United States: Recent Trends In Bankruptcy Sales Of Customer Data

Introduction

In 2005, Congress amended the Bankruptcy Code to address privacy concerns in connection with sales of customer data in bankruptcy cases. The Code was specifically amended to restrict or prohibit the sale of customers' personally identifiable information – as defined by the Bankruptcy Code – when in violation of a debtor company's existing privacy policy.

In practice, the statute mostly has operated to facilitate these sales pursuant to a bankruptcy court approval process, which is conditioned upon satisfaction of certain procedural safeguards. After quickly reviewing the basic statutory framework, we discuss some recent cases involving bankruptcy sales of customer data. We then provide our summary of lessons learned and key takeaways.

Statutory Framework

Section 101(41A) of the Bankruptcy Code's enumerates the specific items of personal information that constitute Personally Identifiable Information within the meaning of the Bankruptcy Code, if provided by an individual in connection with obtaining a product or service from the debtor primarily for personal, family or household purposes. They are as follows: first and last name, residence, email address, telephone number, social security number, or credit card account numbers. In addition, Section 101(41A) provides that Personally Identifiable Information can include a birth date, place of birth or any other item of information concerning an identified individual that, if disclosed, would result in identifying such individual physically or electronically, if such information is identified with one or more of the above enumerated items of personal information.

Section 363(b)(1) of the Bankruptcy Code provides that if the debtor has a privacy policy in effect at the time of the bankruptcy filing, which prohibits the transfer of Personally Identifiable Information ("PII"), the Information cannot be sold in bankruptcy unless additional requirements are satisfied. If triggered, section 363(b)(1) prohibits the sale of PII unless the bankruptcy court finds that the sale is consistent with the debtor's privacy policy or the court approves the sale at a hearing after (a) appointing a consumer privacy ombudsman to assist the court in reviewing the facts and circumstances of the sale and (b) finding that the sale of the information would not violate applicable nonbankruptcy law.

The bankruptcy court orders the appointment of the consumer privacy ombudsman pursuant to section 332 of the Bankruptcy Code, who may appear and be heard at the sale hearing. Section 332 provides a non-exclusive list of the information and topics to be included in the ombudsman's report and recommendations to the court. They include the potential losses or gains of privacy to consumers if the sale is approved, the potential costs or benefits to consumers if the sale is approved, and the potential alternatives that would mitigate privacy losses or potential costs to consumers.

Recent Bankruptcy Sales of Customer Data

1. BPS Holdings (2017): The debtor companies manufactured, distributed and sold sports equipment, accessories and apparel under a number of band names. Products were sold in U.S. and Canada, and the companies operated a number of websites which collected a variety of PII from their customers, in some cases from minors. After filing bankruptcy, the debtors requested bankruptcy court approval to complete two sales of their businesses: (1) Sale of their soccer apparel and equipment business ("Soccer Business") to their co-founder and (2) Sale of their hockey, lacrosse, and baseball businesses ("Other Business") to a newly formed company.
   
   The bankruptcy court appointed a privacy ombudsman, who examined the debtors' privacy policies and data collection practices among the various businesses. The ombudsman recommended court approval of both sales under certain terms and conditions, and the both sales were recently approved by the bankruptcy court.
   
   Sale of Soccer Business: The ombudsman found that the debtors operated two websites for the Soccer Business, pursuant to which they collected customer names, addresses, phone numbers, email addresses and order histories. They did not collect any other categories of PII, nor track customer activity via cookies or other tracking technologies. At the time of the bankruptcy filing, a privacy policy was posted on one of the websites, which promised customers that their PII would not be sold or transferred to any other company for any reason whatsoever.
   
   The privacy ombudsman recommended that the court approve the sale subject to the following conditions: (1) the buyer must engage in substantially the same line of business, (2) the buyer must adhere to all material terms of the existing privacy policy, (3) the buyer must agree to obtain the customers' affirmative consent before making any material changes to the privacy practices to the PII collected under the existing privacy policy, and (4) the buyer must agree to comply with applicable privacy and data protection laws.
   
   The privacy ombudsman did not recommend, and the buyer not agree, that notice be given to the customers of the proposed sale with an ability to opt-out of the sale of their PII to the buyer. The sale was approved without any required opt-out notice..
   
   Sale of the Other Businesses: The ombudsman found that the debtors operated several websites and Instagram pages among the different sports businesses, collecting customer names, mailing addresses, phone numbers, email addresses, birth dates, ages, genders, zip codes, and payment information, in different combinations. The debtors also collected anonymized customer usage and demographic data from Google and Amazon. Certain of the websites also collected personally identifiable from minors.
   
