More and more frequently the following question arises: “What do we do about personal, sensitive, and business information owned by or residing with a financially troubled company?” Information is an intangible asset and often has significant value. Information increasingly resides with a party other than the owner and may need to be transferred in unexpected ways. Unfortunately, the thinking about this question often arises after financial distress is readily apparent, such as after a bankruptcy filing. Planning should occur much earlier, whether for the business in distress or in dealing with a business that could suffer financial distress (hint 1 – the latter is every business).

Bankruptcy provides some help for the presently unprepared. Notwithstanding a debtor’s pre-bankruptcy privacy policy assurances about “no transfers,” personally identifiable information (PII) is routinely sold in bankruptcy. Bankruptcy is intended to maximize value and enhance creditor return. Most Chapter 11 “reorganizations” result in asset sales; despite best intentions, companies rarely successfully reorganize. However, many Chapter 7 bankruptcies are liquidations and may have no assets to sell.

11 U.S.C. §363 allows for the sale of PII consistent with the debtor’s pre-bankruptcy privacy policy, or, if inconsistent with such policy, after appointing a “Consumer Privacy Ombudsman” (the “CPO”), with due court consideration of all relevant circumstances and a legal finding the sale would not violate applicable non-bankruptcy law. “Personally Identifiable Information” is defined in the Bankruptcy Code although the term is more limiting than some of the newer iterations. For purposes of this piece, PII should be considered whatever you have determined is PII.

11 U.S.C. §332 provides for the appointment of the CPO. The bankruptcy court shall appoint a CPO in cases where PII is likely to be sold but the debtor’s consumer-facing privacy policy does not make clear provision for such sale, often disclaiming such transfer (“We protect your privacy and will never sell your information to third parties”). The CPO’s role is to review the debtor’s privacy policy, consider the potential loss, gain, cost, and benefit to consumer privacy if a sale is approved, and contemplate potential alternatives to mitigate privacy loss. The CPO will likely confer with the FTC and state regulators and other interested bankruptcy constituents (debtor, potential purchasers, committees, and other third parties, particularly those claiming the PII is theirs and not the debtor’s) in preparing a report. The CPO report, like so much in bankruptcy, usually involves compromise among the affected constituents to get a workable deal. The Court reviews the CPO report and, after notice and hearing, will normally adopt the report and incorporate conditions noted in the report in any asset sale. The terms are approved prior to sale so prospective purchasers may fairly evaluate the information asset. Since distressed assets rarely gain value, speed is an essential component of the CPO function.

Section 332 was enacted in 2005 in large response to FTC and Attorneys General enforcement actions and objections in the Toysmart.com bankruptcy a few years earlier. In Toysmart.com, PII ultimately was not sold in the bankruptcy. This section largely lay dormant for five years. However, since about 2010, a CPO has regularly been appointed in many large bankruptcies including Borders, Sports Authority, Radio Shack, Chrysler and Circuit City and is often employed in smaller consumer-oriented business bankruptcies.

Fortunately, some consensus has been reached regarding the bankruptcy sale of PII. First, PII will be sold. Second, the sale will be conditioned. Sales to competitors of the debtor are favored. Standalone PII sales are disfavored; bundle PII with other assets. The amount of PII sold will be limited by time (customers the debtor last did business with more than two years ago may not be useful and unduly impacts those consumers) and type (destroy the payment card data).

Third party or disputed ownership PII residing with the debtor can be resolved (see the Radio Shack bankruptcy and the dispute with Apple, AT&T and others regarding resolution of this issue after Radio Shack “blended” information intended to be segregated in reseller agreements). The acquirer may need to destroy PII for which it discovers it has no business need. The acquirer will provide notice to consumers of the transfer, usually on its web-site and allowing for opt-out after sale. The acquirer will be considered a “successor-in-interest” to the debtor’s pre-bankruptcy privacy policy and may only use the information in ways consistent with that policy (well, except for the part about “no transfer”). Any material changes to the privacy policy post-sale would include additional notice and opt-out rights. The acquirer will need to protect the PII in a reasonable manner.

PII not included in sale is destroyed in a commercially reasonable manner (or returned to its owner if not the debtor). The acquirer will need to file a post-sale report on compliance with all the bankruptcy sale conditions. Of course regulators can enforce against the acquirer for any breach of terms of the transferred PII.

Ok, so much for consumer information in an asset sale bankruptcy. What about PII involved in a “no asset” Chapter 7? Sorry, no easy and comprehensive answers here; if there is no money, there is no general mechanism for protecting PII. However, a mechanism exists under 11 U.S.C. §351 when “patient records” are involved but the trustee does not have funds to pay for storage.

First, the trustee provides notice to patients and insurance carriers that they may claim records. Any unclaimed records are then offered to applicable federal agencies for transfer. The federal agency is not required to take the records. Any remaining unclaimed records shall be appropriately destroyed by the trustee.

Since this provision begins from the premise that there are not sufficient estate funds to store the records, who pays for all the notice, turnover and destruction costs? Unstated in the statute. Otherwise, Chapter 7 bankruptcy trustees “abandon” property of inconsequential value or burden – this means the property reverts to the debtor. However, a business entity debtor ceases to exist upon filing Chapter 7. Where does that PII go? If the debtor has your PII, hint number 2 – get out your wallet.

What if your information is stuck in a no-asset bankruptcy? This can be PII or other business records maintained (by way of some prominent examples) in a failing or failed cloud storage facility, software company hosting your information, or a third party providing services to you such as a debt collector, accounting or law firm. In general, the debtor’s “property” comprises the bankruptcy estate. Your information would generally not be considered property of the bankruptcy estate. However, making the unilateral determination that the information is yours and acting on this premise is not a good option. You will probably need to go to bankruptcy court to receive a determination of ownership and guidance in recovering your information.

Bankruptcies are often in an inconvenient forum; certainly not as easy as trotting down to your local state court. At a minimum, you need to discuss the issue with the trustee. Remember that retrieving this information is not like picking up a piece of collateral. Electronically stored information is often commingled with other’s information and you certainly do not want other’s information or have other companies possessing your information (that goes for paper information as well). Bankruptcy moves quickly, so no dawdling.

And bankruptcy is the best scenario. On the chaos level, the world of distressed companies moves downward quickly from bankruptcy. State and federal receiverships, while involving some court function, are dramatically less structured and often amount to a senior, secured lender working with a court appointed receiver to maximize that lender’s recovery. State receivership laws vary dramatically and federal receivership law is limited. You likely will have no actual notice these actions are even occurring.

At least receiverships have some court action. UCC sales can have a non-court, public aspect but might include private sales. You are not entitled to actual notice of public auctions. Sometimes borrowers just “turn over the keys” to a secured lender and walk away from business operations. Now the secured lender holds your information. This should freak out both you and the secured lender. Finally, sometimes companies just cease to exist and shut down operations. In all these situations, your information may not be residing with the distressed company at all but with one of their vendors who has not been paid.

This piece is just a gentle reminder that you must include financial distress into your information security policy planning. Even if you “have” all the information and duplicate information simply resides elsewhere, you are responsible for reasonable control, security, retention, and destruction of that information. If you do not “have” the information and your operations are at risk, the stakes are that much higher. Future parts will examine how the various constituents – debtors, acquirers, secured lenders, and your interactions with third party providers – may help insure proper planning and response when information is in distress.