Privacy lawyers see assets differently than some other attorneys. Bankruptcy lawyers see assets even more differently. So what happens when privacy lawyers try to get out in front of maneuvers by bankruptcy lawyers?
XY.com was a magazine that catered to gay teens, a category of users that sought privacy for personal, familial and safety reasons. The founder of the magazine, Peter Ian Cummings, shuttered the magazine in 2007, the web site in 2009, and the information collected has (presumably) sat dormant since then.
In February of this year, Cummings filed for personal bankruptcy protection. Although Mr. Cummings had little in the way of assets, he did list the editorial content and users’ personal information as a personal asset. Now, creditors of Mr. Cummings want the users’ personal information sold and the proceeds distributed to creditors.
The first question is how Mr. Cummings came to be the owner of the users’ personal information. It is possible that a business entity was never formed, in which case Mr. Cummings may truly be the owner. It is also possible that a business entity was formed, but later dissolved and the assets distributed to him as an (or the sole) owner of the magazine. In any event, I expect the first question to be whether the users’ personal information should have been listed in his financial statements at all.
Assuming that the users’ personal information is properly listed as an asset of Mr. Cummings, we have to wonder how this is different than the toysmart.com bankrupcy case in 2000. In that case, toysmart.com offered to sell its customer list but backed down after tremendous public pressure and threats from attorneys general of several states. Maybe the toysmart.com case was more novel at the time (2000) and received more attention because it was something that most people had not considered. Maybe ten years later the expectation of privacy is actually worse than it was in 2000. We can only hope that the latter is not the case.
"Due to the nature of the information, the passage of time, and the closure of the magazine and Web site in 2007 and 2009, respectively, the continued use of the data may pose privacy risks not reasonably contemplated by subscribers when they provided the data, and not consistent with their course of dealing with the company."
"With regard to the street addresses collected by XY, many of these were provided by minors living with their parents or others who may have been unaware of their sexual orientation. With the passage of time since the magazine and Web site’s demise, many of these minors may have moved. At the time the Web site and magazine were operational, minors who moved, especially those concerned about the confidentiality of their subscriptions, were able to go online to update promptly any change of address. Former subscriber expectations, however, have likely changed over the past several years. They do not expect to receive any future communications from XY. The magazine has ceased publication and has been dormant for three years. The Web site no longer functions, making it impossible to update any changes of address, even if there were an expectation that future communications might occur. Accordingly, any effort to contact former subscribers via mail now carries the risk of unintentionally revealing their sexual orientation to individuals residing at the former subscribers’ addresses."
If the bankruptcy judge allows the sale to happen (and ultimately the bankruptcy judge can block the sale, subject to appeal), then anyone can purchase the information. I am not sure how valuable information that is three years old really is to a company, but we can suppose many examples of where the data could be used for more nefarious purposes. If a sale does occur, you can expect to see groups bidding for the sole purpose of destroying the information.
In any event, this particular data is some of the most sensitive data I can imagine, outside of certain crime victims. I cannot tell you that this issue could have been absolutely drafted around (this is bankruptcy court, after all, and some crazy things happen in the name of protecting creditors), and I also cannot tell you that privacy lawyers do not draft privacy policies everyday with the explicit intent that such data can be sold in bankruptcy proceedings.
There is pending legislation that could prohibit a transfer just like this. As noted in a brief but good article on this case at ReadWriteWeb.com, the Online Privacy Act would provide: "A covered entity may not sell, share, or otherwise disclose covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates." A silver bullet? No, but it is a good argument to prevent transfers such as the one proposed in the XY.com case.