©2017. Published in Landslide, Vol. 9, No. 6, July/August 2017, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.
But my freewheeling consent habit occasionally gives me pause. Not so long ago, I helped financially distressed companies (and their creditors) navigate the United States Bankruptcy Code. For a solvent company, the priority is upholding applicable privacy law and maintaining good customer relations by keeping security breaches to a minimum. However, for an insolvent company, creditor repayment becomes the company’s focus by statute, and all other tasks are prioritized accordingly. Critically, customer data is often among a debtor’s most valuable assets.2
Customer Data Is a Business Asset
Enter the Consumer Privacy Ombudsman
As noted by the article’s authors, X Co.’s position is not unique. Most, if not all, companies treat customer data as an asset, and the reasons why are not surprising. Customer data is rarely limited solely to an individual’s contact information. A customer’s interests, social connections, and even the device he or she uses to explore and connect can all be gathered and organized.7 From this information, inferences about an individual’s preferences, politics, and religion may be inferred. For the right marketer or advertiser, large groups of organized information are a potential gold mine of intelligence. Depending on the circumstances, customer data may be more valuable than any other asset available to be liquidated.8
When a company seeks to restructure its debt, two core legal principles must be rectified: a creditor’s statutory right to be repaid versus an individual’s statutory right to receive the benefit of his or her bargain and to be free from unfair and deceptive trade practices. In today’s data-driven economy, customers may be pitted against themselves if the only asset a debtor has to liquidate is the same asset that it cannot sell absent customer consent. In these situations, a consumer privacy ombudsman (CPO) brings reason to an otherwise insane process. As a court-appointed fiduciary, the CPO’s role is to protect the rights of consumers whose data is being considered for sale while assisting the bankruptcy court with navigating nonbankruptcy law in the court’s quest to create the best outcome in a dire situation.
As a matter of practice, most CPOs prepare a report for the bankruptcy court’s consideration that is filed openly on the case docket. In the report, the CPO summarizes his or her investigation and outlines recommendations for the court’s consideration. Further, as required by the case circumstances, a CPO will engage in discussions with proposed purchasers. These discussions usually include an extensive review of the buyer’s intentions for a debtor’s data after the transfer occurs, the buyer’s ability to protect the data in an industry-directed and statutorily appropriate manner, and a procedure for destroying unused data and providing confirmation that the destruction occurred.
Putting Theory into Practice
Congress’s directions to debtors and courts seem simple enough. However, how the directions are interpreted and enforced are critical to ensuring consumer interests are protected. For example, in In re Golfsmith International Holdings Inc., the debtors sought approval to sell substantially all of their assets, including just under 10 million unique customer records, to Dick’s Sporting Goods Inc. and its affiliates.16 During the CPO’s investigation in the Golfsmith matter, she learned that the debtors’ assets included retail stores17 and years of customer data, potentially dating back to its early days as a golf club repair shop and catalog business.18 The debtors also operated a website that processed retail orders and had approximately 29 million unique site visits annually.19 The debtors collected information from customers through its website, retail stores, catalog business, and related call centers, including personally identifiable information such as a customer’s name, birthday, gender, and physical/mailing address. The debtors also collected customer e-mail addresses through its website and stores, and in connection to purchases made through its website, catalog, and stores. Further, the debtors obtained customer e-mail addresses in connection with calls received at its call center and through its gift card program, warranty program, and company branded credit card.20
Given that the debtors’ privacy policies did not readily permit the transfer of customer data to a third party, the Golfsmith CPO and buyer engaged in extensive discussions with respect to the buyer’s proposed use of customer data. At the conclusion of these discussions, the Golfsmith CPO recommended that the bankruptcy court approve the sale subject to several conditions designed to protect customer interests in their data by providing them with notice of the transaction and an opportunity to opt-out of their data being transferred.24 Ultimately, the sale was approved by the bankruptcy court, subject to the Golfsmith CPO’s recommended conditions, in time for the buyer to take over the debtors’ operations prior to the holiday retail season.
Second confession: I was the Golfsmith CPO. My role in the Golfsmith chapter 11 matters is a good example of how a CPO can efficiently25 validate the propriety of data transfers while protecting consumers’ interests in their data privacy in an efficient streamlined process.26 The data transfer process ensured that customers’ data privacy was protected on an individual level and for customers as a group in two ways. First, individual Golfsmith customers received notice of the sale along with information as to their respective rights in connection with the proposed data transfer. Second, Golfsmith customers’ data privacy was protected as a whole because the buyer agreed to safeguard these records in a manner consistent with industry standard data protections as a condition of the Golfsmith sale.
When CPOs were first introduced into the restructuring process, some predicted that they would create more expenses for the estates and further clutter an already chaotic process. In practice, the opposite has occurred. CPOs as a whole have found ways to protect the rights of millions of individual consumers while helping to preserve the viability of an estate’s assets. Final confession: that’s the best part of being a CPO.
1. Depending on the website, I may skim the policy; and if it is well drafted, I will read it more thoroughly. However, I engage in the exercise for no other reason than curiosity over what a potential competitor has created.
