United States: Recent Trends In Bankruptcy Sales Of Customer Data

Last Updated: March 2 2017
Article by Robert S. Gebhard

Introduction

In 2005, Congress amended the Bankruptcy Code to address privacy concerns in connection with sales of customer data in bankruptcy cases. The Code was specifically amended to restrict or prohibit the sale of customers' personally identifiable information – as defined by the Bankruptcy Code – when in violation of a debtor company's existing privacy policy.

In practice, the statute mostly has operated to facilitate these sales pursuant to a bankruptcy court approval process, which is conditioned upon satisfaction of certain procedural safeguards. After quickly reviewing the basic statutory framework, we discuss some recent cases involving bankruptcy sales of customer data. We then provide our summary of lessons learned and key takeaways.

Statutory Framework

Section 101(41A) of the Bankruptcy Code's enumerates the specific items of personal information that constitute Personally Identifiable Information within the meaning of the Bankruptcy Code, if provided by an individual in connection with obtaining a product or service from the debtor primarily for personal, family or household purposes. They are as follows: first and last name, residence, email address, telephone number, social security number, or credit card account numbers. In addition, Section 101(41A) provides that Personally Identifiable Information can include a birth date, place of birth or any other item of information concerning an identified individual that, if disclosed, would result in identifying such individual physically or electronically, if such information is identified with one or more of the above enumerated items of personal information.

Section 363(b)(1) of the Bankruptcy Code provides that if the debtor has a privacy policy in effect at the time of the bankruptcy filing, which prohibits the transfer of Personally Identifiable Information ("PII"), the Information cannot be sold in bankruptcy unless additional requirements are satisfied. If triggered, section 363(b)(1) prohibits the sale of PII unless the bankruptcy court finds that the sale is consistent with the debtor's privacy policy or the court approves the sale at a hearing after (a) appointing a consumer privacy ombudsman to assist the court in reviewing the facts and circumstances of the sale and (b) finding that the sale of the information would not violate applicable nonbankruptcy law.

The bankruptcy court orders the appointment of the consumer privacy ombudsman pursuant to section 332 of the Bankruptcy Code, who may appear and be heard at the sale hearing. Section 332 provides a non-exclusive list of the information and topics to be included in the ombudsman's report and recommendations to the court. They include the potential losses or gains of privacy to consumers if the sale is approved, the potential costs or benefits to consumers if the sale is approved, and the potential alternatives that would mitigate privacy losses or potential costs to consumers.

Recent Bankruptcy Sales of Customer Data

  1. BPS Holdings (2017): The debtor companies manufactured, distributed and sold sports equipment, accessories and apparel under a number of band names. Products were sold in U.S. and Canada, and the companies operated a number of websites which collected a variety of PII from their customers, in some cases from minors. After filing bankruptcy, the debtors requested bankruptcy court approval to complete two sales of their businesses: (1) Sale of their soccer apparel and equipment business ("Soccer Business") to their co-founder and (2) Sale of their hockey, lacrosse, and baseball businesses ("Other Business") to a newly formed company.

    The bankruptcy court appointed a privacy ombudsman, who examined the debtors' privacy policies and data collection practices among the various businesses. The ombudsman recommended court approval of both sales under certain terms and conditions, and the both sales were recently approved by the bankruptcy court.

    Sale of Soccer Business: The ombudsman found that the debtors operated two websites for the Soccer Business, pursuant to which they collected customer names, addresses, phone numbers, email addresses and order histories. They did not collect any other categories of PII, nor track customer activity via cookies or other tracking technologies. At the time of the bankruptcy filing, a privacy policy was posted on one of the websites, which promised customers that their PII would not be sold or transferred to any other company for any reason whatsoever.

    The privacy ombudsman recommended that the court approve the sale subject to the following conditions: (1) the buyer must engage in substantially the same line of business, (2) the buyer must adhere to all material terms of the existing privacy policy, (3) the buyer must agree to obtain the customers' affirmative consent before making any material changes to the privacy practices to the PII collected under the existing privacy policy, and (4) the buyer must agree to comply with applicable privacy and data protection laws.

    The privacy ombudsman did not recommend, and the buyer not agree, that notice be given to the customers of the proposed sale with an ability to opt-out of the sale of their PII to the buyer. The sale was approved without any required opt-out notice..

    Sale of the Other Businesses: The ombudsman found that the debtors operated several websites and Instagram pages among the different sports businesses, collecting customer names, mailing addresses, phone numbers, email addresses, birth dates, ages, genders, zip codes, and payment information, in different combinations. The debtors also collected anonymized customer usage and demographic data from Google and Amazon. Certain of the websites also collected personally identifiable from minors.

