More and more frequently the following question arises: “What do we do about personal, sensitive, and business information owned by or residing with a financially troubled company?” Information is an intangible asset and often has significant value. Information increasingly resides with a party other than the owner and may need to be transferred in unexpected ways. Unfortunately, the thinking about this question often arises after financial distress is readily apparent, such as after a bankruptcy filing. Planning should occur much earlier, whether for the business in distress or in dealing with a business that could suffer financial distress (hint 1 – the latter is every business).
Section 332 was enacted in 2005 in large response to FTC and Attorneys General enforcement actions and objections in the Toysmart.com bankruptcy a few years earlier. In Toysmart.com, PII ultimately was not sold in the bankruptcy. This section largely lay dormant for five years. However, since about 2010, a CPO has regularly been appointed in many large bankruptcies including Borders, Sports Authority, Radio Shack, Chrysler and Circuit City and is often employed in smaller consumer-oriented business bankruptcies.
Fortunately, some consensus has been reached regarding the bankruptcy sale of PII. First, PII will be sold. Second, the sale will be conditioned. Sales to competitors of the debtor are favored. Standalone PII sales are disfavored; bundle PII with other assets. The amount of PII sold will be limited by time (customers the debtor last did business with more than two years ago may not be useful and unduly impacts those consumers) and type (destroy the payment card data).
PII not included in sale is destroyed in a commercially reasonable manner (or returned to its owner if not the debtor). The acquirer will need to file a post-sale report on compliance with all the bankruptcy sale conditions. Of course regulators can enforce against the acquirer for any breach of terms of the transferred PII.
Ok, so much for consumer information in an asset sale bankruptcy. What about PII involved in a “no asset” Chapter 7? Sorry, no easy and comprehensive answers here; if there is no money, there is no general mechanism for protecting PII. However, a mechanism exists under 11 U.S.C. §351 when “patient records” are involved but the trustee does not have funds to pay for storage.
First, the trustee provides notice to patients and insurance carriers that they may claim records. Any unclaimed records are then offered to applicable federal agencies for transfer. The federal agency is not required to take the records. Any remaining unclaimed records shall be appropriately destroyed by the trustee.
Since this provision begins from the premise that there are not sufficient estate funds to store the records, who pays for all the notice, turnover and destruction costs? Unstated in the statute. Otherwise, Chapter 7 bankruptcy trustees “abandon” property of inconsequential value or burden – this means the property reverts to the debtor. However, a business entity debtor ceases to exist upon filing Chapter 7. Where does that PII go? If the debtor has your PII, hint number 2 – get out your wallet.
What if your information is stuck in a no-asset bankruptcy? This can be PII or other business records maintained (by way of some prominent examples) in a failing or failed cloud storage facility, software company hosting your information, or a third party providing services to you such as a debt collector, accounting or law firm. In general, the debtor’s “property” comprises the bankruptcy estate. Your information would generally not be considered property of the bankruptcy estate. However, making the unilateral determination that the information is yours and acting on this premise is not a good option. You will probably need to go to bankruptcy court to receive a determination of ownership and guidance in recovering your information.
Bankruptcies are often in an inconvenient forum; certainly not as easy as trotting down to your local state court. At a minimum, you need to discuss the issue with the trustee. Remember that retrieving this information is not like picking up a piece of collateral. Electronically stored information is often commingled with other’s information and you certainly do not want other’s information or have other companies possessing your information (that goes for paper information as well). Bankruptcy moves quickly, so no dawdling.
And bankruptcy is the best scenario. On the chaos level, the world of distressed companies moves downward quickly from bankruptcy. State and federal receiverships, while involving some court function, are dramatically less structured and often amount to a senior, secured lender working with a court appointed receiver to maximize that lender’s recovery. State receivership laws vary dramatically and federal receivership law is limited. You likely will have no actual notice these actions are even occurring.
At least receiverships have some court action. UCC sales can have a non-court, public aspect but might include private sales. You are not entitled to actual notice of public auctions. Sometimes borrowers just “turn over the keys” to a secured lender and walk away from business operations. Now the secured lender holds your information. This should freak out both you and the secured lender. Finally, sometimes companies just cease to exist and shut down operations. In all these situations, your information may not be residing with the distressed company at all but with one of their vendors who has not been paid.
This piece is just a gentle reminder that you must include financial distress into your information security policy planning. Even if you “have” all the information and duplicate information simply resides elsewhere, you are responsible for reasonable control, security, retention, and destruction of that information. If you do not “have” the information and your operations are at risk, the stakes are that much higher. Future parts will examine how the various constituents – debtors, acquirers, secured lenders, and your interactions with third party providers – may help insure proper planning and response when information is in distress.