2. A string of recent bankruptcies demonstrates this issue. See, e.g., In re Aéropostale, Inc., No. 16-11275 (SHL) (Bankr. S.D.N.Y. 2016) [D.I. 758]; In re Hancock Fabrics, Inc., No. 16-10296 (BLS) (Bankr. D. Del. 2016) [D.I. 948]; In re Adinath Corp., No. 15-16885 (LMI) (Bankr. S.D. Fla. 2015) [D.I. 427]; In re RadioShack Corp., No. 15-10197 (BLS) (Bankr. D. Del. 2015) [D.I. 2148]; In re Deb Stores Holdings, LLC, No. 14-12676 (KG) (Bankr. D. Del. 2014) [D.I. 272]; In re dELiA*s, Inc., No. 14-23678 (RDD) (Bankr. S.D.N.Y. 2014) [D.I. 557]; In re Coldwater Creek, Inc., No. 14-10867 (BLS) (Bankr. D. Del. 2014) [D.I. 339, 425]; In re Crumbs Bake Shop, Inc., No. 14-24287 (MBK) (Bankr. D.N.J. 2014) [D.I. 174]; In re Kid Brands, Inc., No. 14-22582 (DHS) (Bankr. D.N.J. 2014) [D.I. 280]; In re Dots, LLC, No. 14-11016 (DHS) (Bankr. D.N.J. 2014) [D.I. 624]; In re Loehmann’s Holdings Inc., No. 13-14050 (MG) (Bankr. S.D.N.Y. 2013) [D.I. 196]; In re Real Mex Rests., Inc., No. 11-13122 (BLS) (Bankr. D. Del. 2011) [D.I. 877]; In re Borders Grp., Inc., No. 11-10614 (MG) (Bankr. S.D.N.Y. 2011) [D.I. 1830].
3. For an overview of early customer data sale issues, see Susan Stellin, Technology; Dot-Com Liquidations Put Consumer Data in Limbo, N.Y. Times, Dec. 4, 2000, http://www.nytimes.com/2000/12/04/business/technology-dot-com-liquidations-put-consumer-data-in-limbo.html; and Paul Davidson, Dying Dot-Coms’ Customers Coveted, USA Today, Feb. 6, 2002, http://usatoday30.usatoday.com/tech/news/2001-01-30-dying-dot-coms.htm.
4. For details about the Toysmart.com chapter 11 case, including a copy of the respective pleadings, see https://www.ftc.gov/enforcement/cases-proceedings/x000075/toysmartcom-llc-toysmartcom-inc (last updated July 21, 2000).
5. Natasha Singer & Jeremy B. Merrill, When a Company Is Put Up for Sale, in Many Cases, Your Personal Data Is, Too, N.Y. Times, June 28, 2015, https://www.nytimes.com/2015/06/29/technology/when-a-company-goes-up-for-sale-in-many-cases-so-does-your-personal-data.html?_r=0.
7. See Timothy Morey et al., Customer Data: Designing for Transparency and Trust, 93 Harv. Bus. Rev. 96 (2015), available at https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust.
8. Another confession: I am both horrified and thrilled by the idea of “big data.” My reasons why are best saved for another article. But let’s just say that if The Graduate were remade today, Mr. McGuire would advise Ben to peruse “Big Data.”
9. Under 11 U.S.C. § 101(41A), personally identifiable information includes an individual’s first name and last name, residential address, electronic address (including e-mail), telephone number, Social Security account number, credit card account number, birth date or place of birth, and other information that if disclosed could identify an individual.
10. See 11 U.S.C. § 363(b)(1).
11. Id. § 363(b)(1)(A).
12. Id. § 363(b)(1)(B).
13. Id. § 332(a).
14. Id. § 332(b).
16. See Report of Consumer Privacy Ombudsman at 1, 12, In re Golfsmith Int’l Holdings Inc., No. 16-12033 (LSS) (Bankr. D. Del. Oct. 28, 2016) [D.I. 412] (hereinafter Ombudsman Report).
17. Moreover, through the course of her investigation, the CPO also learned that no other purchaser was interested in acquiring the debtor’s assets, which included dozens of fully staffed retail stores prepared for end-of-the-year holiday sales.
18. Ombudsman Report, supra note 16, at 8.
19. Id. at 9.
20. Id. at 11–12.
21. Id. at 13.
23. Id. at 14.
24. Id. at 1–5.
25. As in many retail chapter 11 matters, efficiency was particularly critical in the Golfsmith cases given the number of employees and unsecured creditors who depended on a buyer taking over the debtors’ operations quickly and seamlessly. Moreover, the cost of enforcing a process to protect customer data is also an important consideration. If a process is too costly or overly burdensome, a potential buyer may decide to forgo the purchase. As a result, unless the bankruptcy estate has sufficient liquidity, customer data may inadvertently become unprotected as the debtor loses staff and attends to other matters.
26. See Luis Salazar, The Most Dangerous Intersection—Bankruptcy and Consumer Privacy, Privacy Advisor (June 1, 2009), https://iapp.org/news/a/2009-06-bankruptcy-and-consumer-privacy.