News & Events

For media inquiries and other press-related questions, please contact the NAAG Press Center at (202) 326-6027 or rstone@naag.org.

NAAGazette

I May Be Paranoid, But They?re Still Out to Get Me
Negotiating the Interface of Electronic Discovery and Consumer Privacy

Karen Cordry, Bankruptcy Counsel

Karen Cordry, Bankruptcy Counsel

Early Privacy Developments

The issues with respect to consumer privacy in the Electronic Age took on greater significance in the mid-1990s with the growth of identity theft issues. Identity theft was made a federal offense by the Identity Theft and Assumption Deterrence Act in 1998, and the Drivers Privacy Protection Act was enacted in 1999 to regulate the sale of information from departments of motor vehicles without the driver’s consent. The U.S. Departments of Justice and Treasury, the Office of Management and Budget and the Administrative Office of the U.S. Courts organized a study in 2000 of privacy issues in bankruptcy.

Approximately 20 Attorneys General submitted comments that noted the very difficult issues that arise in the bankruptcy arena. By its very nature, bankruptcy cases involve the making public of what would otherwise be highly sensitive personal and financial data. Yet, no debtor should be forced to face the threat of identity theft, nor should victims of domestic violence be forced to expose information about themselves that could lead to possible harm. On the other hand, there is a substantial need for the courts, creditors and regulatory bodies to be able to identify filers with certainty and ensure that they do not abuse the system by repeated filings or by concealing their assets. The use by bankruptcy courts of electronic filing earlier, and to a greater degree, more than any other court system, made the problem even more acute, both as to possible criminal misuse of data and commercial exploitation of those filing bankruptcy.

Selling Names? Not So Fast!

During this period, cases arose in bankruptcy that raised the question of whether customer information could be sold like any other asset. The first case that raised those issues in stark form involved the Cult Awareness Network, Inc. (“CAN”), a not-for-profit anti-cult organization that was hit was a sizable judgment after forcibly “deprogramming” a “cult member.” It filed bankruptcy in 1995 and there were efforts to sell information that CAN had compiled on various cults and its membership data. There were numerous objections that such a sale would violate the privacy of CAN’s contributors and expose them to harm from cult members who could buy the data. The trustee eventually gave up such efforts, noting that he faced threats of numerous suits should the materials be sold, which would cost more than any value received. The U.S. Trustee agreed, asserting that any such sale would require resolving religious and constitutional privacy rights of hundreds of third parties, who have no status under the Code’s provisions of sales of estate property. The courts allowed the trustee to drop the sale, but did not appear to recognize any specific privacy rights or limits on whether such information should appropriately be treated as a salable asset.

The approach changed, though, with a bankruptcy filing in 2000 by Toysmart, an on-line seller of educational toys, which encouraged children to use its website and collected copious amounts of personal information from them. It promised, though, that such personal information was “never shared with a third party” and would be used only to enhance the customer’s experience at the website. Upon filing bankruptcy, however, Toysmart immediately sought to sell that information as another estate asset. Texas filed the first objection to the proposed sale, asserting that it violated state law on unfair and deceptive practices and the existence of those state privacy laws meant that Toysmart was trying to sell something that it did not legally own. It also noted that, once again, the customers whose rights were at issue were being given no notice of the sale. In short order, 40 additional states raised similar objections to those raised by Texas and the Federal Trade Commission (FTC) and also filed a complaint in federal district court to enjoin the sale.

The FTC tried to settle the matter by allowing a sale to a “Qualified Buyer,” which would be a similar entity dealing with “family commerce,” which would impose the same privacy terms as Toysmart had, and that would not retain those rights unless the consumer consented. It did not, however, provide for the consent of the consumers to that settlement. The states opposed the settlement, asserting that the sale to a third party, without notice to and “opt-in” consent from the consumer, would still violate their laws and could not be allowed. Eventually, the sale was dropped and one of the debtor’s equity owners, a Disney entity, agreed to pay $50,000 for the privilege of destroying the information. Thus, it was never determined whether “opt-in” or “opt-out” policies were necessary (or whether the result would depend on the nature of the privacy promises that were made). There is little doubt that the nature of Toysmart’s information – detailed personal information about children – contributed to the uproar and the demand that controls be established. Thereafter, several other entities – all Internet companies who had created explicit privacy policies – faced similar objections to sales of their consumer data.

Legislative Responses

In reaction to these events, provisions were added in 2001 to the pending bankruptcy bill that finally become law in 2005. The amendments define “personally identifying information” and limit the sale of such information if the debtor had made its privacy policy known to its consumers and that policy was still in effect at the time of the bankruptcy filing. If so, then the sale can go forward only if the sale is consistent with the policy or the court appoints a consumer privacy ombudsman and, after receiving his report, approves such a sale upon “finding that no showing was made that such sale . . . would violate applicable nonbankruptcy law.” This appears to explicitly bar such sales if state law would preclude the information from being sold.

