BLS_web_ad_300x250_V3B
CM300x250
AsiaPF15_300x250_Banner_FINAL
CS15_300x250_Banner_FINAL

By Luis Salazar

Business bankruptcy filings rose 59.7 percent over a 12-month period ending March 31, 2009. According to the Administrative Office of the U.S. Courts, more than 49,000 businesses filed for bankruptcy during that period. But when it came to satisfying creditors, not all of these businesses’ assets were up for grabs. Data assets garner special attention in bankruptcy court. Here, Luis Salazar explains how sensitive information and valuable customer data is handled when a business goes bust, and the role of the Consumer Privacy Ombudsman in bankruptcy proceedings.

It’s hard enough to manage and secure data on a day-to-day basis, but just imagine trying to accomplish that same task with no money, no staff, and under intense public scrutiny. Some—the cynics among you—are already thinking “I do that everyday.” But even our usual challenges pale in comparison to managing data privacy and security at that most dangerous intersection—where it meets bankruptcy.

Financially troubled companies present unique challenges. First, the lack of resources and chaotic environment often leads to data escaping out the door through increasingly lax security or by employees seeking some “self-help” to cover their losses. Second, businesses do a poor job disposing of records containing confidential information—what might be referred to as the “dumpster syndrome.” Finally, even if those hurdles are overcome, there is still the perhaps more central challenge of maximizing the value of customer data—a potential source of recovery for creditors.

It’s in response to that last challenge that the Congress passed the Privacy Policy Enforcement in Bankruptcy Act, better known as the Consumer Privacy Ombudsman provisions of the 2005 Bankruptcy Code amendments. A first for both bankruptcy and privacy law, the Consumer Privacy Ombudsman was created to advise bankruptcy courts of the privacy implications surrounding certain data sales and, indirectly, protect consumer data privacy. Although noble in its intentions, bankruptcy practitioners expressed concern that the Consumer Privacy Ombudsman would delay or scuttle critical sales by recommending that data not be transferred as part of the bankruptcy court sale.
But in fact the track record thus far shows that Consumer Privacy Ombudsmen repeatedly have met often challenging deadlines to produce reports, and their recommendations have been supportive of data sales while providing practical suggestions to protect consumers’ data privacy expectations. Rather than disrupt the process, these ombudsmen have, in a very real sense, served to validate the propriety of data transfers to benefit creditors while protecting consumer privacy

This article surveys some of the ombudsman reports filed thus far and analyzes the Tweeter Home Entertainment report in greater detail.

The consumer privacy provisions

By now, most practitioners are aware of the consumer privacy provisions and have some idea of their origins. In short, the provisions were sparked by the Federal Trade Commission’s actions in In re Toysmart. There, a bankrupt Internet toy company sought to sell consumer data in direct contradiction to its privacy policy, which promised that it would “never” share consumer information with third parties. The FTC sought to enjoin Toysmart from that sale and the violation of its privacy policy. Ultimately, the FTC reached a settlement with Toysmart, allowing the transfer of personal data under certain conditions, including notice and an opportunity for consumers to opt out.

The amendment to Bankruptcy Code Section 363 and the creation of Section 332 spring from the Toysmart dispute. Bankruptcy Code Section 363(b)(1) now limits the use, sale, or lease of personally identifiable information “if a debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.”  
If a debtor intends to pursue such a non-consistent sale, the court must appoint a Consumer Privacy Ombudsman pursuant to Section 332. The ombudsman’s duties are limited to advising and assisting the court in digesting the considerable facts and applicable privacy law that may come to play in any 363 sale of consumer data. The section specifically provides that the ombudsman may advise the court on four key factors: (1) the debtor’s privacy policy; (2) the potential losses or gains of privacy to consumers if such sale or lease is approved by the court; (3) the potential cost or benefit to consumers if the transaction is approved; and (4) any potential alternatives that would mitigate potential privacy losses or potential costs to consumers.

