With data privacy issues constantly in the news, what do businesses need to know about handling personal information when they’re considering bankruptcy, especially if some personal information – like customer records – may be a valuable asset?

This is the second part of a 3-part series of posts addressing the Bankruptcy Code’s provisions related to personally identifiable information (“PII”), and how transfers of PII in bankruptcy can play out in the real world. [Click here to read Part I]

Introduction

Issues related to the transfer of PII and other personal information can complicate M&A transactions in the bankruptcy context. Businesses contemplating a restructuring can avoid minefields – as well as save time and resources – by taking steps early to understand their data assets and privacy policies and to map out strategies in advance.The focus of this post is to offer practical advice for navigating the privacy-related hurdles a business may face in connection with selling PII and other personal information as an asset in bankruptcy.

Step 1: Locate & Determine Personal Information for Sale

In a perfect world, a business facing bankruptcy is fully informed regarding its data – what data it has, where the data are stored, and the restrictions the business may be subject to with regard to its use and disclosure of data. In reality, this is not always (or even often) the case. But businesses contemplating a bankruptcy proceeding need to think about the PII and other personal information in their possession or control – and, particularly, which categories may be valuable assets in bankruptcy. As an initial matter, it is critical that a business understand:

  1. Who owns the data. Does the business itself own all of the PII and other personal information that may be sold, or is there another entity or entities that may have an ownership interest? For example, in RadioShack, AT&T and Verizon disputed ownership of customer data acquired by RadioShack through the sale of their respective products and services. Ultimately, the parties (including the buyer) entered a stipulation requiring detailed protocols, including technical steps, to ensure that contested AT&T and Verizon data would not be transferred or sold to General Wireless.1
  2. Where the data are housed. For example, does the business centralize or segregate its data? Is personal information stored on the business’s servers, in the cloud, with third-party vendors, or (most likely) some combination of these? What technically would be required for the data to be transferred to a buyer?
  3. How the data are organized. Does the business have the capacity to identify and extract particular categories of data while leaving other categories of data in place and intact? If an eventual court order were to direct the business to transfer certain data categories but destroy others, would that be technically possible for the business?

The answers to these questions will help businesses determine which categories of personal information may be sold and which should be excluded from an auction. Once a business has a handle on the scope of PII and other personal information that may be in play, it can focus on how to ensure that any data transfer is made legally.

Step 2: Compliance with Non-Bankruptcy Laws

With the categories of data assets eligible for sale in mind, a business should assess applicable laws and what restrictions or conditions may be imposed on the transfer. In addition to PII as defined by the Bankruptcy Code, businesses will have other categories of personal information that are governed by non-bankruptcy privacy laws, and a range of laws may apply to the same datasets. It is therefore crucial that a business consider the full scope of applicable laws and regulations, taking into account:

  • U.S. laws, which vary at the federal and state level as well as by business sector (e.g., federal healthcare and financial privacy laws and the California Consumer Privacy Act);
  • Foreign laws, which may apply even if a business does not physically operate in a particular country if that business collects data from residents of that country (such as under the EU General Data Protection Regulation (GDPR)); and
  • Self-regulatory frameworks and standards, like the Payment Card Industry Data Security Standard (PCI-DSS) and the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

Where there may be conditions or restrictions on the transfer or sale of personal information, consider whether the business or an eventual buyer, depending on which party is better positioned, would be able to satisfy those conditions or restrictions. As examples:

  • A business contemplating the transfer of Protected Health Information (PHI)2 must comply with HIPAA, which allows for the transfer of PHI with express patient authorization or, in the absence of patient authorization, only where the transfer is from one HIPAA-covered entity (i.e., healthcare provider, health plan or healthcare clearinghouse) to another or to an entity that will become a covered entity following the transaction.3 Depending on the amount of PHI at issue and the difficulty of obtaining consent from all impacted patients, this restriction may significantly reduce the number of viable buyers.
  • The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks are approved mechanisms for the cross-border transfer of personal information from the European Economic Area and/or Switzerland to the U.S. that require companies to self-certify their compliance to a set of legally binding privacy and data protection standards. These Frameworks do not expressly contemplate the transfer of covered data in the context of a bankruptcy. A Privacy Shield-certified business facing restructuring will need to determine whether, how, and to whom it may transfer the personal information of European or Swiss individuals.

The interplay between various legal requirements can make it challenging to determine whether and what personal information can be transferred pursuant to a sale in bankruptcy. For this reason, businesses should be upfront and honest throughout the bankruptcy sale process about their data and their privacy practices, and should seek the assistance of counsel (as well as the trustee and the court) where it is unclear whether data can be legally transferred.

Step 3: Privacy Policies

Once a business has vetted a subset of PII and/or personal information that the business believes may be legally transferred, it must determine whether its consumer privacy policies authorize the transfer of that data.