The ombudsman reports on the debtor’s policy, the possible effects from the sale, the costs or benefits to consumers and potential alternatives that would mitigate privacy issues. No standards are set for deciding on protections – including, specifically, whether opt-in or opt-out is required. Rather, such issues are left to a court’s discretion, a debtor’s policy and nonbankruptcy law. It is not clear what the effect would be of conflicting state laws for a debtor with a national database. The ombudsman is not actually tasked with discussing the legal issues, though, nor is there any explicit requirement to give notice to the consumer protection agencies. Finally, there is no suggestion that those officials should be the presumptive choice for ombudsman, even though dealing with such issues is part of their daily responsibility.

To date, there have been less than a dozen ombudsmen appointed under the new provisions. In a recent report in Tweeter Home Entertainment Group, Inc. (07-10787, D. Del.), the ombudsman’s recommendations (which the court accepted) tracked very closely with those made by the FTC in the Toysmart case (which the states had objected to). Two differences may account for the different result – the information related only to electronic purchases by adults, and Tweeter had written its policy so as to reserve the right to transfer information if it sold or merged its business. For those reasons, some of the concerns raised by the states in Toysmart did not apply. Further, Tweeter made clear that it would not sell information as part of a “going out of business sale” or on a stand-alone basis, but only as part of a transfer of its business.

State Involvement in Going-Out-of-Business (“GOB”) and Other Sales

The states became highly involved in GOB sales after Montgomery Ward obtained permission in its bankruptcy filing in 2000 to severely limit consumers use of gift certificates, layaway items, return policies and the like and began to demand protections in the sales agreements. The states also began looking at the privacy concerns discussed here, including language in a number of agreements that required debtors to remove personal or confidential information about employees and customers if it intended to sell or abandon its computers or similar equipment.

However, while these provisions have been used in GOB sales, transfers of such equipment is just as likely to take place in sales of ongoing businesses. In view of the small number of ombudsman appointed to date, it is unlikely that they have been considered for all such sales, as opposed to only where there has been a specific reference to the sale of consumer information as such (rather than sale of the equipment holding the data). Perhaps many companies don’t have a privacy policy. Or perhaps their policy, like Tweeter’s, says it doesn’t apply if the company is sold to another similar operation. Certainly, such issues are not often thought of outside the bankruptcy context. Is bankruptcy different? Is it because bankruptcy is a place where outsiders get to object to sales? The issue certainly may be more salient when a company is actually shutting down and equipment is being sold outside the context of an ongoing venture that will have a self-interest in protecting the privacy of its newly acquired customer base. But should it be? If we’re concerned about such sales in bankruptcy, should the states take the same view outside of bankruptcy?

Is Information Ever Really Gone?

The questions become even more pointed when one considers the difficulty in removing information from computers. The new rules on electronic discovery (and the flood of recent seminars) have brought home to lawyers both the wealth of hidden information that exists on computers and how hard it is to truly purge that data. Those who have read articles on electronic discovery have learned that “deleted” doesn’t necessarily mean “gone.” “Deleting” a file on a computer is the equivalent of tearing out the table of contents from a book. One may no longer readily know how to find a particular item but the text is still there for those who know how to look for it. The sale of a computer from which data has been “deleted” in such a fashion is an open invitation for an unscrupulous party to run a recovery program and obtain a wealth of information that could be used for wholesale identity theft.

There are other processes by which one can make it more and more difficult to recover data, but some say the only way to truly ensure that data cannot be recovered is to take a hammer to the hard drive. Nor is customer information the only confidential data that could create havoc if left in a retrievable form on computers being sold or abandoned. Trade secrets, work product and the like – what obligations should a company, a law firm – or an Attorney General’s office – have to ensure that such information is properly safeguarded and removed if computers are disposed of in an office upgrade? In short, this area started with consideration of consumer privacy in bankruptcy sales, but has far wider applicability that governments may need to consider to protect consumer privacy in the “brave new world” of today’s electronics.

red logo

SAVE THE DATE

Deposition Skills

January 8 - 9, 2015
Tampa, FL
Contact: Bill Malloy

Voir Dire

January 14 - 16, 2015
New York, NY
Contact: Francesca Liquori

Human Trafficking for State Prosecutors: Bismark, ND

January 20 - 21, 2015
Bismark, ND
Contact: Judy McKee

Legal Writing for OAG-CA

January 21, 2015
Los Angeles, CA
Contact: Bill Malloy

Trial Advocacy Training for OAG-AS

January 26 - 29, 2015
Pago Pago, Am. Samoa
Contact: Bill Malloy

Human Trafficking for State Prosecutors: Pago Pago, Am. Samoa

January 29 - 30, 2015
Pago Pago, Am. Samoa
Contact: Judy McKee