Recent Consumer/Creditor Privacy Issues in Crypto Industry Bankruptcies

Over the past year, case law around privacy and data security has been evolving in crypto industry bankruptcies, as courts grapple with familiar issues in a new industry. Debtors, unsecured creditors’ committees and other proponents of greater privacy for creditors of crypto companies argue that greater precautions are required because crypto company creditors are more likely than creditors of other types of companies to be targeted by identity theft and scams. Crypto assets can be attractive to scammers and other bad actors due to the anonymity of cryptocurrency transactions and difficulty tracing crypto assets.

While the Bankruptcy Code generally favors transparency, the Code and courts impose limits to that transparency. For example, Rule 9037 of the Federal Rules of Bankruptcy Procedure requires any filing in a bankruptcy court to limit disclosure of personally identifiable information (PII) to the following: (1) the last four digits of a Social Security number or tax identification number; (2) birthdates only to the year; (3) limiting the names of minor children to their initials; and (4) financial account numbers to the last four digits.

Section 107(c) of the Bankruptcy Code provides that the court may protect information of individuals if “disclosure of such information would create undue risk of identity theft or other unlawful injury to the individual or the individual’s property.”[2] Courts often cite § 107(c) to authorize the redaction, filing under seal or entry of a protective order to protect vulnerable populations (e.g., nursing home residents and sex abuse victims). Bankruptcy Rule 1007(j) also permits the court to direct the impounding of creditor lists, schedules of assets and liabilities, statements of financial affairs and other documents for cause. This article discusses three recent crypto industry cases where courts were tasked with applying bankruptcy law’s competing goals of transparency and protection of PII to the question of whether to redact creditor information.

In re Celsius Network LLC

In In re Celsius Network LLC, the debtors filed various motions requesting the authority to redact names, home addresses and email addresses of individuals listed on the debtors’ creditor matrix, schedules of assets and liabilities, statements of financial affairs and any other documents filed publicly on the court docket.[3] In the motions, the debtors raised concerns about identity theft for the impacted individual creditors, as well as a negative impact on the debtors’ future ability to monetize potentially valuable customer lists once publicly disclosed.[4]

Hon. Martin Glenn of the U.S. Bankruptcy Court for the Southern District of New York granted the motion in part and denied it in part, ruling that (1) individual customers’ home addresses and email addresses could be sealed; (2) individual customers’ names could not be sealed; and (3) businesses’ names, addresses and email addresses could not be sealed.[5] The court reasoned that customer names were not sensitive commercial information worthy of protection under § 107(b), and that the risk of identity theft or personal danger was too speculative to justify redaction under § 107(c).[6] The court also held that “[t]he strong public policy of transparency and public disclosure in bankruptcy cases requires very narrow exceptions and only on strong evidentiary showings.”[7]

Later in the case, Judge Glenn appointed a consumer privacy ombudsman (CPO) to provide data-privacy recommendations in the event that the debtors choose to sell PII in their possession during the bankruptcy case.[8] On Jan. 27, 2023, the CPO filed its first report.[9] According to the report, after the debtors filed their schedules of assets and liabilities and statements of financial affairs, which disclosed customer names, “someone created a searchable database of the published names and financial transactions” that could be used “to try to determine the identity of particular individuals who may have suffered losses in the case.”[10]

To date, the debtors have also filed nine notices of phishing attempts on the public court docket, disclosing known phishing attempts, including an altered version of a court order, spoofed websites and unauthorized emails purporting to be official communications from the debtors’ counsel, Celsius Network employees, or the claims and noticing agent appointed in the case.[11] It is unclear whether bad actors were able to target individual customers more easily because their names were disclosed on the public court docket, but parties in other cases have cited these phishing attempts as evidence that sealing customer names was warranted.

In re FTX Trading Ltd.

In In re FTX Trading Ltd.,[12] Hon. John T. Dorsey of the U.S. Bankruptcy Court for the District of Delaware granted a redaction request similar to that of the Celsius debtors.[13] Judge Dorsey ruled that (1) the debtors may redact the names, addresses and email addresses of creditors and equityholders for 90 days after entry of the order; (2) the debtors may redact names, addresses and email addresses of all creditors and equityholders protected by the General Data Protection Regulation for the 90 days after entry of the order; and (3) the debtors may redact only addresses and email addresses of individual customers on a final basis.[14]

On June 15, 2023, the court entered a further order authorizing the debtors to also redact individual customer names on a final basis,[15] which was appealed by certain media outlets and the U.S. Trustee.[16] The debtors and the official committee of unsecured creditors recently filed a motion seeking authority to redact names of all customers (individual and non-individual) on a final basis, which is currently pending before the court.[17] The court’s redaction orders were entered without written opinions, but the debtors and unsecured creditors’ committee cited the Celsius phishing attempts in their motion requesting authority to redact customer names.[18]

In re Genesis Global Holdco LLC

On Aug. 4, 2023, in In re Genesis Global Holdco LLC, Hon. Sean H. Lane of the U.S. Bankruptcy Court for the Southern District of New York granted the debtors’ motion to seal individual creditors’ names, addresses and contact information.[19] Judge Lane cited the Celsius phishing attempts and report of the Celsius CPO in holding that the risk of identity theft and scams was “real, not theoretical,” and “protection is warranted under Section 107(c).”[20]

Conclusion

As courts continue to grapple with the novel issues involved with crypto assets, bankruptcy courts may look to other non-crypto bankruptcy cases for guidance. For example, in addition to privacy concerns, some debtors and their investment bankers have argued that crypto companies’ customer information is proprietary data, pointing to the court’s redaction of customer information in litigation involving pharmaceutical giant Endo International.[21] Instead of redaction, some judges have used broad sealing orders to protect the privacy of crypto owners.[22] While we are far from a bright-line standard, courts appear to prioritize privacy over transparency when it comes to PII of cryptocurrency users.