After notice, a hearing, and input from the ombudsman, the court may approve the use, sale, or lease of the data after: (i) giving due consideration to the facts, circumstances, and conditions of such sale; and (ii) finding that no showing was made and such sale or such lease would violate applicable non-bankruptcy law

The reports thus far

It appears that there have been as many as 20 cases thus far where a consumer privacy ombudsman has been appointed and filed a report, including: (i) In re Refco, Inc., et al., Case No. 05-60006 (RDD) (Bankr. S.D.N.Y. 2007); (ii) In re Storehouse, Inc., Case No. 06-11144-SSM-Bankr. (E.D.Va. 2007); (iii) In re Tweeter Home Entertainment Group, Inc. et al., Case No. 07-10787(PJW) (Bankr. D. Del. 2007); (iv) In re R.J. Gators, Inc., et al., Case No. 07-14954 (Bankr. S.D. Gla. 2007); (v) In re Foxtons, Inc., Case No. 07-24496 (Bankr. D.N.J. 2007); (vi) JS Marketing and Communications, Inc., Case No. 05-65426-11 (Bankr. D. Mont. 2007); (vii) In re Engaging and Empowering Citizenship, Inc., Case No. 02-BKC-28175-CGC (Bankr. D. Ariz. 2006); (viii) In re Three A’s Holdings, LLC, et al., Case No. 06-10886 (BLS) (Bankr. D. Del. 2006); (ix) In re Bodies in Motion, Inc., Case No. 06-10931
(Bankr. C.D. Cal. 2006); and (x) In re Western Medical, Inc., Case. No. 06-01784 (Bankr. D. Ariz. 2006); and (xi) In re Circuit City Stores, Inc., Case No. 08-35653 (Bankr. E.D.Va. 2008).

In general, these ombudsmen encountered similar sets of facts—debtors seeking to sell PII in the face of privacy policies that did not explicitly allow or were silent as to such transfers. In broad terms, each of these ombudsmen have supported the proposed sales, provided certain conditions were met, such as requiring that: (i) the sales be made to qualified purchasers (those in the same business or that would operate the same business as the Debtor); (ii) the purchaser would serve as a successor-in-interest to the Debtor’s security and privacy policies; (iii) and customers be provided an opportunity to opt in or opt out of the proposed transfer

The Tweeter case

These conditions are perhaps more clearly understood in the context of a real case—In re Tweeter Home Entertainment, Inc., et al. Based upon the ombudsman’s investigation, it appeared that Tweeter collected PII from consumers at retail, call center, and online points of contact, each under similar privacy policies.

Retail. At the retail level, Tweeter collected consumers’ names, addresses, e-mail addresses, and telephone numbers, generally for warranty and marketing purposes. This was so even when customers paid in cash. If a customer applied for or used a credit card, that additional credit card information was also maintained by Tweeter.

Although Tweeter did not appear to have a written privacy policy for retail-level transactions, Tweeter’s CIO confirmed that retail store customers, if asked, were advised that the information collected was kept confidential and was used solely for marketing and customer service purposes.

Telephone orders. Tweeter also allowed purchases by telephone—customers could call a toll-free number and place their orders with a live operator. The call center used the same point-of-sale system as the retail stores, and the same information was collected and routed in the same manner. Likewise, although there appeared to be no written privacy policy for telephone transactions, customers were advised that the information collected was kept confidential and used solely for marketing and customer service purposes.

Online orders. Finally, Tweeter also operated a Web site that provided general information about the company, along with online shopping. The Web site used a typical shopping cart system, where consumers could fill their cart with items and “check out” online. A customer was required to input PII, including credit card information, in order complete the purchase. The Web site offered electronic equipment, as well as DVDs for sale.

The online privacy policy. Tweeter posted its privacy policy prominently on its Web site. The privacy policy was limited to “Personal information collected via this Web site, and not through any other activities of Tweeter or its affiliates or business partners,” and made clear that Tweeter collected PII about customers “like your name, address, e-mail address, phone number, or credit card information, and that is not otherwise publicly available.” Nonetheless, Tweeter also represented that “You have the right to know how your personal information may be used or disclosed.”  

