With the ongoing covid crisis leaving businesses of all sizes concerned about the short and medium term future, the intimidating task of considering a liquidation or restructuring is inevitably starting to become a reality.  Although privacy in the bankruptcy context is nothing new—especially in the context of personally identifiable information (“PII”) held by a company—it is an issue that has been overlooked by many companies.  However, by taking proactive measures, a business can transform the personal data it holds from a reorganization liability into an asset.

Whether a set of PII can be sold is one of the more common ways privacy issues come into play during liquidation and reorganization proceedings.  In 2005, Congress amended the Bankruptcy Code to prohibit sales of PII when the debtor “discloses to an individual a policy prohibiting the transfer of [PII] to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.”  11 U.S.C. § 363(b)(1).  The 2005 amendment defines PII broadly to include an individual’s name, physical address, email address, telephone number, and various types of financial information.

Further, courts have interpreted the amendment as prohibiting PII sales during bankruptcy proceedings unless the privacy policy discloses such potential sales—i.e., a privacy policy silent on such sales impliedly prohibits the sale.  Indeed, even where a privacy policy seems to generally reference the possibility of PII sales during a reorganization, courts have refused to allow the sale without restrictive conditions.  See In re Borders Group, Inc., No. 11-10614 (MG), 2011 Bankr. LEXIS 4606 (Bankr. S.D.N.Y. Sept. 27, 2011). And importantly, as demonstrated in the high profile bankruptcies of RadioShack in 2015 and Toysmart in 2000, the conditions courts place on PII sales can be so restrictive that companies are better off paying to destroy the PII rather than include it in the sales.

In addition to privacy policies, companies subject to HIPAA, GLBA, and the new California Consumer Privacy Act would also face additional requirements before a PII sale could be approved as part of a reorganization plan.  Further, apart from privacy, a company’s failure to implement and properly document its information security program could significantly impact the value of its non-PII assets.

Companies are understandably tightening their belts as they try to weather this covid storm.  However, by taking a fresh look at their privacy and information security programs and making relatively minor changes, companies may be able to turn potential liabilities into assets—and therefore better position themselves to emerge as a going concern.