Last year, we wrote a post about how a New York bankruptcy judge delayed the approval of Barnes and Noble’s acquisition of Borders’ database of customer information amid privacy concerns. The court later approved the transaction, requiring that Barnes and Noble give customers 15 days to opt out of the transfer by responding to an email that was sent when the deal closed. A copy of that email can be found here.
Those same privacy concerns are re-surfacing in another bankruptcy asset sale. Real Mex Restaurants Inc. (“Real Mex”), the operator of Chevys Fresh Mex and other Mexican restaurants, filed for Chapter 11 bankruptcy protection back in October 2011. In November, Real Mex received tentative court approval to auction off its assets. Last week, though, the U.S. Trustee, the administrative agency charged with enforcing the country’s bankruptcy laws, asked the Delaware bankruptcy court to block the proposed sale of Real Mex’s assets until privacy concerns were addressed.
The U.S. Trustee objected to the sale based on its opinion that it violated section 363(b)(1) of the Bankruptcy Code because no consumer privacy ombudsman had been appointed to protect individuals’ personally identifiable information (“PII”). Section 363 permits the sale or lease of PII only when either (1) such a sale or lease is made consistent with the debtor’s policy prohibiting the transfer of PII to persons that are not affiliated with the debtor or (2) the court appoints a consumer privacy ombudsman and, thereafter, approves the sale or lease after giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.
As we reported in our last post, this is not the first time that would-be buyers of databases have faced judicial or regulatory scrutiny about privacy concerns. See, e.g., In re: Peter Ian Cummings and FTC v. Toysmart.com, LLC and Toysmart.com, Inc. Still, though, the Real Mex case serves as an important reminder: Companies looking to acquire or transfer assets containing customer information need to address the associated privacy risks with those transactions, ideally before the government raises the issue first.