Handling Customer Data in Bankruptcy Mergers and Acquisitions Coping with the Consumer Privacy Ombudsman Provisions of BAPCPA
The History Behind the Consumer Privacy Ombudsman
That settlement did not resolve the problem. Several state attorney generals objected to the proposed auction. Their objection asserted that the sale, even if conducted subject to the conditions of the FTC settlement, constituted an unfair or deceptive business practice in violation of the states' consumer protection statutes. Faced with only one bid, by Disney Corp., and active opposition from the state attorney generals, the debtor withdrew the customer data from the auction.8
The Toysmart and Living.com cases illustrate the problems raised by the sale of customer data in a bankruptcy case. To address these issues, the Leahy-Hatch Amendment was added to the Senate version of The Bankruptcy Reform Act of 2001. Its provisions, with some changes, remained as §§231 and 232 of the Bankruptcy Abuse Prevention and Consumer Protection Act (BAPCPA).
The Privacy Ombudsman Provisions of BAPCPA
BAPCPA makes three changes to the Bankruptcy Code that together create a new process for selling or leasing customer information using 11 U.S.C. §363. First, a new §101(41A) defines the term "personally identifiable information." Second, amendments to §363 limit the debtor's ability to sell or lease personally identifiable information. Third, a new §332 controls appointment of consumer privacy ombudsmen and defines their role in the sale process.
Although the Ombudsman provisions' definition of "personally identifiable information" is quite lengthy, the concept is simple enough. Basically, personally identifiable information is information obtained from a purchaser of consumer goods or services that is specific to that individual and would, by itself, allow identification of the individual.
The definition embodies two concepts —first, that the information must have been provided to the debtor in the context of the sale of consumer goods or services by the debtor, and second, that the information is personally identifiable. The first concept has importance because of what it excludes as much as because of what it includes. The information must be provided "in connection with obtaining a product or a service." In short, the information must be provided in connection with a transaction of some sort. The definition appears to exclude, by omission, information collected solely for marketing or advertising purposes.
The information must be provided to and the product or service obtained from "the debtor." This qualification would appear to exclude from the rule personal information collected when a party other than the debtor provides the goods or services. For example, suppose an insurance company obtained personal information from a bank about the bank's customers. The Ombudsman provisions would appear to restrict the bank's ability to sell or lease the information, but not the insurance company's.
Finally, the product or service must be obtained "primarily for personal, family or household purposes." In other words, the transaction must be a consumer transaction. The Ombudsman provisions will not affect the transfer of information about business customers.
The types of information that qualify as personally identifiable fall into two categories. The first category includes specific types of information that would allow actual identification or contacting of an individual, including the individual's first name (or initials) and last name, physical home address, e-mail address, home telephone number, Social Security number and credit card account number.
The second category includes less-specific types of information, such as birth date, birth certificate number, place of birth or any other information concerning the individual that, if disclosed, will result in the physical or electronic contacting or identification of the individual. Information in the second category, however, will only count as personally identifiable information when associated with one or more items of information in the first group.
The second Ombudsman provision amends §363(b) to restrict the debtor's ability to sell or lease the personally identifiable information outside of the ordinary course of business:
(b)(1) The trustee, after notice and a hearing, may use, sell or lease, other than in the ordinary course of business, property of the estate, except that if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless—(A) such sale or such lease is consistent with such policy; or
(B) after appointment of a consumer privacy ombudsman in accordance with §332, and after notice and a hearing, the court approves such sale or such lease—
(i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and
(ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.
This change only affects sales and leases outside of the ordinary course of business. Transactions inside of the ordinary course of business are authorized by 11 U.S.C. §363(a), which remains unchanged. Thus, a company that ordinarily leases customer lists can continue to do so, subject only to any applicable nonbankruptcy limitations on its data usage.
[A] pre-bankruptcy change designed to strip promised rights from consumers...might be an unfair or deceptive business practice in violation of the FTC Act.
When the three pre-conditions are met and the proponent is not relying on the "consistent test," the court must order an ombudsman appointed and, after receiving the ombudsman's report, review the sale "giving due consideration to the facts, circumstances and conditions of such sale or such lease." The court must give the ombudsman at least five days to prepare his or her report.
