The COVID-19 pandemic has had a devastating impact on the economy. Household names like Hertz and Neiman Marcus have already filed for bankruptcy, and experts predict that more companies will seek bankruptcy protection.
For many companies, the information they possess about their customers, ranging from names and email addresses to customer profiles and shopping histories, is among their most valuable assets.
Companies considering bankruptcy should be aware of the privacy considerations that could impact the sale of customer data in a bankruptcy.
What privacy laws may apply?
Privacy-specific provisions of the U.S. Bankruptcy Code and non-bankruptcy privacy laws could impact the sale of customer data. Section 363(b)(1) provides that if a company has disclosed a policy to its customers that prohibits the transfer of customer data and the policy is in effect on the date of filing bankruptcy, then the company may not sell customer data unless the sale is consistent with the policy or a bankruptcy court approves the sale of customer data after the appointment of a consumer privacy ombudsman and notice and hearing.
Section 5(a) of the FTC Act also prohibits a company from transferring customer data in a manner that is contrary to its public-facing privacy policies.
There are also state privacy laws and federal industry-specific privacy laws that could impact the sale of customer data in a bankruptcy. The privacy laws that apply will depend on the company’s industry (e.g., financial services or health care), the types of personal information (e.g., credit card number or Social Security number) and the jurisdictions where the company operates.
Privacy considerations for data sale
A company selling customer data in a bankruptcy sale should consider the following:
Prior to filing for bankruptcy, a company should review any privacy policies (there could be more than one) that apply to determine whether the policies permit the sale of customer data or require the company to take any actions in connection with a sale, such as providing an opt-out right.
• Privacy compliance obligations:
A company should consider what privacy compliance obligations exist in connection with the sale of customer data. A company may be required to carry out a data protection impact assessment or implement safeguards for the transfer of customer data, particularly if the company is subject to international data protection laws.
A buyer of customer data in a bankruptcy sale should consider the following:
• Due diligence:
It is key that a buyer carry out due diligence in connection with purchasing customer data or databases, particularly related to cybersecurity. A debtor’s distressed situation may have left the debtor less diligent than it could have been in protecting against cyber threats. Even if the debtor employed appropriate cybersecurity, there could be an undiscovered data breach in its systems, which, once discovered, could have a financial and reputational impact on the buyer.
• Other privacy laws:
Certain privacy laws, such as the California Consumer Privacy Act (“CCPA”), may limit how a buyer can use customer data it purchases or require the buyer to take additional actions related to customer data. For example, the CCPA permits the transfer of customer data as part of a bankruptcy sale; however, if the buyer uses or shares customer data in a materially different way than previously disclosed to the customer, the buyer must provide notice to customers and a right to opt out. Buyers should be aware of these obligations, as they could impact the value of the data.
McDermott Will & Emery counsel Jaime Petenko focuses her practice on privacy and data security matters, advising U.S. and multinational clients on international, federal, and state privacy and cybersecurity laws, regulations, and industry standards. She is based in Wilmington.