News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | The most dangerious intersection-bankruptcy and consumer privacy Related reading: US House subcommittee kicks off draft American Privacy Rights Act consideration

rss_feed

By Luis Salazar

Business bankruptcy filings rose 59.7 percent over a 12-month period ending March 31, 2009. According to the Administrative Office of the U.S. Courts, more than 49,000 businesses filed for bankruptcy during that period. But when it came to satisfying creditors, not all of these businesses’ assets were up for grabs. Data assets garner special attention in bankruptcy court. Here, Luis Salazar explains how sensitive information and valuable customer data is handled when a business goes bust, and the role of the Consumer Privacy Ombudsman in bankruptcy proceedings.

It’s hard enough to manage and secure data on a day-to-day basis, but just imagine trying to accomplish that same task with no money, no staff, and under intense public scrutiny. Some—the cynics among you—are already thinking “I do that everyday.” But even our usual challenges pale in comparison to managing data privacy and security at that most dangerous intersection—where it meets bankruptcy.

Financially troubled companies present unique challenges. First, the lack of resources and chaotic environment often leads to data escaping out the door through increasingly lax security or by employees seeking some “self-help” to cover their losses. Second, businesses do a poor job disposing of records containing confidential information—what might be referred to as the “dumpster syndrome.” Finally, even if those hurdles are overcome, there is still the perhaps more central challenge of maximizing the value of customer data—a potential source of recovery for creditors.

It’s in response to that last challenge that the Congress passed the Privacy Policy Enforcement in Bankruptcy Act, better known as the Consumer Privacy Ombudsman provisions of the 2005 Bankruptcy Code amendments. A first for both bankruptcy and privacy law, the Consumer Privacy Ombudsman was created to advise bankruptcy courts of the privacy implications surrounding certain data sales and, indirectly, protect consumer data privacy. Although noble in its intentions, bankruptcy practitioners expressed concern that the Consumer Privacy Ombudsman would delay or scuttle critical sales by recommending that data not be transferred as part of the bankruptcy court sale.
But in fact the track record thus far shows that Consumer Privacy Ombudsmen repeatedly have met often challenging deadlines to produce reports, and their recommendations have been supportive of data sales while providing practical suggestions to protect consumers’ data privacy expectations. Rather than disrupt the process, these ombudsmen have, in a very real sense, served to validate the propriety of data transfers to benefit creditors while protecting consumer privacy

This article surveys some of the ombudsman reports filed thus far and analyzes the Tweeter Home Entertainment report in greater detail.

The consumer privacy provisions

By now, most practitioners are aware of the consumer privacy provisions and have some idea of their origins. In short, the provisions were sparked by the Federal Trade Commission’s actions in In re Toysmart. There, a bankrupt Internet toy company sought to sell consumer data in direct contradiction to its privacy policy, which promised that it would “never” share consumer information with third parties. The FTC sought to enjoin Toysmart from that sale and the violation of its privacy policy. Ultimately, the FTC reached a settlement with Toysmart, allowing the transfer of personal data under certain conditions, including notice and an opportunity for consumers to opt out.

The amendment to Bankruptcy Code Section 363 and the creation of Section 332 spring from the Toysmart dispute. Bankruptcy Code Section 363(b)(1) now limits the use, sale, or lease of personally identifiable information “if a debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.”  
If a debtor intends to pursue such a non-consistent sale, the court must appoint a Consumer Privacy Ombudsman pursuant to Section 332. The ombudsman’s duties are limited to advising and assisting the court in digesting the considerable facts and applicable privacy law that may come to play in any 363 sale of consumer data. The section specifically provides that the ombudsman may advise the court on four key factors: (1) the debtor’s privacy policy; (2) the potential losses or gains of privacy to consumers if such sale or lease is approved by the court; (3) the potential cost or benefit to consumers if the transaction is approved; and (4) any potential alternatives that would mitigate potential privacy losses or potential costs to consumers.