  1. The In-Effect Privacy Policy.

As discussed in Part I, the Bankruptcy Code requires appointment of an ombudsman where a business has a privacy policy that promises consumers it will not transfer their PII and that policy is in effect on the date the case commences. If the business’s current public-facing policy explicitly promises not to transfer PII (such as in RadioShack), then by the plain terms of the Code, either an ombudsman must be appointed to determine whether and how such information can, despite the policy, be transferred or the business will need to exclude PII from the asset sale. More complicated are instances in which a privacy policy is silent on the issue of transfer (or a business has not disclosed any privacy policy); these scenarios are discussed in the next section.

Another thorny issue is where the business’s current privacy policy contemplates the transfer of PII pursuant to bankruptcy M&A but older policies did not. There is some room for interpretation regarding whether such historic policies are “in effect” and thus relevant for purposes of the Code. But, absent the business having taken specific measures to ensure that old policies were adequately retired (e.g., purging data from consumers who did not explicitly opt into superseding privacy policies), the prudent and more supportable approach is to treat the business’s historic policies as effective. This is consistent with general principles of privacy law—which dictate that the policy governing a consumer’s information is the policy that was disclosed to her when her personal information was collected—and the approach frequently taken by ombudsmen.4

Take, for example, a business whose current privacy policy and all policies in effect from the year 2014 forward contained a clause notifying users that their personal information would be disclosed or transferred in the event of a bankruptcy, but pre-2014 policies stated that the business would never sell consumer data under any circumstance. Provided the business has some way to determine what PII is subject to which privacy policy (and, unfortunately, not all businesses do), that business should assess the value of the pre-2014 data to a potential buyer. If the information is of limited value to the transaction, the business should consider excluding it from the sale and purging it prior to the closing of the transaction. But, if the information is valuable, the business should weigh that value against the expense and potential restrictions or conditions on transfer.

  • The Absent or Silent Privacy Policy.

Where a business has no posted privacy policy, by the plain language of the Code, an ombudsman is not required. But that does not mean the sale of PII or personal information will be automatically permissible, or that a proposed transaction will not face challenge. A bankruptcy court may not permit a data transfer where such transfer violates applicable non-bankruptcy law; and failure to post a privacy policy is likely to run afoul of certain laws. For example, the FTC Act prohibits unfair or deceptive acts or practices affecting commerce, which may include collecting personal information without the knowledge or full understanding of the individuals that provide it, and several federal and state laws require that consumers be notified of the collection and use of their personal information prior to collection.5

In practice, whether the court, trustee or others decide to challenge a proposed transfer of PII or personal information in the absence of a privacy policy is likely to depend on the volume and nature of the data, including its level of sensitivity. The larger the volume of data and the greater the sensitivity of such data, the more likely the data are to draw attention. It is generally best not to take chances—where a business believes it may not be in material compliance with applicable laws in connection with the data it hopes to sell, it may make sense to consult with the trustee about ways to mitigate privacy-related concerns. One common and effective—but potentially burdensome—fix is to require that either the business or the winning bidder provide individuals with notice and the ability to opt-out of the transfer of their personal information.

Privacy policies that are silent on data sale and transfer present a different issue. Where a business has a policy that does not address whether personal information may be sold or otherwise transferred pursuant to a sale in bankruptcy, the business should carefully consider whether the policy, read as a whole, implicitly prohibits such a transfer. The key consideration here is what a reasonable consumer would understand about the handling of their data by the debtor, which should be informed by an analysis as to whether the policy or other statements made to consumers (in writing, verbally or otherwise) may give an impression that personal information will not be transferred.

In Sharper Image, Sharper Image sought to sell its customer mailing lists but resisted appointment of an ombudsman, arguing that the proposed sale was not inconsistent with its privacy policy, which had no provisions addressing the sale or transfer of personal information. The court disagreed and appointed an ombudsman, who noted in her report that the transfer of customer mailing lists couldn’t be consistent with Sharper Image’s privacy policies as those policies “did not anticipate or address the type of sale contemplated by the [transaction].”6 The ombudsman ultimately ordered Sharper Image to destroy certain PII and placed restrictions on the sale of the remaining PII, including that it be sold only to a “qualified buyer” operating in the same line of business as Sharper Image and bound by the Sharper Image privacy policy.7

In contrast, some businesses with a silent policy err on the side of caution and proactively request an ombudsman even where they believe it may not be required. For instance, the debtor in Emivest Aerospace Corp. requested appointment of an ombudsman because its privacy policy “[did] not explicitly provide that [personal] information may be transferred to a purchaser of substantially all of the assets of the Debtor.”8 Particularly where a delayed sale could materially impact a debtor financially or cause a potential buyer to lose interest in or back out of a deal, Emivest’s approach is likely the more prudent course in most instances.

Conclusion The big takeaway for businesses approaching a restructuring that may involve the transfer of PII or other personal information is to keep privacy considerations at the forefront early and throughout the restructuring process. Understanding what personal information you have and what your public-facing notices say (or do not say) about that information will be critical to developing a plan of action as you move through the process.