Much has been written of late about data breaches and the liabilities for the unauthorized acquisition of personally identifiable information (PII) from institutions.
But what about when the alleged “breach” – the release of information – is voluntary and/or legally compelled? What are the risks to businesses when they sell assets that include PII? What liabilities do they face? What are the rights of customers?
In February, one of the original and legendary tech chains, RadioShack (RS), filed for Chapter 11 bankruptcy. (For years RS labeled itself “America’s technology store.” In 1977, RS introduced the TRS-80, one of the first personal computers.) As a result, PII collected by RS over many years, along with a number of its other assets, was almost sold by a bankruptcy trustee to a third party to help pay off RadioShack’s debts.
For years, RS had collected email addresses, telephone numbers and other PII from customers. (Remember Kramer asking, “Why does Radio Shack ask for your phone number when you buy batteries?” Answer: “I don’t know.”)
Indeed, RS pioneered the collection of PII data. By the time it filed for bankruptcy, RS had dutifully collected over 13 million email addresses and 65 million customer names and physical addresses, as well as information about some 117 million customers’ shopping habits.
In a last-minute revision to its offer, the purchaser of the RS assets agreed that customer data would not be part of the sale. The planned inclusion of PII had prompted objections from government authorities in several states.
A key issue, however, will be whether the customers can be said to have knowingly “consented”. Indeed, whether consent was validly, freely and knowingly given can often create litigation issues. See, for example, Kirch v. Embarq Management Co., 2011 WL 3651359 (D. Kan. 2011); Deering v. CenturyTel Inc., 2011 WL 1842859 (D. Mont. 2011); In re Google Inc. Gmail Litigation, 2014 WL 1102660 (N.D. Cal. 2014). The FTC requires that there be clear and conspicuous notice and affirmative consent.
In any event, assuming the policy permits the sale, consumers would be hard-pressed to show damages as a result of the sale (i.e., they have no standing), and absent the violation of some specialized regulations or statutes (such as GLBA, HIPAA or credit card protection statutes and regulations), there is little that could be challenged. Again, FTC requirements for customer consent must be met.
Thorny issues arise, however, in the more common situation when the seller decides to sell PII in a manner arguably not consistent with its policy, where customers have not clearly consented, or the purchaser decides not to follow the policy once the transaction is completed.
First, some states, such as Texas and Tennessee, specifically prohibit companies from selling PII in ways that violate the company’s own privacy policies. (In the RadioShack case, 24 states legally challenged the PII sale.)
A little over two years later, Borders issued another policy which added: “Circumstances may arise where for strategic or other business reasons, Borders decides to sell … or otherwise reorganize its business…. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.” Importantly, however, Borders also restated the consent requirements in this new, amended policy.
The issues get even thornier in a third situation, where the holder of the PII is in bankruptcy. How, for example, does a bankruptcy trustee meet its obligations to creditors while balancing the customers’ privacy interests? Is there an obligation to sell the data in order to pay the creditors? What obligation does a bankruptcy trustee have to maintain customer privacy?
Certainly, bankruptcy courts have a great deal of leeway in overriding policies. Information, such as customer data, is an asset that is owned by the company. A bankruptcy court has an obligation to maximize the recovery of the creditors of a company, not an obligation to protect the privacy interests of the bankrupt’s customers. And the Bankruptcy Act does leave the door open for the sale of such assets, albeit with some safeguards.
The Act provides that if the debtor has in place a policy prohibiting the transfer of PII, the trustee may not sell such information unless that sale is consistent with the policy or, after a hearing and the appointment of an ombudsman, the court approves the sale, giving due consideration to the conditions for such sale and finding that the sale would not violate non-bankruptcy law.
So at the end of the day, the final say-so seems to be in the hands of the bankruptcy court itself, meaning the real losers could be the customers.
The potential pitfalls as demonstrated by these situations thus seem clear. So what’s a business to do to minimize the risk of these pitfalls?