   The ombudsman reported that some websites for the various businesses posted privacy policies, while others did not. Most of the privacy policies promised customers that their PII would not be sold without prior notice; one of the websites posted a policy that PII might be shared with affiliated companies or third party service providers for the purpose of conducting business, and promised that PII would not be provided to any third parties for their own marketing purposes. In certain instances, the ombudsman indicated that he had requested, but had not received, any prior or currently applicable privacy policies.
   
   The ombudsman recommended that the sale be approved on a number of conditions. As to websites which notified customers that their PII would not be sold without prior notice, the ombudsman recommended (1) email notice of the sale to customers, (2) if the buyer did not agree to be bound by the existing privacy policy, an opt-out opportunity, and (3) the buyer's agreement to comply with applicable privacy and data protection laws. As to the website which promised customers that their PII would not be shared, the ombudsman recommended that the buyer obtain the customers' affirmative consent to the sale of the PII or a showing by the buyer that it would (1) engage in substantially the same line of businesses, (2) adhere in all material respects to the existing privacy policy (3) obtain customer affirmative consent before making any material changes to privacy practices, and (4)agree to comply applicable privacy and data protection laws.
   
   For websites with no privacy policies, the ombudsman did not recommend any conditions other than the buyer's agreement to comply with applicable privacy and data protection laws. For websites in which the ombudsman was unable to confirm the existence or absence of any privacy policy, the ombudsman recommended that the debtors obtain consent from the customers before the sale of their PII to the buyer. Lastly, the ombudsman objected to the debtor's transfer of any PII of children under the age 13, consistent with the Children's Online Privacy Protection Act.
   
   The court approved the sale without requiring opt-out notices to consumers, but required affirmative customer consent with respect to the sale of PII collected prior to existing privacy policies for certain of the websites. The court also required the debtors to delete all PII of children prior to the sale.
2. Aeropostale (2016): The debtor companies sold clothing in the U.S. and Canada in retail outlets and through 2 websites under a variety of brands. The websites collected customers' names and addresses (mailing and email). Phone numbers also could be collected for shipping purposes only. Similar PII was collected in the retail stores. The websites also tracked and collected historical usage and transaction data, and the customers' IP address, browser information and reference site domain name.
   
   The company also conducted certain contests and sweepstakes, which, in certain instances, required customers to provide their social security numbers, in addition to their names and addresses. The company did not collect credit card numbers or other payment information.
   
   At the time of the bankruptcy filing, the posted privacy policy on one of the websites stated that the PII would not be shared with others "except with your consent or as described in this Privacy Policy." The policy described a number of circumstances for the companies' sharing of PII with affiliates or marketing or service partners, or where required by law, but the policy did not provide for the sharing of the PII in the event of a bankruptcy or sale of the company or its assets. On the second website, the posted privacy policy explicitly promised customers that their PII would "never" be sold, rented or given away.
   
   After filing bankruptcy, the debtors conducted an auction of their operating assets, including the customer PII, and thereafter moved for approval of the sale to the winning bidder. The court-appointed ombudsman recommended approval of the sale of the customer PII after reporting that under the terms of the sale the proposed transfer of PII was subject to a 60 day opt-out notice to customers after the closing of the sale as to any future use of their PII by the buyer. The ombudsman noted that this opt-out provision was not a specific recommendation of the ombudsman, rather it was agreed to between the debtors and the buyer.
   
   The ombudsman specifically recommended that the sale be further conditioned upon the buyer's agreement to (1) employ appropriate security controls and procedures to PII, (2) abide by all application laws and regulations with respect to PII, (3) abide by the debtor companies' existing privacy policies and related promises, and (4) respect all prior requested opt-out requests by customers. In addition, the ombudsman recommended that absent prior express consent from customers, the buyer's future use of PII should be limited to the purposes of continuing business operations that were purchased and providing goods and services to customers.
   
   Thereafter, the bankruptcy court approved the sale after adopting the ombudsman's recommended conditions to the sale of the PII.
3. Golfsmith (2016): The affiliated debtors were the largest specialty golf retailer in the world, offering customers an extensive selection of golf equipment and related services. The debtors operated their business as an integrated multi-channel retailer, with retail stores, catalog sales and e-commerce pursuant a website. After filing bankruptcy, the debtors moved to sell their assets pursuant to a court supervised auction. The winning bidder, a large sporting goods retailer, sought to purchase the business as a going concern.
   
