point of trust and understanding. What was so important is that the right people were made available to talk about what specific data was important to the continuation of the business, and the company did the work to have it be an interactive process. Compare that to a company in Chapter 7 where there’s no one there to talk to, or a company not willing to make people available to discuss the nuts and bolts of how the company operates and what they do with their information. Then it’s much harder. You can get to the same result, but it’s like pulling teeth. The most important thing is to talk to the people on the ground, the people touching the data and using the data.

The answer that “I’m paying a lot and should just get everything” is not constructive to the process. And buyers shouldn’t really get everything, because if the debtors were really respecting the data lifecycle, they would have purged some of it a long time ago. And I know there’s this fear of not having everything and I wish I knew how to get people over the hump of that. Marketing knows what they need, but there’s this fear of “what if?” In bankruptcy, you’re forcing people to think about what they really need. That’s where the push and pull comes in. It’s me trying to explain – I’m not looking to destroy your business. This is a collaborative process. Tell me what you really need and why you need it, and I will do my best to figure out a way for you to have it.

RS: And what are some kinds of creative ways you’ve come up with to help companies get or keep the information they need?

EF: As the consumer, my information is only valuable if I come back to your website or store and take advantage of your programs. So it’s all about giving notice in ways that are not cost-prohibitive and can be creative. Is it expensive to put a banner on your website announcing a transfer and providing opt-out language? No.

I view strict application of an opt-in procedure as the death of a company. You know, I’ve always adored Loehmann’s – I bought my prom dress at Loehmann’s – and they were completely destroyed because they were forced to do an opt-in. They didn’t have a chance. If you’re going to do opt-in, you might as well not sell the data.

My first exposure to consumer data issues in bankruptcy was representing the buyer of the Circuit City e-commerce business. We agreed data would be transferred to a third party who would do an opt-out for a large percentage of the customers, but also an opt-in for others. It added a layer of expense that in retrospect wasn’t necessary and didn’t do what it needed to.

I want to avoid having consumers who have already agreed to receive marketing communications to be forced to click a box to continue to receive them. So I want to find an alternative – it’s a rah-rah message of notice, and it can be in existing communications. You want companies to succeed. How do we get this brand to continue with a different owner? So whatever it takes to continue.

RS: Let’s talk about your role, including your diligence into a debtor’s privacy policies and practices. My experience with you is that you cut to the chase on this and ask for the documents you want rather than sending over a huge list and getting a document dump.

EF: What I like about privacy diligence in the bankruptcy context is you can cut right to the chase and just ask for the documents you need. Compare that to general litigation where lawyers request anything and everything and the discovery process alone can take years. Bankruptcies occur on an expedited basis so my requests need to be targeted.

I’m not so concerned with understanding every iteration of your privacy policy and if you gave notice and checked all the boxes. I’d rather have a substantive conversation about what the needs are as far as the company being able to continue to operate as it is and what the buyer really needs, so that the process benefits the company and gives the buyer a chance of success on a brand that has had a market space. And then the core question is, how are you going to meet consumer expectations? That’s where I focus, as opposed to “Well, you gave notice, so it’s all fine.” I think in bankruptcy you should be forced to pare down.

RS: Yes, and you do that in really practical ways. So in one case we worked on together you said, “look, if I purchased a washing machine with a lifetime warranty I expect that you’ll have my info when I call you in year 15, but that is different than when I bought a sweater and I don’t expect you to be calling me 15 years later.”

EF: That’s right, and that’s in Sears when I think everyone was surprised to find how much information there was. And you also realize that 15 years later a customer might not actually be outraged if you didn’t have their information. Because the driver here is how you drive consumer traffic to your store or your website. I don’t think it’s reaching out to someone who hasn’t interacted with the company in several years.

And, as a side note, there are a lot of companies in the pandemic that have really dusted off their records. It’s unbelievable who I’ve heard from.

RS: It’s really true.

EF: And, as a consumer, I’ll look at a marketing email once but then it becomes overload and I’ll unsubscribe from everything.

RS: Are there particular documents that you consider critical to your process?

EF:  It all starts with the privacy policies, and I mean all of the privacy policies and not just the company’s current one. I come armed with information even before my first call with counsel. I will spend time on the waybackmachine exploring the evolution of a company’s privacy policy focusing on how consumers were notified of changes to the policy and what the policy provides about transferring customer information as part of a business transaction. 

RS: Ideally, who at the company do you speak with, and what are the questions you prioritize?

EF: The ideal person to begin with is the person who understands the customer database. I need to understand what personal information the company has and how it is maintained before we can have a discussion about what the buyer needs on a go-forward basis. I want to know how many unique customer files are collected and what fields are saved, how opt-outs are processed and other more technical things. This becomes really important if the company sells videos of any sort since the titles cannot be linked to a specific customer. Sussing out the fields helps define the scope. Next up is the marketing person to understand how data is used. In a perfect world I would like to speak with the buyer to understand how the buyer will use the information it is acquiring. But speaking to the buyer tends to be pie in the sky because many buyers have not really focused on the issue. 