    The ombudsman reported that some websites for the various businesses posted privacy policies, while others did not. Most of the privacy policies promised customers that their PII would not be sold without prior notice; one of the websites posted a policy that PII might be shared with affiliated companies or third party service providers for the purpose of conducting business, and promised that PII would not be provided to any third parties for their own marketing purposes. In certain instances, the ombudsman indicated that he had requested, but had not received, any prior or currently applicable privacy policies.

    The ombudsman recommended that the sale be approved on a number of conditions. As to websites which notified customers that their PII would not be sold without prior notice, the ombudsman recommended (1) email notice of the sale to customers, (2) if the buyer did not agree to be bound by the existing privacy policy, an opt-out opportunity, and (3) the buyer's agreement to comply with applicable privacy and data protection laws. As to the website which promised customers that their PII would not be shared, the ombudsman recommended that the buyer obtain the customers' affirmative consent to the sale of the PII or a showing by the buyer that it would (1) engage in substantially the same line of businesses, (2) adhere in all material respects to the existing privacy policy (3) obtain customer affirmative consent before making any material changes to privacy practices, and (4)agree to comply applicable privacy and data protection laws.

    For websites with no privacy policies, the ombudsman did not recommend any conditions other than the buyer's agreement to comply with applicable privacy and data protection laws. For websites in which the ombudsman was unable to confirm the existence or absence of any privacy policy, the ombudsman recommended that the debtors obtain consent from the customers before the sale of their PII to the buyer. Lastly, the ombudsman objected to the debtor's transfer of any PII of children under the age 13, consistent with the Children's Online Privacy Protection Act.

    The court approved the sale without requiring opt-out notices to consumers, but required affirmative customer consent with respect to the sale of PII collected prior to existing privacy policies for certain of the websites. The court also required the debtors to delete all PII of children prior to the sale.
  2. Aeropostale (2016): The debtor companies sold clothing in the U.S. and Canada in retail outlets and through 2 websites under a variety of brands. The websites collected customers' names and addresses (mailing and email). Phone numbers also could be collected for shipping purposes only. Similar PII was collected in the retail stores. The websites also tracked and collected historical usage and transaction data, and the customers' IP address, browser information and reference site domain name.

    The company also conducted certain contests and sweepstakes, which, in certain instances, required customers to provide their social security numbers, in addition to their names and addresses. The company did not collect credit card numbers or other payment information.

    At the time of the bankruptcy filing, the posted privacy policy on one of the websites stated that the PII would not be shared with others "except with your consent or as described in this Privacy Policy." The policy described a number of circumstances for the companies' sharing of PII with affiliates or marketing or service partners, or where required by law, but the policy did not provide for the sharing of the PII in the event of a bankruptcy or sale of the company or its assets. On the second website, the posted privacy policy explicitly promised customers that their PII would "never" be sold, rented or given away.

    After filing bankruptcy, the debtors conducted an auction of their operating assets, including the customer PII, and thereafter moved for approval of the sale to the winning bidder. The court-appointed ombudsman recommended approval of the sale of the customer PII after reporting that under the terms of the sale the proposed transfer of PII was subject to a 60 day opt-out notice to customers after the closing of the sale as to any future use of their PII by the buyer. The ombudsman noted that this opt-out provision was not a specific recommendation of the ombudsman, rather it was agreed to between the debtors and the buyer.

    The ombudsman specifically recommended that the sale be further conditioned upon the buyer's agreement to (1) employ appropriate security controls and procedures to PII, (2) abide by all application laws and regulations with respect to PII, (3) abide by the debtor companies' existing privacy policies and related promises, and (4) respect all prior requested opt-out requests by customers. In addition, the ombudsman recommended that absent prior express consent from customers, the buyer's future use of PII should be limited to the purposes of continuing business operations that were purchased and providing goods and services to customers.

    Thereafter, the bankruptcy court approved the sale after adopting the ombudsman's recommended conditions to the sale of the PII.
  3. Golfsmith (2016): The affiliated debtors were the largest specialty golf retailer in the world, offering customers an extensive selection of golf equipment and related services. The debtors operated their business as an integrated multi-channel retailer, with retail stores, catalog sales and e-commerce pursuant a website. After filing bankruptcy, the debtors moved to sell their assets pursuant to a court supervised auction. The winning bidder, a large sporting goods retailer, sought to purchase the business as a going concern.

