Asher Kalman

 

In response to the increasing financial value and proliferation of Personally Identifiable Information (“PII”) held by corporations, courts have loosened restrictions on the sale of consumer data during bankruptcy. This development poses a significant threat to consumer privacy interests. Amendments to either the Bankruptcy Code (the “Code”) or the Health Insurance Portability and Accountability Act (“HIPAA”) might mitigate potential harm to consumers during bankruptcy sales.

 

Background

Beginning in the early 2000s, companies began to collect and analyze enormous amounts of data.[1] The use and sale of “big data” has expanded dramatically since then.[2] In corporate settings, large data sets can be used to understand customer preferences, target new markets and demographics, and increase efficiency.[3] This data is often comprised of PII,[4] which is defined in the Code to include “information concerning an identified individual that, if disclosed, will result in contacting or identifying such individual physically or electronically.”[5]

The framework governing the bankruptcy sale of PII in violation of a debtor’s privacy policy emerged in Federal Trade Comm’n v. Toysmart.com.[6] Toysmart was a popular online retailer that sold children’s toys.[7] The company’s website collected birthdates, billing information, names, and addresses from customers and visitors.[8] The website also included a privacy policy stating that Toysmart would never share information provided by customers with outside parties.[9] However, after petitioning for bankruptcy, Toysmart attempted to sell its customer data, prompting the Federal Trade Commission (“FTC”) to sue to stop the sale.[10] The parties eventually settled, and the conditions of their agreement continue to serve as a template for sales of PII in bankruptcy.[11] Toysmart’s sale was subject to the following four conditions:

(1) the customer information was sold as part of a package with the debtor’s other assets; (2) the buyer was in the same line of business as the debtor (referred to as a “qualified buyer”); (3) the buyer agreed to comply with Toysmart‘s privacy policy with respect to the purchased customer information; and (4) the buyer notified the affected customers and obtained their affirmative consent before using their personal information.[12]

Toysmart’s confining template prompted Congressional action. Several provisions were added to the Code through the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (“BAPCPA”).[13] Congress sought to give courts more leeway to allow the sale of PII.[14] Specifically, Section 363(b)(1) of the Act provides that a bankruptcy court may allow a debtor's transfer of PII to a purchaser despite a privacy policy that prohibits the transfer, if, after appointing a consumer privacy ombudsman (“CPO”)[15] and providing notice and a hearing, the court gives “due consideration to the facts, circumstances, and conditions of such sale or such lease” and finds “that no showing was made that such sale or such lease would violate applicable non-bankruptcy law.”[16]

Bankruptcy judges have exercised the discretion offered by Section 363(b)(1) by interpreting BAPCPA’s definition of PII in an artificially narrow way in order to avoid Code restrictions.[17] This puts the spotlight on the BAPCPA’s definition of PII. Researchers have found enormous amounts of “anonymous” data to be traceable to individuals (and therefore constitute PII) even though on first glance the data appears to be anonymous. In one study, researchers found that eighty seven percent of people in the United States have unique combinations of birth dates, sex, and ZIP codes, making the release of any data involving these three components a virtual rolodex.[18] This data would not be considered PII by a bankruptcy judge despite the fact that it can be de-anonymized (and therefore constitutes PII). However, judges have turned a blind eye to arguments about data de-anonymization.[19] 

Bankruptcy judges have also tended to interpret ambiguous language in privacy policies to avoid Code restrictions altogether. Section 363(b)(1) is not implicated if a privacy policy allows for sales of PII. In cases where privacy policies equivocally allow for transfers of PII in bankruptcy, judges are often highly accommodating.[20] Justifying sales of PII because consumers consented to a privacy policy seems reasonable.[21] At the same time, consumers have an excess of complex, lengthy privacy policies to read before being able to access almost any electronic service.[22] By some estimates, the average consumer would need to take a month out of every year to actually read the privacy policies they sign.[23] Many consumers also do not understand the implication of providing sensitive information.[24] Thus bankruptcy judges allowing the sale of customer data because consumers signed an ambiguous (and extremely lengthy) privacy policy allows companies to gain in unfair ways from consumer ignorance and misunderstanding.