RS: How do you interact with the relevant parties, including the debtor, U.S. trustee, and judge? What about with intervening state Attorneys General and other regulators?

EF: After my appointment as the CPO I have limited interaction with the U.S. Trustee, as the U.S. Trustee has vetted the need for a CPO so there is a handoff. The debtor is integral to the process and I will start with the debtor’s counsel and try to get to company people as quickly as possible. As the Weil team knows well, a lot of it is trust and getting people comfortable with the fact that I am not looking to make a recommendation that will destroy the future prospects of the company. As for the court, different judges have different levels of comfort with the CPO process and privacy in general. Some want a full explanation about my recommendations and other are comfortable making a ruling based on the report. It varies depending on the situation and whether the particular court is familiar with my bona fides.

RS: So, getting into some of the nitty gritty details of interpreting the PII provisions of the Bankruptcy Code, how do you think about a privacy policy that says nothing about transferring data? There are fewer and fewer, but we’re still seeing them.

EF: It’s problematic. There’s likely something that can be transferred but it will need bells and whistles around it, and on something like that I think there needs to be more notice then I might otherwise look for. And how you choose that notice depends on the company. For instance, Instagram is not the right way for a lot of companies, but there are a fair number where that’s their audience so we have to be creative about that notice. I am real clear that a public notice in the New York Times is not effective to reach the target audience.

It’s ultimately all about knowledge and the ability to share that knowledge. And the U.S. Trustee is going to be first to ask those questions, and debtors counsel is going to need to be able to answer those questions intelligently. Just sending over the current policy is not going to be enough.

RS: The Bankruptcy Code indicates that a consumer privacy ombudsman is to be appointed where a debtor’s privacy policy, in effect on the date of the bankruptcy filing, prohibits the transfer of personally identifiable information. How do you think about the “in effect” language here?I’m often faced with “we’re about to file, can we just change our policy so we can transfer everything?”  And my response is usually, “yes, that will be great for new customers, but not historically.” Am I right, and how do you look at that?

EF: It really depends on the history of the policy. If you have a “we will never sell your information” policy and you change it, you don’t have the ability for it to be effective immediately upon publication. And then you’re behind the eight ball because I don’t know how you’ll be able to change it in time. The question is always, what are you telling people you’re going to do, and how do you notify people of a change? If you don’t have the notification piece, you can’t change your policy quickly. And companies typically are unwilling to send emails to a bunch of subscribers and risk them all unsubscribing. That’s the hurdle on waiting until the last minute.

RS: What about a privacy policy that says nothing one way or the other about the transfer of PII – is that a policy “that prohibits the transfer” of PII? What about entities that have no consumer privacy policy?

EF: These cases, thankfully, are few and far between these days because the lack of a privacy policy or a silent privacy policy gives me a headache just thinking about it.In this situation, there is a balancing of customer expectations and corporate needs. I have found that when a company does not have a policy there is very limited use of personal information and therefore the value is significantly diminished. Buyers tend not to want to jump through the necessary hoops to acquire PII where this is no policy or past usage.

RS: How has the focus on privacy matters in bankruptcy changed throughout your time as a consumer privacy ombudsman?

EF: I give the drafters of the ombudsman provisions [of the Bankruptcy Abuse Prevention and Consumer Protection Act or BAPCPA, a 2005 act that amended the Bankruptcy Code] a lot of credit for their foresight. The drafters were well ahead of the rest of the country in recognizing there’s an asset here—consumer data—that can be monetized, and came up with a process to allow for the transfer. And it was very smart to do that, to codify it so there isn’t an asset that’s left behind, because that can be the difference between success and failure of a business. They were very forward-thinking in that sense.

You know, I applaud what California has done [in enacting the California Consumer Privacy Act, or CCPA]. As a consumer, I view my unsubscribe as an affirmative statement to a company that I don’t want to hear from them again – ever, and I applaud the right to be forgotten in that sense. If I come back, I come back. I appreciate that these companies want to maintain optionality and know what I bought if I come back, but I’m not convinced it needs to be associated with my name, address, telephone number and date of birth; we can build a new relationship if I come back.

I think the CCPA and the [EU General Data Protection Regulation, or] GDPR have really scared people, and I’ve seen incredible fear about the GDPR penalties which has led to a real willingness to purge databases. This is the first area where I’ve seen that willingness, and it’s because of what the penalties are. I think that’s a start—to get people taking this seriously. The fear of California is still on the horizon because we haven’t seen much in the way of enforcement, but with that first case—you can pick the perfect storm, a company that’s on the cusp of revenue and had a good year, and didn’t think they were servicing California much but reached the financial threshold, it wasn’t intentional, and then they get a big fine. Then I think there will be recognition of the risks.

