By Luis Salazar
Business bankruptcy filings rose 59.7 percent over a 12-month period ending March 31, 2009. According to the Administrative Office of the U.S. Courts, more than 49,000 businesses filed for bankruptcy during that period. But when it came to satisfying creditors, not all of these businesses’ assets were up for grabs. Data assets garner special attention in bankruptcy court. Here, Luis Salazar explains how sensitive information and valuable customer data is handled when a business goes bust, and the role of the Consumer Privacy Ombudsman in bankruptcy proceedings.
It’s hard enough to manage and secure data on a day-to-day basis, but just imagine trying to accomplish that same task with no money, no staff, and under intense public scrutiny. Some—the cynics among you—are already thinking “I do that everyday.” But even our usual challenges pale in comparison to managing data privacy and security at that most dangerous intersection—where it meets bankruptcy.
Financially troubled companies present unique challenges. First, the lack of resources and chaotic environment often leads to data escaping out the door through increasingly lax security or by employees seeking some “self-help” to cover their losses. Second, businesses do a poor job disposing of records containing confidential information—what might be referred to as the “dumpster syndrome.” Finally, even if those hurdles are overcome, there is still the perhaps more central challenge of maximizing the value of customer data—a potential source of recovery for creditors.
But in fact the track record thus far shows that Consumer Privacy Ombudsmen repeatedly have met often challenging deadlines to produce reports, and their recommendations have been supportive of data sales while providing practical suggestions to protect consumers’ data privacy expectations. Rather than disrupt the process, these ombudsmen have, in a very real sense, served to validate the propriety of data transfers to benefit creditors while protecting consumer privacy
This article surveys some of the ombudsman reports filed thus far and analyzes the Tweeter Home Entertainment report in greater detail.
The consumer privacy provisions
The amendment to Bankruptcy Code Section 363 and the creation of Section 332 spring from the Toysmart dispute. Bankruptcy Code Section 363(b)(1) now limits the use, sale, or lease of personally identifiable information “if a debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.”
After notice, a hearing, and input from the ombudsman, the court may approve the use, sale, or lease of the data after: (i) giving due consideration to the facts, circumstances, and conditions of such sale; and (ii) finding that no showing was made and such sale or such lease would violate applicable non-bankruptcy law
The reports thus far
It appears that there have been as many as 20 cases thus far where a consumer privacy ombudsman has been appointed and filed a report, including: (i) In re Refco, Inc., et al., Case No. 05-60006 (RDD) (Bankr. S.D.N.Y. 2007); (ii) In re Storehouse, Inc., Case No. 06-11144-SSM-Bankr. (E.D.Va. 2007); (iii) In re Tweeter Home Entertainment Group, Inc. et al., Case No. 07-10787(PJW) (Bankr. D. Del. 2007); (iv) In re R.J. Gators, Inc., et al., Case No. 07-14954 (Bankr. S.D. Gla. 2007); (v) In re Foxtons, Inc., Case No. 07-24496 (Bankr. D.N.J. 2007); (vi) JS Marketing and Communications, Inc., Case No. 05-65426-11 (Bankr. D. Mont. 2007); (vii) In re Engaging and Empowering Citizenship, Inc., Case No. 02-BKC-28175-CGC (Bankr. D. Ariz. 2006); (viii) In re Three A’s Holdings, LLC, et al., Case No. 06-10886 (BLS) (Bankr. D. Del. 2006); (ix) In re Bodies in Motion, Inc., Case No. 06-10931
(Bankr. C.D. Cal. 2006); and (x) In re Western Medical, Inc., Case. No. 06-01784 (Bankr. D. Ariz. 2006); and (xi) In re Circuit City Stores, Inc., Case No. 08-35653 (Bankr. E.D.Va. 2008).
In general, these ombudsmen encountered similar sets of facts—debtors seeking to sell PII in the face of privacy policies that did not explicitly allow or were silent as to such transfers. In broad terms, each of these ombudsmen have supported the proposed sales, provided certain conditions were met, such as requiring that: (i) the sales be made to qualified purchasers (those in the same business or that would operate the same business as the Debtor); (ii) the purchaser would serve as a successor-in-interest to the Debtor’s security and privacy policies; (iii) and customers be provided an opportunity to opt in or opt out of the proposed transfer
The Tweeter case
These conditions are perhaps more clearly understood in the context of a real case—In re Tweeter Home Entertainment, Inc., et al. Based upon the ombudsman’s investigation, it appeared that Tweeter collected PII from consumers at retail, call center, and online points of contact, each under similar privacy policies.
Retail. At the retail level, Tweeter collected consumers’ names, addresses, e-mail addresses, and telephone numbers, generally for warranty and marketing purposes. This was so even when customers paid in cash. If a customer applied for or used a credit card, that additional credit card information was also maintained by Tweeter.
Online orders. Finally, Tweeter also operated a Web site that provided general information about the company, along with online shopping. The Web site used a typical shopping cart system, where consumers could fill their cart with items and “check out” online. A customer was required to input PII, including credit card information, in order complete the purchase. The Web site offered electronic equipment, as well as DVDs for sale.
With respect to the PII it collected, Tweeter represented that it:
- Does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:
This last clause appeared to be most relevant to the proposed sale, but did not explicitly authorize data transfer in the context of an asset sale.
The ombudsman recommendation
Relying on established Federal Trade Commission guidance, the ombudsman recommended that the court permit the sale, subject to certain conditions designed to protect consumers’ privacy expectations. More specifically, the Ombudsman recommended that the Tweeter sale be allowed if:
- Tweeter and the Qualified Buyer agree to provide notice of the proposed transfer to any consumer whose PII is being sold, including a posted notice on the Tweeter Web site and by e-mail; and
- Tweeter and the Qualified Buyer agree to provide consumers with an opportunity to opt out as part of the notification process.
If for any reason the PII were to be sold to any other entity that would not meet the requirements of a “Qualified Buyer,” then the ombudsman recommended that the court should require that:
- The purchaser must at a minimum agree to abide by Tweeter’s existing privacy policies;
- Tweeter and the purchaser must provide notice of the proposed transfer to any consumer whose PII it holds by prominent posting on Tweeter’s Web site and via e-mail; and
- As part of the notification process, Tweeter and the purchaser must provide each consumer with an opportunity to opt in to the transfer, or their information would not be transferred.
Finally, the ombudsman recommended that the order approving the sale of PII also should: (a) require any buyer to file with the court a statement under oath that it has fully complied with the procedures imposed by the court to protect the PII; (b) direct the ombudsman to file a supplemental report confirming such compliance; or (c) both.
Ultimately, the court determined that the successful bidder for Tweeter’s assets was, in fact, a “Qualified Buyer.” That bidder then agreed to provide posted notice of the transfer and honor opt outs made via their newly acquired Tweeter Web site.
Thus, the Consumer Privacy Ombudsman has so far been easily integrated into the often lightning-quick Section 363 bankruptcy sale process. More important, the ombudsman offers a voice for consumers who typically have none. For bankruptcy practitioners, ombudsmen legitimize a process that could otherwise attract unwanted and highly disruptive attention from regulators or angry consumers. In a very real way, the ombudsman serves as a traffic cop—steering folks through the often treacherous bankruptcy and privacy intersection.