With respect to the PII it collected, Tweeter represented that it:

  • Does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:
  • We provide the information to trusted partners who work on behalf of or with Tweeter under confidentiality agreements. These companies may use your personal information to help Tweeter fulfill orders, process credit card payment, evaluate Tweeter.com, or communicate with you about offers from Tweeter and our marketing partners. However, these companies do not have any independent right to share this information. You may opt out of future marketing communications from Tweeter or our marketing partners at any time by e-mailing to customersupport@tweeter.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it , or calling us at 1-866-690-2370.
  • We transfer information about you if Tweeter is acquired by or merged with another company. In this event, Tweeter will notify you before information about you is transferred and becomes subject to a different privacy policy.

This last clause appeared to be most relevant to the proposed sale, but did not explicitly authorize data transfer in the context of an asset sale.

The privacy policy also contained a disclaimer that provided that it may be changed at any time and without prior notice. Nevertheless, Tweeter represented that it “will notify you about significant changes in the way we treat personal information by sending a notice to the e-mail address you have provided to us or by placing a prominent notice on Tweeter.com so that you may be aware of our actions.”  

The ombudsman recommendation

Relying on established Federal Trade Commission guidance, the ombudsman recommended that the court permit the sale, subject to certain conditions designed to protect consumers’ privacy expectations. More specifically, the Ombudsman recommended that the Tweeter sale be allowed if:

  • The sale of PII was to a “Qualified Buyer.” A “Qualified Buyer” means an entity that: (a) concentrates in the same business and market as Tweeter’s; (b) expressly agrees to be Tweeter’s successor-in-interest as to the customer information; (c) agrees to be responsible for any violation of that policy following the date of purchase; (d) would use the PII only to fulfill customer orders and to personalize customers’ experience on the Web site; and (e) shall not disclose, sell, or transfer customers’ PII to any third party in a manner inconsistent with Tweeter’s Privacy Policy;
  • The Qualified Buyer agrees to be bound and meet the standards established by Tweeter’s Privacy Policy and to maintain at least the same level of security as is presently in place;
  • Tweeter and the Qualified Buyer agree to provide notice of the proposed transfer to any consumer whose PII is being sold, including a posted notice on the Tweeter Web site and by e-mail; and
  • Tweeter and the Qualified Buyer agree to provide consumers with an opportunity to opt out as part of the notification process.

If for any reason the PII were to be sold to any other entity that would not meet the requirements of a “Qualified Buyer,” then the ombudsman recommended that the court should require that:

  • The purchaser must at a minimum agree to abide by Tweeter’s existing privacy policies;
  • Tweeter and the purchaser must provide notice of the proposed transfer to any consumer whose PII it holds by prominent posting on Tweeter’s Web site and via e-mail; and
  • As part of the notification process, Tweeter and the purchaser must provide each consumer with an opportunity to opt in to the transfer, or their information would not be transferred.

Finally, the ombudsman recommended that the order approving the sale of PII also should: (a) require any buyer to file with the court a statement under oath that it has fully complied with the procedures imposed by the court to protect the PII; (b) direct the ombudsman to file a supplemental report confirming such compliance; or (c) both.
Ultimately, the court determined that the successful bidder for Tweeter’s assets was, in fact, a “Qualified Buyer.”  That bidder then agreed to provide posted notice of the transfer and honor opt outs made via their newly acquired Tweeter Web site.

Conclusion

Thus, the Consumer Privacy Ombudsman has so far been easily integrated into the often lightning-quick Section 363 bankruptcy sale process. More important, the ombudsman offers a voice for consumers who typically have none. For bankruptcy practitioners, ombudsmen legitimize a process that could otherwise attract unwanted and highly disruptive attention from regulators or angry consumers. In a very real way, the ombudsman serves as a traffic cop—steering folks through the often treacherous bankruptcy and privacy intersection.

Luis Salazar is a shareholder in the Greenberg Traurig Miami office and a member of the firm’s Business Bankruptcy and Reorganization Department and Data Privacy and Security Law Task Force. He can be reached at salazarl@gtlaw.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it . He drafted the Privacy Policy Enforcement and Bankruptcy Act and has served as the Consumer Privacy Ombudsman in multiple cases, including In re Tweeter Home Entertainment Group, Inc., In re Foxtons, and Vi Corp. Restaurants.

0 Comments

If you want to comment on this post, you need to login

Related