Finally, courts have facilitated sales of PII in bankruptcy processes by not appointing CPOs. Ten years after Toysmart, bankruptcy judges appointed CPOs only a fourth of the time, despite the fact that their presence is required.[25]This deviation from the BAPCPA appears to be justified on the basis of Toysmart. Stacy-Ann Elvy describes the origin of this judicial thinking: “These courts have reasoned that if the data buyer agrees to be the ‘debtor’s successor-in-interest’ as to the customer data, and consents to using the customer data pursuant to the debtor’s existing privacy policy, a CPO is unnecessary.”[26] This justification recalls the third Toysmart condition: “the buyer agreed to comply with Toysmart’s privacy policy with respect to the purchased customer information.”[27]  

Many of these CPO-less cases involved transfers of consumer data that conflicted with the debtor’s privacy policy.[28] Failing to appoint a CPO risks privacy interests protected under non-bankruptcy law.[29] CPOs tend to include lengthy analyses regarding potential violations of non-bankruptcy law in their reports on data sales.[30] Failing to appoint CPOs risks missing issues they are the only party likely to identify. Unfortunately, non-bankruptcy law largely fails to protect consumer data regardless of the appointment of a CPO.

 

Solutions: Amending the Code

An advisable amendment to the Code is to restrict debtors from selling certain categories of sensitive data in bankruptcy.[31] These restrictions might cover sales of biometric and health-related data, sexual and romantic preference data, and racial, ethnic, and religious background data.

If the Code is amended in order to create inalienable data categories, it might be argued that the policy behind the Code of maximizing the estate is violated in an effort to protect consumer privacy. Such restrictions will likely decrease the value of consumer lists.[32] The restriction will therefore inhibit maximizing the value of the estate. However, this analysis is reductive. Today’s “big data” is no longer the antiquated name-number-address customer list from twenty years ago. Instead, datasets now contain extremely varied, highly sensitive information on billions of individuals.[33] If firms are benefiting economically from the increased abundance and value of PII, then consumer privacy interests – accounted for in the Code through Section 363 – should share in that benefit. Privacy interests can be supported by treating certain highly sensitive categories of information as inalienable.

 

------------------------------------------------------

[1] Data, Data Everywhere, The Economist (Feb. 27, 2010), https://www.economist.com/special-report/2010/02/27/data-data-everywhere. 

[2] Wendy Arianne Günther et al., Debating Big Data: A Literature Review on Realizing Value from Big Data, 26 J. Strategic Info. Sys. 191, 191–209 (2017).

[3] Id.

[4] John T. Soma, J. Zachary Courson & John Cadkin, Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value” of Financial Assets, 15 Rich. J.L. & Tech 11 (2009).

[5] Bankruptcy Abuse Prevention and Consumer Protection Act § 231(b), 11 U.S.C. § 101(41A) (2018).

[6] Federal Trade Comm'n v. Toysmart.com, LLC, 2000 WL 34016434 (D. Mass. July 21, 2000).

[7] See Press Release, Fed. Trade Comm’n, FTC Announces Settlement with Bankrupt Website, Toysmart.com, Regarding Alleged Privacy Policy Violations, (July 21, 2000), https://www.ftc.gov/news-events/press-releases/2000/07/ftc-announces-settlement-bankrupt-website-toysmartcom-regarding (describing Toysmart as “a popular Web site that marketed and sold educational and non-violent children’s toys over the Internet”).

[8] See Complaint for Permanent Injunction and Other Equitable Relief at Ex. 1, Fed. Trade Comm’n v. Toysmart.com, Inc., No. 00-11341 (D. Mass. Jul. 23, 2004) (“Personal information voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party.”).

[9] Id.

[10] Id.

[11] See Report of the Consumer Privacy Ombudsman at 8, In re RadioShack Corp., No. 15-10197 (Bankr. D. Del. May 16, 2015), Dkt. 2148.

[12] Stipulated Consent Agreement and Final Order, In re Toysmart.com, LLC, No. 00-13995-CJK (Bankr. D. Mass. July 21, 2000), Dkt. 113.