After notice, a hearing, and input from the ombudsman, the court may approve the use, sale, or lease of the data after: (i) giving due consideration to the facts, circumstances, and conditions of such sale; and (ii) finding that no showing was made and such sale or such lease would violate applicable non-bankruptcy law

The reports thus far

It appears that there have been as many as 20 cases thus far where a consumer privacy ombudsman has been appointed and filed a report, including: (i) In re Refco, Inc., et al., Case No. 05-60006 (RDD) (Bankr. S.D.N.Y. 2007); (ii) In re Storehouse, Inc., Case No. 06-11144-SSM-Bankr. (E.D.Va. 2007); (iii) In re Tweeter Home Entertainment Group, Inc. et al., Case No. 07-10787(PJW) (Bankr. D. Del. 2007); (iv) In re R.J. Gators, Inc., et al., Case No. 07-14954 (Bankr. S.D. Gla. 2007); (v) In re Foxtons, Inc., Case No. 07-24496 (Bankr. D.N.J. 2007); (vi) JS Marketing and Communications, Inc., Case No. 05-65426-11 (Bankr. D. Mont. 2007); (vii) In re Engaging and Empowering Citizenship, Inc., Case No. 02-BKC-28175-CGC (Bankr. D. Ariz. 2006); (viii) In re Three A’s Holdings, LLC, et al., Case No. 06-10886 (BLS) (Bankr. D. Del. 2006); (ix) In re Bodies in Motion, Inc., Case No. 06-10931
(Bankr. C.D. Cal. 2006); and (x) In re Western Medical, Inc., Case. No. 06-01784 (Bankr. D. Ariz. 2006); and (xi) In re Circuit City Stores, Inc., Case No. 08-35653 (Bankr. E.D.Va. 2008).

In general, these ombudsmen encountered similar sets of facts—debtors seeking to sell PII in the face of privacy policies that did not explicitly allow or were silent as to such transfers. In broad terms, each of these ombudsmen have supported the proposed sales, provided certain conditions were met, such as requiring that: (i) the sales be made to qualified purchasers (those in the same business or that would operate the same business as the Debtor); (ii) the purchaser would serve as a successor-in-interest to the Debtor’s security and privacy policies; (iii) and customers be provided an opportunity to opt in or opt out of the proposed transfer

The Tweeter case

These conditions are perhaps more clearly understood in the context of a real case—In re Tweeter Home Entertainment, Inc., et al. Based upon the ombudsman’s investigation, it appeared that Tweeter collected PII from consumers at retail, call center, and online points of contact, each under similar privacy policies.

Retail. At the retail level, Tweeter collected consumers’ names, addresses, e-mail addresses, and telephone numbers, generally for warranty and marketing purposes. This was so even when customers paid in cash. If a customer applied for or used a credit card, that additional credit card information was also maintained by Tweeter.

Although Tweeter did not appear to have a written privacy policy for retail-level transactions, Tweeter’s CIO confirmed that retail store customers, if asked, were advised that the information collected was kept confidential and was used solely for marketing and customer service purposes.

Telephone orders. Tweeter also allowed purchases by telephone—customers could call a toll-free number and place their orders with a live operator. The call center used the same point-of-sale system as the retail stores, and the same information was collected and routed in the same manner. Likewise, although there appeared to be no written privacy policy for telephone transactions, customers were advised that the information collected was kept confidential and used solely for marketing and customer service purposes.

Online orders. Finally, Tweeter also operated a Web site that provided general information about the company, along with online shopping. The Web site used a typical shopping cart system, where consumers could fill their cart with items and “check out” online. A customer was required to input PII, including credit card information, in order complete the purchase. The Web site offered electronic equipment, as well as DVDs for sale.

The online privacy policy. Tweeter posted its privacy policy prominently on its Web site. The privacy policy was limited to “Personal information collected via this Web site, and not through any other activities of Tweeter or its affiliates or business partners,” and made clear that Tweeter collected PII about customers “like your name, address, e-mail address, phone number, or credit card information, and that is not otherwise publicly available.” Nonetheless, Tweeter also represented that “You have the right to know how your personal information may be used or disclosed.”  

