COVID-19 will end, that much we know. But when will it end, and what lasting effects will it have on our society remain the pressing questions for all of us. While many questions persist, it is certain that we have yet to see the full effects this global crisis will have on the economy. Many businesses, and perhaps entire industries, will not survive this prolonged shutdown or the changes in consumer behaviors following the exit from this pandemic. That means we can expect to see bankruptcy protection filings in the months ahead, and a spike in the sale of valuable corporate assets. This will almost certainly include customer data.
With this in mind, here’s an overview of privacy lessons learned in the context of bankruptcy setting out when customer data may be sold, and the potential consequences if data is ever transferred improperly.
Post-COVID, we can expect to see several commercial entities selling assets in bankruptcy, and consumer data will certainly play a role in those proceedings. Keep the following in mind.
- Regulators are watching. The cases above highlight that federal and state regulators have expressed interest in intervening in bankruptcy proceedings involving the sale of valuable consumer data, and enforce promises made in privacy policies. In the post-COVID environment, don’t be surprised if they do so again.
- What does the Bankruptcy Code say? Under section 363(b)(1) of the U.S. Bankruptcy Code, if a commercial entity has disclosed to its customers a policy prohibiting the transfer of customer data, the entity may not sell or lease the customer data in its bankruptcy unless the policy is no longer in effect on the date of its bankruptcy filing, the sale or lease is consistent with the policy, or the bankruptcy court approves the sale or lease after appointment of a consumer privacy ombudsman. As in the Radioshack case, the consumer privacy ombudsman is charged with recommending a course of action to the bankruptcy court on whether to approve or deny the sale.
- Buyer beware. Cybersecurity risks will exist long after the bankruptcy proceedings. Creditors and other parties in interest may seek swift control of databases containing consumer data as an asset, but must be mindful of maintaining the security of those systems. What if a disgruntled employee of the debtor stole copies of that data? What if the systems contain viruses or hidden code to thwart access controls? What if you are responsible for a security breach shortly after taking possession of data? All good questions to consider.
- Cross-border data transfer restrictions. Numerous privacy laws around the world (e.g., GDPR) impose restrictions on the lawful, use, access, or other transfer of personal data across country borders. Creditors and other parties in interest must, therefore, perform due diligence before purchasing databases to ensure debtor has collected and otherwise processed personal data in accordance with applicable requirements, or face potential regulatory inquiries, fines, and other enforcement actions.
Businesses can mitigate the risks associated with consumer data in the context of bankruptcy sales through careful vetting of privacy policies, updated notices to impacted customers, opt-out mechanisms or consents, and just-in-time review of potentially applicable laws to the data in-scope.