With data privacy issues constantly in the news, what do businesses need to know about handling personal information when they’re considering bankruptcy, especially if some personal information – like customer records – may be a valuable asset?
This 3-part series of posts will offer an overview of the Bankruptcy Code’s provisions related to personally identifiable information (“PII”), and how transfers of PII in bankruptcy can play out in the real world; recommendations of best practices for businesses contemplating the possible transfer of PII or other personal information as an asset in bankruptcy; and, finally, a Q&A with two experts in the field sharing war stories and advice.
Part I: The Code and its Application
Congress then, in 2005, amended the Bankruptcy Code to protect personal information while also allowing for the maximization of the value of a distressed company’s assets.5 Specifically, the amendments limit a debtor’s ability to sell or lease Personally Identifiable Information (“PII”) under certain circumstances, and require the trustee to appoint a “consumer privacy ombudsman” to oversee the process of transferring PII in certain situations.
The 2005 amendments have now been in place for nearly fifteen years. But with data privacy issues now constantly in the news, and many businesses collecting and using information that may go far beyond basic contact information, consumer information is a subject of increased focus for debtors, buyers, trustees, and courts. This post provides an overview of the Bankruptcy Code’s provisions related to PII, including how and when an ombudsman may be appointed to a bankruptcy proceeding and how and when other stakeholders with privacy interests (such as the FTC and state attorneys general) may seek to intervene.
1. Personally Identifiable Information
The Code defines PII as personal information provided by an individual to the debtor business “in connection with obtaining a product or a service from the debtor primarily for personal, family, or household purposes.”6 In other words: information collected through a consumer transaction. Notably, the definition does not include employee information, or information shared business-to-business or collected from third party sources.
Although the Code defines PII narrowly,10 privacy laws outside of bankruptcy define “personal information” or “personal data” increasingly broadly, and any personal information falling outside the PII definition is likely governed by other privacy and consumer protection laws, as is a business’s maintenance of appropriate practices with respect to data transfers and privacy policies. As a result, the 2005 amendments to the Code can be thought of as baseline requirements for approaching data about individuals as an asset in bankruptcy, but not the end of the inquiry. The role of the ombudsman is broad enough to encompass a holistic review of implicated data, including applicable legal requirements and the interests of all stakeholders.
2. The Consumer Privacy Ombudsman Process
The level of detail with which courts and trustees delve into the privacy policies and practices of a debtor can vary greatly and often depends upon the particular circumstances, including the nature of a business and the types and volume of PII and personal information at issue. Even where a policy has a data transfer provision, some courts look very closely at the language used and may require appointment of an ombudsman if such language does not expressly disclose a potential transfer specifically in the context of an asset sale in bankruptcy. This was the case in Tweeter Home Entertainment Group, where the notice concerning disclosure of personal information in connection with an acquisition or merger did not explicitly state that personal information might be transferred in connection with a bankruptcy.13
Ultimately, the role of the ombudsman is to help the court—and the parties and trustee—to understand the likely effect of the proposed sale on the consumers whose information will be transferred, and to advise on ways to structure the sale, if necessary, to better protect consumers. The role also, as discussed in the next section, can extend to mediating between parties and non-parties who may have differing interests regarding the transfer of PII.
3. Other Stakeholders
The Toysmart case made it clear that both the FTC and state attorneys general (“AGs”) would not hesitate to step in and challenge planned transfers of customer data in connection with bankruptcies. The revisions to the Bankruptcy Code were in part a response to regulators’ concerns, but in practice the ombudsman provisions were not widely used for the first several years after the statute was amended. A review of bankruptcy dockets since 2005 suggests that there were only about 100 ombudsman appointments between 2005 and 2015, but upwards of 85 ombudsman appointments between 2015 and 2020.
Following a day-long mediation with RadioShack, General Wireless (the proposed buyer), and representatives of the state AGs—and reportedly with the involvement of FTC representatives—a deal was proposed that would permit a much more limited sale to go forward, with stringent restrictions.17 RadioShack agreed to destroy the majority of records it held about customers, including payment card information, social security numbers, dates of birth, and telephone numbers; and General Wireless was prohibited from selling or sharing any of the remaining consumer data it would receive to or with any other entity going forward.18 The bankruptcy judge overseeing the matter approved the deal.19
A business considering the potential sale of personal information in connection with a bankruptcy will need to bear in mind that asset value maximization must be accomplished consistent with the privacy provisions in the Bankruptcy Code, as well as privacy laws. The next post in this series will offer practical, step-by-step tips for navigating the privacy-related challenges businesses may encounter in bankruptcy, including what to do when it appears that a restructuring is likely on the horizon.