With the ongoing covid crisis leaving businesses of all sizes concerned about the short and medium term future, the intimidating task of considering a liquidation or restructuring is inevitably starting to become a reality. Although privacy in the bankruptcy context is nothing new—especially in the context of personally identifiable information (“PII”) held by a company—it is an issue that has been overlooked by many companies. However, by taking proactive measures, a business can transform the personal data it holds from a reorganization liability into an asset.
Whether a set of PII can be sold is one of the more common ways privacy issues come into play during liquidation and reorganization proceedings. In 2005, Congress amended the Bankruptcy Code to prohibit sales of PII when the debtor “discloses to an individual a policy prohibiting the transfer of [PII] to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.” 11 U.S.C. § 363(b)(1). The 2005 amendment defines PII broadly to include an individual’s name, physical address, email address, telephone number, and various types of financial information.
In addition to privacy policies, companies subject to HIPAA, GLBA, and the new California Consumer Privacy Act would also face additional requirements before a PII sale could be approved as part of a reorganization plan. Further, apart from privacy, a company’s failure to implement and properly document its information security program could significantly impact the value of its non-PII assets.
Companies are understandably tightening their belts as they try to weather this covid storm. However, by taking a fresh look at their privacy and information security programs and making relatively minor changes, companies may be able to turn potential liabilities into assets—and therefore better position themselves to emerge as a going concern.