Skip to Content

Data Privacy in Bankruptcy

silhouettes of people with images of locks in the foreground

silhouettes of people with images of locks in the foreground

A corporate debtor filing for bankruptcy has a duty to protect confidential and personally identifiable information (“PII”) under data security laws and applicable non-bankruptcy law. PII includes information such as name, mailing address, email address, phone number, social security number, credit card information, and other information that can be used to identify an individual. These laws are sometimes in direct contravention with bankruptcy principles of open access to court records and maximizing creditor recoveries – for example, with respect to the sale of PII.

Many states have enacted privacy laws affecting various types of data – such as cybersecurity, biometric (e.g., a fingerprint or retina), and genetic data – governing how personal data is disposed of by corporations. On the federal level, the Federal Trade Commission Act governs data privacy and security as part of the Federal Trade Commission’s authority to protect consumers from unfair or deceptive trade practices. Moreover, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires adoption of national standards to prevent the disclosure of protected health information (“PHI”), such as identifiable demographic information related to an individual’s physical or mental state and information concerning the provision of health care that is created by a covered entity. These are just two prominent examples of federal regulations of data privacy and security.

Section 107 of the Bankruptcy Code sets out the general rule that filings in a bankruptcy case are public records subject to certain exceptions. These exceptions protect individuals from disclosure of information that could cause scandalous or defamatory effects, disclose the name of a minor child, or create an undue risk of identity theft.

PII can be a valuable asset for a bankruptcy estate to monetize through a section 363 sale (check out our article on sales under section 363 of the Bankruptcy Code for more information) of the business as a going concern or in a more limited sale of customer data. It can also be burdensome to store and dispose of PII. If a debtor seeks to sell PII, or use it in a way that is inconsistent with its privacy policy, the bankruptcy court must direct the US Trustee to appoint a consumer privacy ombudsman (“CPO”), whose role will be to educate the court about the personal information and privacy implications at hand; this includes identifying the PII involved, evaluating the sensitivity of the data, determining what data can be sold and how consumers should be notified, and developing a destruction plan for data that cannot be sold.

Section 363(b)(1) of the Bankruptcy Code sets forth the conditions under which a debtor may sell PII even if it violates the debtor’s privacy policy. With that said, even with sale conditions, it can be difficult to sell customer data if the sale is inconsistent with the debtor’s privacy policy. If possible, a company should revise (or draft) its privacy policy before filing for bankruptcy in a way that minimizes restrictions on the sale of PII.

In today’s tech era, one of a company’s most valuable assets is personal information that it has collected from its customers. As we gear up to manage the effects of a global recession spurred by the pandemic, and the need for bankruptcy relief grows, businesses should be aware of this asset and its privacy implications. Reach out to KI Legal’s Bankruptcy and Restructuring attorneys for more information on the topics discussed here today, and/or for help with a personal matter, at your convenience.  



This information is the most up to date news available as of the date posted. Please be advised that any information posted on the KI Legal Blog or Social Channels is being supplied for informational purposes only and is subject to change at any time. For more information, and clarity surrounding your individual organization or current situation, contact a member of the KI Legal team.  


KI Legal focuses on guiding companies and businesses throughout the entire legal spectrum. KI Legal’s services generally fall under three broad-based practice group areas: Transactions, Litigation and General Counsel. Its extensive client base is primarily made up of real estate developers, managers, owners and operators, lending institutions, restaurant and hospitality groups, construction companies, investment funds, and asset management firms. KI Legal’s unwavering reputation for diligent and thoughtful representation has been established and sustained by its strong team of reputable attorneys and staff. For the latest updates, follow KI Legal on LinkedInFacebook, and Instagram. For more information, visit

Share To: