With data privacy issues constantly in the news, what do businesses need to know about handling personal information when they’re considering bankruptcy, especially if some personal information – like customer records – may be a valuable asset?

This 3-part series of posts will offer an overview of the Bankruptcy Code’s provisions related to personally identifiable information (“PII”), and how transfers of PII in bankruptcy can play out in the real world; recommendations of best practices for businesses contemplating the possible transfer of PII or other personal information as an asset in bankruptcy; and, finally, a Q&A with two experts in the field sharing war stories and advice.

Part I: The Code and its Application

Introduction

Twenty years ago, an online toy store, Toysmart, filed for Chapter 11 bankruptcy. As part of the resulting public auction, Toysmart sought to sell its customer records, which included customer names and addresses, as well as shopping preferences and, in some cases, children’s names.1 In an action that was unprecedented at the time, the Federal Trade Commission (“FTC”) sued Toysmart in federal court, alleging that the proposed sale violated section 5 of the Federal Trade Commission Act (“FTC Act”), which prohibits unfair and deceptive business practices.2 The basis for the claim was that, like many businesses at the time, Toysmart’s privacy policy stated that Toysmart would not share its customers’ data with third parties.3 Toysmart settled with the FTC, agreeing to sell its customer data only to a family-oriented buyer that would abide by the Toysmart privacy policy, and moved for approval of the settlement by the bankruptcy court. But several state attorneys general then intervened in the action, alleging that even under the FTC settlement terms, the proposed sale of customer data was an unfair or deceptive business practice under state consumer protection laws. The bankruptcy court rejected the Toysmart-FTC settlement, and Toysmart ultimately withdrew its customer records from the auction.4

Congress then, in 2005, amended the Bankruptcy Code to protect personal information while also allowing for the maximization of the value of a distressed company’s assets.5 Specifically, the amendments limit a debtor’s ability to sell or lease Personally Identifiable Information (“PII”) under certain circumstances, and require the trustee to appoint a “consumer privacy ombudsman” to oversee the process of transferring PII in certain situations.

The 2005 amendments have now been in place for nearly fifteen years. But with data privacy issues now constantly in the news, and many businesses collecting and using information that may go far beyond basic contact information, consumer information is a subject of increased focus for debtors, buyers, trustees, and courts. This post provides an overview of the Bankruptcy Code’s provisions related to PII, including how and when an ombudsman may be appointed to a bankruptcy proceeding and how and when other stakeholders with privacy interests (such as the FTC and state attorneys general) may seek to intervene.

1.         Personally Identifiable Information

The Code defines PII as personal information provided by an individual to the debtor business “in connection with obtaining a product or a service from the debtor primarily for personal, family, or household purposes.”6 In other words: information collected through a consumer transaction. Notably, the definition does not include employee information, or information shared business-to-business or collected from third party sources.

The Code’s limitations on the sale or lease of covered PII in bankruptcy are also narrow. First, PII may not be transferred outside “the ordinary course of business” (i.e., in a manner that is not an existing business practice).7 In other words, if a business sells personal information in the ordinary course, it can continue to do so; if not, then the Code’s PII provisions will apply. Second, PII may not be transferred if, on the date the bankruptcy case commences, the debtor’s privacy policy promises consumers it won’t transfer PII to unaffiliated third parties.8 In those two circumstances, the sale of PII is permitted only if found to be consistent with the debtor’s privacy policy or, if not, then only if approved by the court after appointment of an ombudsman and a hearing.9

Although the Code defines PII narrowly,10 privacy laws outside of bankruptcy define “personal information” or “personal data” increasingly broadly, and any personal information falling outside the PII definition is likely governed by other privacy and consumer protection laws, as is a business’s maintenance of appropriate practices with respect to data transfers and privacy policies. As a result, the 2005 amendments to the Code can be thought of as baseline requirements for approaching data about individuals as an asset in bankruptcy, but not the end of the inquiry. The role of the ombudsman is broad enough to encompass a holistic review of implicated data, including applicable legal requirements and the interests of all stakeholders.

2.         The Consumer Privacy Ombudsman Process

The trustee must appoint a consumer privacy ombudsman in certain circumstances before PII can be transferred. But, in practice and in response to vastly increased focus on and concerns about consumer privacy, trustees increasingly may request an ombudsman, even where the proposed sale or lease of PII appears to align with the debtor’s current privacy policy and/or is being sold in connection with the business. This can occur if it appears that other personal information may be in play, if there are concerns about the debtor’s historic privacy policies and/or practices, if there are questions about whether sufficient notice has been provided to consumers that their information may be transferred in the event of a restructuring, or if there is simply a great deal of personal information at stake and the trustee believes that the expert oversight of an ombudsman is required.

The scope of the ombudsman’s purview is notably wide: the ombudsman must provide “information to assist the court in its consideration of the facts, circumstances, and conditions” of the proposed sale or lease of PII.11 The statute provides that such information might include the debtor’s privacy policy, the potential impact of the proposed sale or lease of PII on consumers both with respect to privacy specifically and generally with respect to “costs or benefits,” and alternatives that might mitigate privacy concerns or other potential costs to consumers.12

The level of detail with which courts and trustees delve into the privacy policies and practices of a debtor can vary greatly and often depends upon the particular circumstances, including the nature of a business and the types and volume of PII and personal information at issue. Even where a policy has a data transfer provision, some courts look very closely at the language used and may require appointment of an ombudsman if such language does not expressly disclose a potential transfer specifically in the context of an asset sale in bankruptcy. This was the case in Tweeter Home Entertainment Group, where the notice concerning disclosure of personal information in connection with an acquisition or merger did not explicitly state that personal information might be transferred in connection with a bankruptcy.13

Ultimately, the role of the ombudsman is to help the court—and the parties and trustee—to understand the likely effect of the proposed sale on the consumers whose information will be transferred, and to advise on ways to structure the sale, if necessary, to better protect consumers. The role also, as discussed in the next section, can extend to mediating between parties and non-parties who may have differing interests regarding the transfer of PII.

3.         Other Stakeholders

The Toysmart case made it clear that both the FTC and state attorneys general (“AGs”) would not hesitate to step in and challenge planned transfers of customer data in connection with bankruptcies. The revisions to the Bankruptcy Code were in part a response to regulators’ concerns, but in practice the ombudsman provisions were not widely used for the first several years after the statute was amended. A review of bankruptcy dockets since 2005 suggests that there were only about 100 ombudsman appointments between 2005 and 2015, but upwards of 85 ombudsman appointments between 2015 and 2020.

The change came in 2015, when RadioShack filed for Chapter 11 bankruptcy. RadioShack proposed a stand-alone sale of its customer records database, which included email addresses and phone numbers of approximately 117 million consumers. The proposed sale was inconsistent with RadioShack’s privacy policy, which stated it would not “sell or rent” any “personally identifiable information to anyone at any time,” so the trustee appointed an ombudsman to investigate and assist the court.14 As the bankruptcy proceeded, regulators began to take notice of the proposed sale of customer records. Eventually, no fewer than 36 state AGs intervened, objecting to the proposed sale as irreparably inconsistent with RadioShack’s representation to consumers in its privacy policy.15 The FTC then wrote a letter to the ombudsman making specific recommendations as to how a sale of RadioShack’s customer data might proceed.16

Following a day-long mediation with RadioShack, General Wireless (the proposed buyer), and representatives of the state AGs—and reportedly with the involvement of FTC representatives—a deal was proposed that would permit a much more limited sale to go forward, with stringent restrictions.17 RadioShack agreed to destroy the majority of records it held about customers, including payment card information, social security numbers, dates of birth, and telephone numbers; and General Wireless was prohibited from selling or sharing any of the remaining consumer data it would receive to or with any other entity going forward.18 The bankruptcy judge overseeing the matter approved the deal.19

Conclusion

A business considering the potential sale of personal information in connection with a bankruptcy will need to bear in mind that asset value maximization must be accomplished consistent with the privacy provisions in the Bankruptcy Code, as well as privacy laws. The next post in this series will offer practical, step-by-step tips for navigating the privacy-related challenges businesses may encounter in bankruptcy, including what to do when it appears that a restructuring is likely on the horizon.