    Included in the purchased assets were all of the Debtors' customer information including contact information (name, email, mailing address, and phone number), birthday and gender, and transaction history, with the exception of any credit card information or social security number information that might be in the debtors' possession. At the time of the bankruptcy filing, the debtors' privacy policy disclosed that certain PII would be shared with trusted third party service providers, but phone numbers would not be made available to other companies or organizations and email addresses would not be shared or distributed and would remain in the sole possession of the debtors. An earlier privacy policy also promised customers that their email addresses would not be sold.

    The privacy ombudsman's report recommended approval of the sale subject to a number of conditions, including the buyer's agreement to (1) be bound by and succeed to the debtors' existing privacy policy, (2) be responsible for any violation of the privacy policy after the closing of the sale, (3) notify the customers of the sale and provide them with an opt-out opportunity for the transfer of any customer PII to the buyer, which such notice to be posted both on the debtors' website and retail stores, (4) provide further opt-out notice to customers of any attempt to convert the customers to the buyer's privacy policy, and (5) safeguard all customer PII in a manner consistent with industry standard data protections and applicable information security laws and best practices.

    In addition, the ombudsman recommended that the buyer agree to destroy all PII for which it determined that there was no reasonable business need and that the debtors destroy all customer PII not transferred to the buyer within 90 days after the closing of the sale.

    The court approved the sale as conditioned by the ombudsman's recommendations.
  4. RadioShack (2015): After filing bankruptcy, the debtor proposed a sale of its customer records database along with certain IP on a standalone basis. The data was not part of a sale of the debtor's business to the buyer as a going concern. The data base included customer names, email and mailing addresses, and phone numbers and extensive transaction data, including credit and debit card numbers and social security numbers. The debtor carved-out the credit and debit card numbers and social security numbers from the proposed sale.

    The debtor's pre-bankruptcy privacy policies advised customers that, among other things, the company's mailing list would not be sold, customer PII would not be used for any purpose other than carrying out services requested from the company, and the company would not "sell or rent customer PII to anyone at any time."

    The proposed sale drew objections from the Federal Trade Commission and State Attorneys Generals from 38 states. In addition, the court appointed a consumer privacy ombudsman to review the proposed sale. Thereafter, the FTC, States Attorneys General, debtor and successful bidder mediated this dispute and reached a consensual resolution which also was subsequently endorsed by the ombudsman.

    As part of the settlement, the buyer agreed to purchase only a very limited subset of the customer PII, namely (1) email addresses of customers that were active within 2 years prior to the bankruptcy filing along with certain limited transaction data collected in the five years prior to the bankruptcy filing and (2) customer names and mailing addresses with certain limited transaction data associated therewith in the 5 year period prior to bankruptcy. No customer phone numbers were sold.

    In addition, the buyer agreed to a number of other protections in the mediated settlement, including the buyer's agreement to (1) become a successor in interest under the debtor's existing privacy policies, adhering to all material terms and assuming liability for any violations thereof, (2) effectuate an extensive notice and opt-out procedure for affected customers, (3) not make further material changes to the privacy policies without further notice and opt-out opportunity to affected customers, (4) safeguard all PII in a manner consistent with industry data security protections, applicable information security laws and best practice and (4) destroy all PII for which it had no reasonable business need. In addition, the debtor agreed to destroy any PII not conveyed to the buyer.

    The court approved the sale as modified by this mediated settlement.

Lessons Learned and Key Takeaways

  • Sales of customer PII on a standalone basis, or which are not part of a sale of the debtor's business in which the buyer will continue to provide the same or similar products or services, will continue to draw greater judicial scrutiny and likely require more limitations and protections, as a condition to their approval by the bankruptcy court.
  • Absent objections by affected consumers, the bankruptcy courts likely will continue to approve sales of customer PII in bankruptcy cases in accordance with the recommendations of the consumer privacy ombudsmen who are appointed by the courts, in many instances with no opportunity for customer opt-out.
  • Although a number of bankruptcy sales of PII have included some form of opt-out notice to the affected customers, it remains to be seen in future cases whether buyers will continue to agree or be required to provide such notices. Much may depend upon the particular factual circumstances, but consumer privacy ombudsman do not consistently recommended such restrictions as a condition to the approval of these sales.
  • Some bankruptcy sales of PII have been conditioned upon the buyer assuming certain liability for breaches of the debtor's privacy policy and/or obligations to safeguard PII in accordance with applicable law or industry standards. At the same time, the debtor's assets are often sold to the buyer free and clear of any liens, claims, or interests, including potential successor liability. It remains to be seen whether significant disputes or litigation will arise after the closing of these bankruptcy sales of customer PII in the event of a subsequent discovery of a data security breach or other breach of the debtor's prior privacy policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.