And I do think at some point we’ll get to a national data protection model. I don’t think it will be as strong as the GDPR, but I think we’ll get there.

RS: I stopped saying that a while ago because it was getting embarrassing to keep being wrong.

EF: What’s amazing is the lack of outrage over the Experian breach, where our most precious information that’s drilled into you from childhood to not give out—your social security number—was hacked. All your credit information. There was more outrage over RadioShack selling its customer data without peeling back the layers to see what it was and whether it was relevant. The outrage over that compared to the number of people who got outraged about Experian was so unequal. That complacency bothers me because here we are advocating for consumers and they don’t care themselves, and in my opinion we need to elevate the importance of privacy.

I recognize that my personal information has value, and there is probably an amount of money I would pay annually to have none of it shared. I would prefer not to Google a product and then suddenly see it advertised in my social media feed. It flips me out.

RS: And I hate when the fridge follows me around the internet, but I also hate when I get served irrelevant stuff.

EF: Right, there are pluses and minuses. But we need to be mindful of how invasive that is into our lives and recognize we’re making decisions about what we’re letting in, and companies need to respect that.

That’s something that bankruptcy applies universally to industry regardless of whether there are specific laws to protect consumers in that particular industry, like the financial or healthcare industries. We need to protect consumers more. The fact that they may not exercise it doesn’t mean we shouldn’t protect them. Even though California now has a right to be forgotten, you don’t have to be forgotten. You can be emailed as much as you want.

So those are the trends. I see the courts as being incredibly protective of consumer privacy and very willing to be creative and recognize real risks in ways that are not available in just private litigations. As a throw-off of the ombudsman provisions of the Bankruptcy Code, bankruptcy courts have been exposed to more expansive efforts to protect consumer privacy. I like where it’s going.

RS: They’re thorny problems.

EF: They are.

RS: Can you talk about what has been your thorniest matter, and how you handled it?

EF: Well, let’s start with a good story before turning to the bad. I really applaud how everyone handled Sears. It was truly a testament to having trust in the process, competent counsel all around, and having an evolving process that recognized the needs of the business and what was required to launch the new company and give it an opportunity to succeed and also meet consumer needs. Because of the cooperation between all of the parties involved, because the debtor and the buyer were all willing to do that work and have those conversations, there was a very broad data transfer that I never would’ve anticipated to be possible at the start of the proceeding.

As for the war stories, they’re always the same. They always involve companies that fight the process or that aren’t immediately forthcoming about their privacy policies or practices. Just talk to me candidly and we’ll solve the problem. This is equity. You’re getting an equitable remedy to a problem that is contrary to what you told consumers, and we need to solve that but the debtor needs to take it seriously from the first inquiry from the U.S. Trustee.

RS: Sears was also a good example of a creative solution because we had this vault with credit card numbers and they weren’t going to transfer but we didn’t have time to destroy them, so we came up with a process where they could be transferred under certain conditions. It was complicated but it worked.

EF: Right. Look, to me it’s great that when I go into a store and I give you my name and you can have my card on file and refund me immediately. But step back, because nothing is sacred and there are breaches all over the place. That may be outside my strict mandate as ombudsman, but keeping those cards has the potential to expose consumers to something they never expected when they gave their name or address.

The really bad situations are where everyone has left a company, because IT professionals are employable and they’re the first to go. When you have a homegrown data set that only the people who work there know how to deal with and those people are gone, and then the state Attorney General wants to take a deposition, the last man standing doesn’t necessarily know what they shouldn’t say and can unintentionally cause big problems. For instance, announcing you have 130 million customer files is probably not the best thing to put out there when you don’t have the context of what comprises that number—there’s a big difference between a bulk count of the files a company has and the number of actual usable consumer records it has. That can create a disaster because no one really looked at what it was.

I feel strongly that putting it out there early is really the smart move, especially for a retail case. And just being honest about what you’ve got. When you do that, and you file the creditor matrix redaction for your noticing and claims information, your whole case is received differently because you’ve shown that you respect data. You demonstrate respect from a consumer perspective and with regard to other individuals like your creditors. More and more judges have experienced identity theft and they’re worried about it, and the debtor wants to convey to the court that you take this seriously.

RS: What do you wish the parties knew going in that would help to make the process smoother?

EF: I think that debtors can definitely assist with the process by doing their due diligence pre-petition. Another related and important aspect is who the debtor hires to market the asset, because those who have done this before, where it’s their area, market differently and understand up front what the problems are and what data fields are going to transfer and what are not. So debtors should understand that on the diligence checklist pre-petition, this might need a different investment banker.

Just like you’re looking at your contracts, look at your privacy policy as early as you can because there’s dollars there. Don’t leave them on the table just because you didn’t look at that asset.