The Bankruptcy Code revisions in the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 included a requirement that a court appoint a consumer privacy ombudsman (CPO) in some cases involving the sale of personally identifiable information. This requirement has now been in effect for over 10 years, and the time is ripe to assess the CPO’s role in bankruptcy cases.
Background
Two major developments likely drove the creation of the CPO requirement. First, technological advances have made it easier than ever for companies to electronically collect, store and transmit consumer information, such as names, addresses, telephone numbers and credit card information. Second, as bankruptcy has become an increasingly popular vehicle for asset sales, these sales have often included this valuable consumer information, known as personally identifiable information (PII).
These changes came to the forefront in a case involving an online toy company, Toysmart. The company sought to sell PII in bankruptcy in violation of its privacy policy, which provided that Toysmart would “never” share customer information with third parties. The Federal Trade Commission (FTC) objected to the proposed sale and sought to enjoin Toysmart from selling the PII.[1] Although the parties eventually reached a settlement, Congress, in anticipation of similar situations, changed the Bankruptcy Code to provide procedures for this type of sale.
Thus, when a debtor seeks to sell or lease its PII in bankruptcy, § 363(b)(1) prohibits the sale unless either (1) the sale complies with the seller’s privacy policy in effect on the petition date, or (2) the court appoints a CPO pursuant to § 332 and holds a hearing to determine whether the sale would violate applicable nonbankruptcy law. The CPO must be a “disinterested person” whose main task is providing the court with information regarding the terms of the sale as they relate to the types of PII at issue and the seller’s privacy policy.
Case Law
The Borders bankruptcy was a large case involving a CPO appointment.[2] As in Toysmart, Borders sought to sell its PII in bankruptcy, and the FTC became concerned. The FTC and several state attorneys general contacted the appointed CPO, who then made detailed recommendations to the court. Despite this, the court’s sale order did not include all of the CPO’s recommendations. Instead, the court found that the sale was consistent with Borders’ privacy policy and determined that the parties had agreed on an acceptable procedure for contacting customers and notifying them of their rights to opt out of the transfer.[3]
The Borders case thus demonstrates that courts need not implement all of a CPO’s recommendations. In other cases, a CPO appointment can sometimes result in less involvement from the court. In Real Mex Restaurants Inc., the parties voluntarily agreed to accept the CPO’s recommendations, which were modeled off of the same terms agreed to in the Toysmart case, without the need to engage in a lengthy court battle.[4] Indeed, the FTC often uses the Toysmart settlement terms as a benchmark, including the requirement that the PII be sold to a “qualified buyer” — a party who seeks to acquire the PII as part of a larger sale and who plans to operate the business as a going concern.[5]
RadioShack’s bankruptcy is perhaps the most recent large case involving a CPO.[6] In that case, the debtor sought to sell PII to Standard General, a hedge fund. The FTC, 22 states and the District of Columbia all objected to the sale, arguing that it violated both RadioShack’s customer privacy pledge and several state laws.[7] The court-appointed CPO advised that the sale could proceed if the parties adhered to the Toysmart guidelines; however, the CPO did make some modifications to account for the parties’ specific business models.
Analysis
The CPO requirement has arguably facilitated sales of PII, but it also creates some challenges. The benefit of having an independent party to assess and balance the goals of the bankruptcy process with the privacy concerns at stake should not be overlooked. Indeed, CPOs can provide an informed, sensible view of the relevant issues and may serve a coordinator role as well, gathering information from the debtor, state attorneys general, the FTC and other parties in the case. Additionally, even though the Toysmart guidelines have become the benchmark for acceptable PII sales, CPOs may still be needed to adapt and update these guidelines to conform to the specifics of a particular case.
On the other hand, a CPO’s appointment may be costly, as the fees incurred are paid by the debtor’s estate, and the time a CPO needs to conduct a careful review of the relevant issues may create tension over the balance to be struck between the need for a quick sale and the need to examine privacy concerns. Furthermore, CPOs do not appear to reduce the likelihood that the FTC and state attorneys general will become involved in a case, although by serving as a coordinator CPOs may help to reduce overall government interference that could slow down a sale. Finally, because a court can ultimately bypass the CPO’s recommendations, the CPO’s effectiveness in cases may vary depending on how willing the court is to give weight to the CPO’s report.
Conclusion
The role of the CPO may continue to develop and change as new types of companies and new types of PII become the focus of bankruptcy sales. It is important to continue to weigh the benefits and drawbacks of a CPO appointment when considering how the CPO requirement fits in with the overall goals of bankruptcy law and the needs of particular companies in distress.
[1] F.T.C. v. Toysmart.com, 2000 WL 34016434 (D. Mass. Jul. 21, 2000).
[2] In re Borders Group Inc., 2011 WL 5520261 (Bankr. S.D.N.Y. Sept. 27, 2011).
[3] See Kenneth M. Misken & Camisha L. Simmons, “Government Addresses Privacy Concerns in Bankruptcy Sales,” 31-Nov. Am. Bankr. Inst. J. 28 (2012).
[4] In re Real Mex Restaurants Inc., Case No. 1:11-bk-13122 (Bankr. D. Del. 2011).
[5] See, e.g., FTC Seeks Protection for Personal Consumer Information in Borders Bankruptcy Proceeding, Federal Trade Commission, Sept. 21, 2011, available at www.ftc.gov/news-events/press-releases/2011/09/ftc-seeks-protection-per… (stating that “the Toysmart settlement is an appropriate model to apply” in the Borders bankruptcy case).
[6] In re RadioShack Corp., Case No. 15-10197 (BLS) (Bankr. D. Del. 2015).
[7] Michael Hiltzik, “The RadioShack bankruptcy shows you can’t trust a company’s privacy pledge,” Los Angeles Times, May 19, 2015, available at www.latimes.com/business/la-fi-mh-radioshack-you-have-no-privacy-left-2….