   Included in the purchased assets were all of the Debtors' customer information including contact information (name, email, mailing address, and phone number), birthday and gender, and transaction history, with the exception of any credit card information or social security number information that might be in the debtors' possession. At the time of the bankruptcy filing, the debtors' privacy policy disclosed that certain PII would be shared with trusted third party service providers, but phone numbers would not be made available to other companies or organizations and email addresses would not be shared or distributed and would remain in the sole possession of the debtors. An earlier privacy policy also promised customers that their email addresses would not be sold.
   
   The privacy ombudsman's report recommended approval of the sale subject to a number of conditions, including the buyer's agreement to (1) be bound by and succeed to the debtors' existing privacy policy, (2) be responsible for any violation of the privacy policy after the closing of the sale, (3) notify the customers of the sale and provide them with an opt-out opportunity for the transfer of any customer PII to the buyer, which such notice to be posted both on the debtors' website and retail stores, (4) provide further opt-out notice to customers of any attempt to convert the customers to the buyer's privacy policy, and (5) safeguard all customer PII in a manner consistent with industry standard data protections and applicable information security laws and best practices.
   
   In addition, the ombudsman recommended that the buyer agree to destroy all PII for which it determined that there was no reasonable business need and that the debtors destroy all customer PII not transferred to the buyer within 90 days after the closing of the sale.
   
   The court approved the sale as conditioned by the ombudsman's recommendations.
4. RadioShack (2015): After filing bankruptcy, the debtor proposed a sale of its customer records database along with certain IP on a standalone basis. The data was not part of a sale of the debtor's business to the buyer as a going concern. The data base included customer names, email and mailing addresses, and phone numbers and extensive transaction data, including credit and debit card numbers and social security numbers. The debtor carved-out the credit and debit card numbers and social security numbers from the proposed sale.
   
   The debtor's pre-bankruptcy privacy policies advised customers that, among other things, the company's mailing list would not be sold, customer PII would not be used for any purpose other than carrying out services requested from the company, and the company would not "sell or rent customer PII to anyone at any time."
   
   The proposed sale drew objections from the Federal Trade Commission and State Attorneys Generals from 38 states. In addition, the court appointed a consumer privacy ombudsman to review the proposed sale. Thereafter, the FTC, States Attorneys General, debtor and successful bidder mediated this dispute and reached a consensual resolution which also was subsequently endorsed by the ombudsman.
   
   As part of the settlement, the buyer agreed to purchase only a very limited subset of the customer PII, namely (1) email addresses of customers that were active within 2 years prior to the bankruptcy filing along with certain limited transaction data collected in the five years prior to the bankruptcy filing and (2) customer names and mailing addresses with certain limited transaction data associated therewith in the 5 year period prior to bankruptcy. No customer phone numbers were sold.
   
   In addition, the buyer agreed to a number of other protections in the mediated settlement, including the buyer's agreement to (1) become a successor in interest under the debtor's existing privacy policies, adhering to all material terms and assuming liability for any violations thereof, (2) effectuate an extensive notice and opt-out procedure for affected customers, (3) not make further material changes to the privacy policies without further notice and opt-out opportunity to affected customers, (4) safeguard all PII in a manner consistent with industry data security protections, applicable information security laws and best practice and (4) destroy all PII for which it had no reasonable business need. In addition, the debtor agreed to destroy any PII not conveyed to the buyer.
   
   The court approved the sale as modified by this mediated settlement.

Lessons Learned and Key Takeaways

• Sales of customer PII on a standalone basis, or which are not part of a sale of the debtor's business in which the buyer will continue to provide the same or similar products or services, will continue to draw greater judicial scrutiny and likely require more limitations and protections, as a condition to their approval by the bankruptcy court.
• Absent objections by affected consumers, the bankruptcy courts likely will continue to approve sales of customer PII in bankruptcy cases in accordance with the recommendations of the consumer privacy ombudsmen who are appointed by the courts, in many instances with no opportunity for customer opt-out.
• Although a number of bankruptcy sales of PII have included some form of opt-out notice to the affected customers, it remains to be seen in future cases whether buyers will continue to agree or be required to provide such notices. Much may depend upon the particular factual circumstances, but consumer privacy ombudsman do not consistently recommended such restrictions as a condition to the approval of these sales.
• Some bankruptcy sales of PII have been conditioned upon the buyer assuming certain liability for breaches of the debtor's privacy policy and/or obligations to safeguard PII in accordance with applicable law or industry standards. At the same time, the debtor's assets are often sold to the buyer free and clear of any liens, claims, or interests, including potential successor liability. It remains to be seen whether significant disputes or litigation will arise after the closing of these bankruptcy sales of customer PII in the event of a subsequent discovery of a data security breach or other breach of the debtor's prior privacy policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.