In fact, a significant number of statutes, such as COPPA,13 the Gramm-Leach-Bliley Act of 1999 (GLB),14 the Health Insurance Portability and Accountability Act of 1996 (HIPAA)15 and the European Union Privacy Directive of 1995,16 restrict transfers of personally identifiable information. In addition to these statutes specifically addressing the use of customer data, a sale must also comply with §5(a) of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce."17
A new §332 describes the process for appointing the consumer privacy ombudsman and defines his or her role in the sale process.
When 11 U.S.C. §363(b) requires a consumer privacy ombudsman, the court shall order the appointment. The U.S. Trustee makes the actual appointment. The ombudsman must be a disinterested person other than the U.S. Trustee. Hypothetically, the ombudsman could be an FTC commissioner or state attorney general, although it remains to be seen whether they could satisfy the disinterested requirement.18 The ombudsman will have a right to appear and be heard at the sale hearing,19 shall maintain as confidential any "personally identifiable information" he receives20 and shall be compensated in the same manner as an examiner.21 The statute is not clear as to whether the ombudsman can employ his own professionals.22
How the ombudsman will accomplish this task is another question. The ombudsman's job will require completion of three steps: collecting data, analyzing the relevant legal and business issues and submitting a report to the court. In addition, the ombudsman's role contemplates that he or she communicate with the sale proponents prior to the sale hearing to attempt to resolve any problems. Such communication will allow the ombudsman to facilitate an asset sale that respects the rights of consumers instead of simply acting as an impediment to a sale.
Information in hand, the ombudsman will have to understand the impact the proposed sale will have on consumers. The ombudsman will have to understand data privacy principles and the various laws and rules that govern business use and transfer of customer information. However, the ombudsman's skills must extend beyond just understanding and appreciating the role safeguarding personal information plays in consumer protection. The ombudsman must also understand and appreciate how businesses use personal information and the various ways in which transferability, especially in the bankruptcy context, can actually benefit consumers. Finally, the ombudsman must understand the bankruptcy sale process.
Coping with the Consumer Privacy Ombudsman Provisions
Debtors should recognize that the Consumer Privacy Ombudsman provisions present a potential "wild card" when selling a business that serves consumers. Without advance planning, the ombudsman may be appointed mere days before the court rules
on whether to allow the sale under §363(b)(1)(B). Keep in mind that the statute only requires five days advance notice to the consumer privacy ombudsman. Assuming it takes a day or two for the appointment to actually occur, the ombudsman needs at least one day to prepare his report, and the report needs to be filed the day before the hearing; the ombudsman really only has a day or two to obtain the information he needs and digest it. The result is obvious and inevitable: reports prepared by rote and conclusions that simply do not reflect the true relationships between the business, the sale and the customers. This produces an obvious risk to the sale.
In cases where a consumer privacy ombudsman is clearly needed, the debtor should consider requesting early appointment of an ombudsman. The ombudsman can work with the debtor to structure appropriate sale guidelines so the debtor can offer the customer data on terms it knows the ombudsman will support. The debtor does not want to propose a sale and then find out after the fact that the ombudsman's recommendations to the court don't support the sale. The ombudsman can also work with the estate to structure potential sales that will work notwithstanding last-minute changes in deal structures.
In the end, all that's required to cope with the Consumer Privacy Ombudsman provisions is proper planning and an appreciation for customer rights. The Consumer Privacy Ombudsman provisions will help address the issues raised in the Toysmart and Living.com cases by providing a workable framework that lets the courts balance the rights of creditors and customers. Thus, while selling customer data will require greater attention in future cases, practitioners should be able to avoid the kind of controversy that erupted in the Toysmart case.
1 Former chair of the ABA's E-Commerce and Insolvency Subcommittee and the Boston Bar Association's Computer and Internet Law Committee, Mr. Agin is the author of Bankruptcy and Secured Lending in Cyberspace, 3rd Ed. (West Group, 2005). Return to article
16 Council Directive 95/46, 1995 O.J. (L 281) 31. The Directive can be found at http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html. Return to article
18 11 U.S.C. §332(a) (2005) requires the U.S. Trustee to appoint "one disinterested person" to serve as the consumer privacy ombudsman. The term "disinterested" is defined by 11 U.S.C. §101(14). A creditor, equity security-holder, insider or any person with an interest materially adverse to the estate is, by definition, not disinterested. Return to article
21 11 U.S.C. §330(a)(1) (2005). The court may award the consumer privacy ombudsman reasonable compensation based on the actual, necessary services provided. However, §330(a)(3), which identifies factors for the court to consider when awarding fees to other professionals, might not apply to Consumer Privacy Ombudsman fee awards. Return to article