Last week, the United States Court of Appeals for the Sixth Circuit issued a decision in the case of Cyber Solutions International LLC v. Pro Marketing Sales, Inc. Although the decision blazes no new legal territory, the facts of the case and rulings offer important lessons for both lenders and licensees.

Personal data is a valuable corporate asset.  At times, the personal information collected from customers (such as email address, mailing address, phone number, etc.) can be a company’s most valuable asset.  Unfortunately, when a company attempts to sell this asset, it can find the value of the data significantly diminished due to promises made in a privacy policy the company implemented years before it ever contemplated such a sale.

Customer information has become an increasingly valuable business asset.  And, the volume and detail of other available information about consumers has increased along with it, well beyond mere customer names and addresses to preferences, purchasing history, and online activity.  This means that when a business is sold, customer information is often sold along with it.  But careful diligence is required in handling this intangible asset, and the recent settlement in the RadioShack bankruptcy case is instructive.

Be careful what you’ve promised your customers…or what has been promised about data you buy!

Last month, bankrupt company RadioShack settled with a coalition of seventeen attorneys general to destroy most of the company’s customer data in its files. The agreement was part of a Bankruptcy Court-approved $26.2 million sale of RadioShack’s assets.

When a bankrupt company’s most valuable assets include consumer information, a tension arises between bankruptcy policy aimed at maximizing asset value, on the one hand, and privacy laws designed to protect consumers’ personal information, on the other.

Much has been written of late about data breaches and the liabilities for the unauthorized acquisition of Personally Identifiable Information (PII) from institutions, including financial institutions. But what about when the alleged “breach”--the release of information --is voluntarily and/or legally compelled? What are the risks for creditors who take collateral, in security for the repayment of debt, containing PII data? What are the risks to businesses when they transfer assets that include PII? What liabilities do they face? What are the rights of customers?

Following the Texas Attorney General’s objection to the sale of RadioShack Corporation’s consumer data as an asset in its bankruptcy, 37 other state attorneys general and a large number of other consumer protection entities formally raised similar concerns. RadioShack, which filed for bankruptcy on February 5, 2015, revealed in a representative’s deposition on March 20, 2015 that it held personally identifiable consumer data of 117 million consumers, or 37% of the residential population of the United States.

Facing objections from the Federal Trade Commission and the Attorneys General of 23 states, RadioShack in its bankruptcy filing, has agreed to destroy the bulk of the personal customer information maintained in its files.

As part of its Chapter 11 petition, the company offered all of its assets for sale—including data on roughly 117 million customers, such as e-mail addresses, telephone numbers, and credit and debit card information.

In what may become viewed as the de facto standard for selling customer information in bankruptcies, a Delaware bankruptcy court approved, on May 20, 2015, a multi-party agreement that would substantially limit RadioShack’s ability to sell 117 million customer records.