When a bankrupt company’s most valuable assets include consumer information, a tension arises between bankruptcy policy aimed at maximizing asset value, on the one hand, and privacy laws designed to protect consumers’ personal information, on the other.

Much has been written of late about data breaches and the liabilities for the unauthorized acquisition of Personally Identifiable Information (PII) from institutions, including financial institutions. But what about when the alleged “breach”--the release of information --is voluntarily and/or legally compelled? What are the risks for creditors who take collateral, in security for the repayment of debt, containing PII data? What are the risks to businesses when they transfer assets that include PII? What liabilities do they face? What are the rights of customers?

Following the Texas Attorney General’s objection to the sale of RadioShack Corporation’s consumer data as an asset in its bankruptcy, 37 other state attorneys general and a large number of other consumer protection entities formally raised similar concerns. RadioShack, which filed for bankruptcy on February 5, 2015, revealed in a representative’s deposition on March 20, 2015 that it held personally identifiable consumer data of 117 million consumers, or 37% of the residential population of the United States.

Facing objections from the Federal Trade Commission and the Attorneys General of 23 states, RadioShack in its bankruptcy filing, has agreed to destroy the bulk of the personal customer information maintained in its files.

As part of its Chapter 11 petition, the company offered all of its assets for sale—including data on roughly 117 million customers, such as e-mail addresses, telephone numbers, and credit and debit card information.

In what may become viewed as the de facto standard for selling customer information in bankruptcies, a Delaware bankruptcy court approved, on May 20, 2015, a multi-party agreement that would substantially limit RadioShack’s ability to sell 117 million customer records.

U.S. v. Henry, Case No. 08-003 (W.D. Va. July 1, 2008)

In Re NVMS, LLC, Case No. 308-01901 (Bkrtcy.M.D.Tenn. Mar 21, 2008)

The debtor in this case is a medical services company who contracted with Medical Billing Partnership (“MBP”) to handle all of its billing. After filing for bankruptcy, the debtor asked MBP to provide billing data so as to determine the status of claims, but MBP refused to provide the information due to the proprietary software. MBP did provide a hard copy as well as a CD-rom with the information in an unformatted text file.

Conventional wisdom was that bankruptcy and insolvency were not major considerations when receiving outsourcing services from reputable, credit-worthy suppliers.

As more financial institutions get swallowed up by better-positioned industry competitiors or find themselves being forced to file for bankruptcy, many of these institutions' technology providers also are being impacted by the worsening economic crisis.

The dispute over the disposition of customer records held by the "Clear" airport traveler program casts a spotlight once again on the handling of consumer personal data when a business falls on hard times. In such circumstances, the desire of the debtor to preserve or maximize the value of its business assets can conflict with legitimate privacy interests of individuals who were customers of the business.