Privacy issues are not new to corporate reorganizations; §§ 322 and 363(b)(1) were enacted as part of BAPCPA precisely to address such concerns.[1] In an increasingly digital age, reorganizing debtors may possess a slew of personally identifiable information (PII), itself a term defined at § 101(41A).[2] These issues have come to the forefront in connection with the recent ConnectEDU bankruptcy and asset sale.[3]
What happened in ConnectEDU?
ConnectEDU is an education technology company principally focused on post-secondary education planning for students. As such, ConnectEDU and its co-debtor subsidiaries, possessed substantial amounts of students’ PII. To protect such information, ConnectEDU’s Privacy Policy states, in pertinent part, that “[i]n the event of sale or intended sale … ConnectEDU will give users reasonable notice and an opportunity to remove personally identifiable data from the service.”[4]
ConnectEDU filed for bankruptcy under chapter 11 on April 28, 2014.[5] Two weeks later, ConnectEDU was actively proposing to sell its assets through 363 sales,[6] but it had not given its users any notice of the impending sales. This raised the interest of the Federal Trade Commission (FTC), which addressed a letter to the presiding bankruptcy judge, alerting her to its perceived issues with any upcoming 363 sale.[7]
The 363 sales, however, needed to be expedited, meaning the implementation of the safeguards of §§ 322 and 363(b)(1) would pose a barrier to swift authorization. In an effort to advance the process while still assuaging its fears, the FTC participated in discussions with the debtors and potential buyers. During a May 29, 2014 hearing, it was stated that, with respect to the sale of assets to Symplicity Corp., “given the exigency of time … [the FTC was] comfortable taking the practical and cooperative approach,”[8] meaning that the formal safeguards provided for under the Code would not be implicated. Instead, a two-step procedure was to be implemented to safeguard all PII transferred in the 363 sale: first, “the PII that is being transferred to the purchaser from the [corporate] assets will be segregated from other data that's being transferred,” and second, “the purchaser will provide the reasonable notice and opportunity to remove the PII to the effected individuals.”[9] The U.S. Trustee, however, maintained an objection to anything but full statutory compliance;[10] however, the court determined that the aforementioned two-step procedure was sufficient to protect any PII transferred during the sale.[11] Thus, in its eventual order approving the terms of the 363 sale, the court approved terms putting the onus of protecting any PII on the buyers.[12]
The Bankruptcy Court’s final order approving the sale of certain of ConnectEDU’s assets to Symplicity included substantial and specific procedures, mirroring those outlined in the May 29 hearing, designed to protect PII.[13] These procedures included post-sale notification and provision of opt-out notices to ConnectEDU’s former clients and segregation of all PII during an enumerated opt-out period.[14] While the ConnectEDU asset sale was consummated without exact compliance with 363(b)(1) attributable to good faith negotiations among all interested parties, the FTC’s objection might have been obviated by doing so in the first place.
What are the rules? (Or, how to avoid the FTC’s attention in the first place.)[15]
Under § 363(b)(1), if PII is to be sold or leased outside the ordinary course of business, one of two things is to occur. If the “sale or lease is consistent with [the pre-existing privacy] policy,” said transaction may occur as normally permitted under § 363.[16] However, if the sale or lease does not comply with the debtor’s privacy policy, a consumer privacy ombudsman is to be appointed under § 332, and at a subsequent hearing, the bankruptcy judge is to consider “the facts, circumstances, and conditions of such sale or lease” as presented by the ombudsman, and make a determination that the disposition would not violate other applicable nonbankruptcy law.[17]
The role of the consumer privacy ombudsman, therefore, is to provide the bankruptcy court with the information related to the specific debtor necessary for it to approve or reject the terms of a 363 sale of PII.[18] Even if the court is satisfied by the findings and recommendations of the ombudsman, it must also consider whether any nonbankruptcy law would be violated by the asset sale.[19] If the court finds that there would be no such violation, it may approve a 363 sale including the transfer of PII.
Conclusion
This instance of a perceived privacy breach in bankruptcy may well have garnered national attention because most of the PII at issue belonged to younger students.[20] However, in an era of individuals becoming increasingly concerned with preserving their privacy on and offline, issues dealing with the disposition of PII in bankruptcy asset sales will only become more pervasive. Insofar as verbatim compliance with the procedures of §§ 322 and 363(b)(1) is not followed, In re ConnectEDU may provide a template for future debtors to ensure PII is protected in asset sales.
[1] Warren E. Agin, Handling Consumer Data in Bankruptcy Mergers and Acquisitions—Coping with the Consumer Privacy Ombudsman Provisions of the 2005 Bankruptcy Act, 60 Consumer Fin. L.Q. Rep. 609, 610 (2006).
[2] PII includes names, addresses, contact information, social security numbers, or credit card information of a non-debtor individual provided to the debtor.
[3] In re ConnectEdu, Inc., No. 14-11238 (Bankr. S.D.N.Y.).
[4] Available at http://www.connectedu.com/privacypolicy.
[5] See In re ConnectEdu, Inc., ECF No. 1 (Apr. 28, 2014).
[6] Id., at ECF Nos. 55, 72, 76, 82 (May 9–14, 2014).
[7] Id., at ECF No. 108 (May 22, 2014), also at 2014 WL 2430969.
[8]Id., at ECF No. 199, at p.29 (June 30, 2014) (Transcript of May 29, 2014 Hearing).
[9] Id., at p. 33–34.
[10] Id., at p. 35–37.
[11] Id., at p. 38.
[12] In re ConnectEdu, Inc., at ECF No. 133 (May 27, 2014) (“To the extent that the Purchased Assets include personally identifiable information, the Buyers shall either comply with the Debtors’ existing privacy policy or such other privacy policy provided that such other privacy policy is no less protective than the Debtors’ existing privacy policy.”)
[13] Id., at ECF No. 164, at p. 15–17 (June 13, 2014).
[14] Id.
[15] See generally Agin, 60 Consumer Fin. L.Q. Rep., at 611–15; 8B C.J.S. Bankruptcy § 877.
[16] 11 U.S.C. § 363(b)(1)(A) (2005).
[17] 11 U.S.C. §§ 363(b)(1)(B); 332(b) (2005).
[18] Warren E. Agin, Reconciling the FTC Act with the Consumer Privacy Ombudsman’s Role, 29-OCT Am. Bankr. Inst. L.J. 38, at *89 (2010).
[19] See, e.g., 15 U.S.C. § 45(a); 15 U.S.C. §§ 6501 et seq.; 16 U.S.C. §§ 6801 et seq.; 28 U.S.C. § 959(b).
[20] See, e.g., Michele Molnar, “Millions of Student Records Sold in Bankruptcy Case,” Education Week (Dec. 9, 2014), available at http://www.edweek.org/ew/articles/2014/12/10/millions-of-student-record….