With respect to the PII it collected, Tweeter represented that it:

  • Does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:
  • We provide the information to trusted partners who work on behalf of or with Tweeter under confidentiality agreements. These companies may use your personal information to help Tweeter fulfill orders, process credit card payment, evaluate Tweeter.com, or communicate with you about offers from Tweeter and our marketing partners. However, these companies do not have any independent right to share this information. You may opt out of future marketing communications from Tweeter or our marketing partners at any time by e-mailing to customersupport@tweeter.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it , or calling us at 1-866-690-2370.
  • We transfer information about you if Tweeter is acquired by or merged with another company. In this event, Tweeter will notify you before information about you is transferred and becomes subject to a different privacy policy.

This last clause appeared to be most relevant to the proposed sale, but did not explicitly authorize data transfer in the context of an asset sale.

The privacy policy also contained a disclaimer that provided that it may be changed at any time and without prior notice. Nevertheless, Tweeter represented that it “will notify you about significant changes in the way we treat personal information by sending a notice to the e-mail address you have provided to us or by placing a prominent notice on Tweeter.com so that you may be aware of our actions.”  

The ombudsman recommendation

Relying on established Federal Trade Commission guidance, the ombudsman recommended that the court permit the sale, subject to certain conditions designed to protect consumers’ privacy expectations. More specifically, the Ombudsman recommended that the Tweeter sale be allowed if:

  • The sale of PII was to a “Qualified Buyer.” A “Qualified Buyer” means an entity that: (a) concentrates in the same business and market as Tweeter’s; (b) expressly agrees to be Tweeter’s successor-in-interest as to the customer information; (c) agrees to be responsible for any violation of that policy following the date of purchase; (d) would use the PII only to fulfill customer orders and to personalize customers’ experience on the Web site; and (e) shall not disclose, sell, or transfer customers’ PII to any third party in a manner inconsistent with Tweeter’s Privacy Policy;
  • The Qualified Buyer agrees to be bound and meet the standards established by Tweeter’s Privacy Policy and to maintain at least the same level of security as is presently in place;
  • Tweeter and the Qualified Buyer agree to provide notice of the proposed transfer to any consumer whose PII is being sold, including a posted notice on the Tweeter Web site and by e-mail; and
  • Tweeter and the Qualified Buyer agree to provide consumers with an opportunity to opt out as part of the notification process.

If for any reason the PII were to be sold to any other entity that would not meet the requirements of a “Qualified Buyer,” then the ombudsman recommended that the court should require that:

  • The purchaser must at a minimum agree to abide by Tweeter’s existing privacy policies;
  • Tweeter and the purchaser must provide notice of the proposed transfer to any consumer whose PII it holds by prominent posting on Tweeter’s Web site and via e-mail; and
  • As part of the notification process, Tweeter and the purchaser must provide each consumer with an opportunity to opt in to the transfer, or their information would not be transferred.

Finally, the ombudsman recommended that the order approving the sale of PII also should: (a) require any buyer to file with the court a statement under oath that it has fully complied with the procedures imposed by the court to protect the PII; (b) direct the ombudsman to file a supplemental report confirming such compliance; or (c) both.
Ultimately, the court determined that the successful bidder for Tweeter’s assets was, in fact, a “Qualified Buyer.”  That bidder then agreed to provide posted notice of the transfer and honor opt outs made via their newly acquired Tweeter Web site.

Conclusion

Thus, the Consumer Privacy Ombudsman has so far been easily integrated into the often lightning-quick Section 363 bankruptcy sale process. More important, the ombudsman offers a voice for consumers who typically have none. For bankruptcy practitioners, ombudsmen legitimize a process that could otherwise attract unwanted and highly disruptive attention from regulators or angry consumers. In a very real way, the ombudsman serves as a traffic cop—steering folks through the often treacherous bankruptcy and privacy intersection.

Luis Salazar is a shareholder in the Greenberg Traurig Miami office and a member of the firm’s Business Bankruptcy and Reorganization Department and Data Privacy and Security Law Task Force. He can be reached at salazarl@gtlaw.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it . He drafted the Privacy Policy Enforcement and Bankruptcy Act and has served as the Consumer Privacy Ombudsman in multiple cases, including In re Tweeter Home Entertainment Group, Inc., In re Foxtons, and Vi Corp. Restaurants.

Comments

If you want to comment on this post, you need to login.

Related Stories
Related Stories
Recent Comments