Much has been written of late about data breaches and the liabilities for the unauthorized acquisition of Personally Identifiable Information (PII) from institutions, including financial institutions. But what about when the alleged “breach” (the release of information) is voluntary and/or legally compelled? What are the risks for creditors who take collateral containing PII data as security for the repayment of debt? What are the risks to businesses when they transfer assets that include PII? What liabilities do they face? What are the rights of customers?
In February 2015, one of the original and legendary tech chains, RadioShack (RS), filed for Chapter 11 bankruptcy. (For years RS labeled itself “America’s technology store”. In 1977, RS introduced the TRS-80, one of the first personal computers.) As a result, PII collected by RS over many years, along with a number of its other assets, was almost sold by a bankruptcy trustee to a third party to help pay off RadioShack’s debts.
For years, RS had collected email addresses, telephone numbers and other PII from customers. (Remember Kramer asking, “Why does Radio Shack ask for your phone number when you buy batteries?” Answer: “I don’t know.”)
Indeed, RS pioneered the collection of PII data. By the time it filed for bankruptcy, RS had dutifully collected over 13 million email addresses and 65 million customer names and physical addresses, as well as information about some 117 million customers’ shopping habits.
In a last-minute revision to its offer, the purchaser of the RS assets agreed that customer data would not be part of the sale. The planned inclusion of PII had prompted objections from government authorities in several states.
A key issue, however, is whether the customers can be said to have knowingly “consented.” Indeed, whether consent was validly, freely and knowingly given can often create litigation issues. See, for example, Kirch v. Embarq Management Co., 2011 WL 3651359 (D. Kan. 2011); Deering v. CenturyTel Inc., 2011 WL 1842859 (D. Mont. 2011); In re Google Inc. Gmail Litigation, 2014 WL 1102660 (N.D. Cal. 2014). The FTC requires that there be clear and conspicuous notice and affirmative consent.
In any event, assuming the policy permits the sale, consumers would be hard pressed to show damages as a result of the sale (i.e., they have no standing), and absent the violation of some specialized regulations or statutes (such as GLBA, HIPAA or credit card protection statutes and regulations), there is little that could be challenged. Again, FTC requirements for customer consent must be met.
Thorny issues arise, however, in the more common situation where the seller decides to sell PII in a manner arguably not consistent with its policy, where customers have not clearly consented, or where the purchaser decides not to follow the policy once the transaction is completed.
First, some states, such as Texas and Tennessee, specifically prohibit companies from selling PII in ways that violate the company’s own privacy policies. (In the RadioShack case, 24 states legally challenged the PII sale.)
- The PII not be sold as a standalone asset;
- The buyer of the PII be engaged in substantially the same line of business;
- The buyer agree to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under ToySmart’s policy.
And, of course, there is the threat of customer litigation. Standing and damage requirements present hurdles to such litigation. However, in Texas and Tennessee (and perhaps other states) the mere violation of the statute (and the policy) provides the requisite standing. Moreover, customers can claim that they paid for a product with the expectation that their privacy in connection with the transaction would be protected. Arguably, the violation of this expectation means they overpaid for the product, and this provides the standing. As implausible as this sounds, similar theories have been asserted. See our recent post on automobile hackability:
The issues get even thornier in a third situation, where the holder of the PII is in bankruptcy. How, for example, does a bankruptcy trustee meet its obligations to creditors while balancing the customers’ privacy interests? Is there an obligation to sell the data in order to pay the creditors? What obligation does a bankruptcy trustee have to maintain customer privacy?
Certainly, bankruptcy courts have a great deal of leeway in overriding policies. Information, such as customer data, is an asset owned by the company. A bankruptcy court has an obligation to maximize the recovery of the creditors of a company — not an obligation to protect the privacy interests of the bankrupt’s customers. And the Bankruptcy Act does leave the door open for the sale of such assets, albeit with some safeguards.
The Act provides that if the debtor has a policy in place prohibiting the transfer of PII, the trustee may not sell such information unless the sale is consistent with the policy, or unless, after a hearing and the appointment of an ombudsman, the court approves the sale, giving due consideration to the conditions of such a sale and finding that the sale would not violate non-bankruptcy law.
So, at the end of the day, the final say-so seems to rest with the bankruptcy court itself, meaning the real losers could be the customers.
The potential pitfalls demonstrated by these situations seem clear. So what’s a business to do to minimize the risk?
- It should carefully prepare and review its privacy policies to see what obligations it might have upon a sale or transfer.
- If the business wants the freedom to sell the information it collects in the future, it should draft a policy accordingly.
- Notice of any change to the policy that gives the business the right to sell its PII data should be prominently posted on its website.
- It should carefully consider what it is willing to do and not do with respect to its customers in the PII context.
- It should consider whether to clearly provide notice that bankruptcy or other economic or legal developments may occur and that such a scenario could affect what happens to the information.
- Businesses should take into account what liabilities they may face, what rights customers may have, and what enforcement power the FTC has when evaluating the value and sale of PII.