[13] Bankruptcy Abuse Prevention and Consumer Protection Act § 232(a), 11 U.S.C. § 332(b) (2018).

[14] Susan Jensen, A Legislative History of the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, 79 AM. BANKR. L.J. 485, 544 (2005).

[15] Bankruptcy Abuse Prevention and Consumer Protection Act § 232(a), 11 U.S.C. § 332(b) (2018). (The CPO’s role is set forth in Section 332 of the Code. CPOs “shall provide to the court information to assist the court in its consideration of the facts, circumstances, and conditions of the proposed sale”)

[16] Bankruptcy Abuse Prevention and Consumer Protection Act § 231(a), 11 U.S.C. § 363(b)(1) (2018). In re Graceway Pharm., LLC, No. 11-13036 (PJW), 2011 WL 6296791, at 4 (Bankr. D. Del. Sept. 30, 2011).

[17] In re Graceway Pharm., LLC, No. 11-13036 (PJW), 2011 WL 6296791, at 4 (Bankr. D. Del. Sept. 30, 2011).

[18] Latanya Sweeney, Simple Demographics Often Identify People Uniquely, (Carnegie Mellon University, Data Privacy Working Paper No. 3, 2000), https://dataprivacylab.org/projects/identifiability/paper1.pdf.

[19] See, e.g., In re QSL of Medina, Inc., et al. No. 15-52727 (N.D. Ohio), Consumer Privacy Ombudsman Report to the Court, March 20, 2016 (Docket No. 260).

[20] Privacy Policy, FiLIP, http://www.myfilip.com/privacy-policy/.

[21] Walter W. Miller, Jr. & Maureen A. O‘Rourke, Bankruptcy Law v. Privacy Rights: Which Holds the Trump Card?, 38 Hous. L. Rev. 777, 847 (2001).

[22] Shankar Vedantam, To Read All Those Web Privacy Policies, Just Take a Month Off Work, NPR (April 19, 2012, 3:30 AM), https://www.npr.org/sections/alltechconsidered/2012/04/19/150905465/to-read-all-those-web-privacy-policies-just-take-a-month-off-work.

[23] Shankar Vedantam, To Read All Those Web Privacy Policies, Just Take a Month Off Work, NPR (April 19, 2012), https://www.npr.org/sections/alltechconsidered/2012/04/19/150905465/to-read-all-those-web-privacy-policies-just-take-a-month-off-work.

[24] Walter W. Miller, Jr. & Maureen A. O‘Rourke, Bankruptcy Law v. Privacy Rights: Which Holds the Trump Card?, 38 Hous. L. Rev. 777, 779, 783, 788 (2001)

[25] Lucy L. Thomson, Personal Data for Sale in Bankruptcy: A Retrospective on the Consumer Privacy Ombudsman, Am. Bankr. Inst. J., June 2015, at 32.

[26] Stacy-Ann Elvy, Commodifying Consumer Data in the Era of the Internet of Things, 59 B.C. L. Rev. 423, 481 (2018).

[27] Stipulated Consent Agreement and Final Order, In re Toysmart.com, LLC, No. 00-13995-CJK (Bankr. D. Mass. July 21, 2000), Dkt. 113.

[28] Id. at 33.

[29] Lucy L. Thomson, Personal Data for Sale in Bankruptcy: A Retrospective on the Consumer Privacy Ombudsman, Am. Bankr. Inst. J., June 2015, at 32.

[30] Report of the Consumer Privacy Ombudsman at 17, In re RadioShack Corp., No. 1510197 (BLS) (Bankr. D. Del. May 16, 2015).

[31] Stacy-Ann Elvy, Commodifying Consumer Data in the Era of the Internet of Things, 59 B.C. L. Rev. 423, 481 (2018).

[32] Nicolas P. Terry, Regulatory Disruption and Arbitrage in Health-Care Data Protection, 17 Yale J. Health Pol’y L. & Ethics 143, 152 (2017).

[33] Wendy Arianne Günther et al., Debating Big Data: A Literature Review on Realizing Value from Big Data, 26 J. Strategic Info. Sys. 191, 191–209 (2017).