Privacy lawyers see assets differently than some other attorneys.  Bankruptcy lawyers see assets even more differently.  So what happens when privacy lawyers try to get out in front of maneuvers by bankruptcy lawyers?

Let me put the issue in context.  When a privacy lawyer drafts a privacy policy for a web site, he or she will think about all of the possible scenarios where his or her client needs to transfer personal information collected on the web site.  As part of a sale of the company?  To answer law enforcement and other subpoena requests?  To litigate against the owner of the information?  In each case, the web site owner wants the right to use and transfer the personal information of its users.

But what if the company/web site goes defunct?  Some clients will take the position that they do not want subscriber information going into the hands of the highest bidder, no matter what.  Other clients will determine that if their business failed, all bets are off and the asset of the company (the personal information) should be used to generate income for the estate.  Those people in the latter category are often the same people that personally guarantee the borrowing by the company and, therefore, want every potential asset to be available.  The lawyer for clients in the last category will put in the privacy policy an explicit disclosure that the information may be transferred in bankruptcy proceedings.

But what happens when the privacy policy says nothing about bankruptcy but does say "[w]e never give your info to anybody"?  Read on for that exact scenario, currently pending in bankruptcy court.  XY was a magazine that catered to gay teens, a category of users that sought privacy for personal, familial and safety reasons.  The founder of the magazine, Peter Ian Cummings, shuttered the magazine in 2007, the web site in 2009, and the information collected has (presumably) sat dormant since then.

In February of this year, Cummings filed for personal bankruptcy protection.  Although Mr. Cummings had little in the way of assets, he did list the editorial content and users’ personal information as a personal asset.  Now, creditors of Mr. Cummings want the users’ personal information sold and the proceeds distributed to creditors.

The first question is how Mr. Cummings came to be the owner of the users’ personal information.  It is possible that a business entity was never formed, in which case Mr. Cummings may truly be the owner.  It is also possible that a business entity was formed, but later dissolved and the assets distributed to him as an (or the sole) owner of the magazine.  In any event, I expect the first question to be whether the users’ personal information should have been listed in his financial statements at all.

Assuming that the users’ personal information is properly listed as an asset of Mr. Cummings, we have to wonder how this is different than the bankruptcy case in 2000.  In that case, offered to sell its customer list but backed down after tremendous public pressure and threats from attorneys general of several states.  Maybe the case was more novel at the time (2000) and received more attention because it was something that most people had not considered.  Maybe ten years later the expectation of privacy is actually worse than it was in 2000.  We can only hope that the latter is not the case.

The FTC has come out and said that it strongly objects to any sale of users’ personal information, and has called for the information to be destroyed in the face of the existing (existing at least at the time of collection) privacy policy.  As reported in an excellent article by CNET, the following are two excerpts sent to attorneys and creditors in the Cummings bankruptcy:

"Due to the nature of the information, the passage of time, and the closure of the magazine and Web site in 2007 and 2009, respectively, the continued use of the data may pose privacy risks not reasonably contemplated by subscribers when they provided the data, and not consistent with their course of dealing with the company."

"With regard to the street addresses collected by XY, many of these were provided by minors living with their parents or others who may have been unaware of their sexual orientation. With the passage of time since the magazine and Web site’s demise, many of these minors may have moved. At the time the Web site and magazine were operational, minors who moved, especially those concerned about the confidentiality of their subscriptions, were able to go online to update promptly any change of address. Former subscriber expectations, however, have likely changed over the past several years. They do not expect to receive any future communications from XY. The magazine has ceased publication and has been dormant for three years. The Web site no longer functions, making it impossible to update any changes of address, even if there were an expectation that future communications might occur. Accordingly, any effort to contact former subscribers via mail now carries the risk of unintentionally revealing their sexual orientation to individuals residing at the former subscribers’ addresses."

If the bankruptcy judge allows the sale to happen (and ultimately the bankruptcy judge can block the sale, subject to appeal), then anyone can purchase the information.  I am not sure how valuable information that is three years old really is to a company, but we can imagine many examples where the data could be used for more nefarious purposes.  If a sale does occur, you can expect to see groups bidding for the sole purpose of destroying the information.

A bifurcation of the data is also possible, namely information collected online and information collected offline being treated differently.  The FTC, no doubt, will argue that the online privacy policy applies to information collected offline unless explicitly stated otherwise in the online privacy policy.

In any event, this particular data is some of the most sensitive data I can imagine, outside of certain crime victims.  I cannot tell you that this issue could have been absolutely drafted around (this is bankruptcy court, after all, and some crazy things happen in the name of protecting creditors), and I also cannot tell you that privacy lawyers do not draft privacy policies every day with the explicit intent that such data can be sold in bankruptcy proceedings.

There is pending legislation that could prohibit a transfer just like this.  As noted in a brief but good article on this case at, the Online Privacy Act would provide: "A covered entity may not sell, share, or otherwise disclose covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates."  A silver bullet?  No, but it is a good argument to prevent transfers such as the one proposed in the case.