The question of the privacy rights of consumers is an increasingly important topic. In the following guest post, Bill Boeck, Senior Vice President, Insurance & Claims Counsel for Lockton Financial Services, takes a look at recent actions the Federal Trade Commission has taken to protect consumers’ privacy rights and to enforce companies’ privacy policies.
I would like to thank Bill for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you are interested in submitting a guest post. Here is Bill’s post:
*******************
Selling your company or its assets? These days it seems certain that litigation will follow. If your company holds the personal data of customers, and has made promises in its data privacy policy about not selling it, then you may be hearing from the Federal Trade Commission (FTC). You won’t enjoy it.
Companies doing business on the Internet typically have privacy policies explaining how the company will collect and use consumers’ personal information. Various state and federal laws require them. Those privacy policies often contain language to the effect that the company will not give the information to any third party without the consumer’s consent.
The FTC views violations of privacy policies as deceptive trade practices which are prohibited by the FTC Act. The FTC frequently brings enforcement actions against companies for such violations.
In May 2014 the FTC sent a letter to the judge overseeing the bankruptcy of ConnectEDU, Inc. stating that the proposed sale of the company’s assets would violate the ConnectEDU privacy policy because consumer information would be sold without the consumers’ consent.
ConnectEDU is an educational technology company that helps students prepare for college and connect with career opportunities. Students create profiles on the ConnectEDU web site that contain personal information. The ConnectEDU privacy policy states that:
[T]he personally identifiable data you submit to ConnectEDU is not made available or distributed to third parties, except with your express consent and at your direction. In particular, the Company will not give, sell or provide access to your personal information to any company, individual or organization for its use in marketing or commercial solicitation or for any other purpose, except as is necessary for the operation of this site.
The policy allows information to be disclosed when the company or its assets are sold, but consumers must be given notice and an opportunity to remove their information.
The FTC states that their concerns would be diminished if ConnectEDU notified individuals that their information was being sold and gave them the opportunity to have the information removed. The FTC would also be satisfied if the information was simply destroyed. (The FTC identified a third option that would apply only in the bankruptcy context.)
The FTC’s letter is a warning to all companies being sold that they will face a potential enforcement action if consumer information is transferred to a buyer in violation of the company’s privacy policy.
The FTC isn’t the only thing companies need to worry about though. It isn’t hard to imagine that individuals and their lawyers will bring class action suits for alleged misrepresentations in privacy policies. Such actions are being brought against companies now.
And it isn’t just companies that need to be concerned. Their directors and officers need to worry too. M&A-related litigation against directors and officers is depressingly common. If directors and officers cause their company to be sold in violation of its privacy policy, that violation could figure prominently in breach of fiduciary duty allegations in a shareholder lawsuit.
So what should companies do?
- Companies should examine their privacy policies to determine whether the policies would permit personal data to be transferred if the company or its assets are sold. If transferring the data would violate the privacy policy, then a company may wish to work with its privacy counsel to change the policy to allow a transfer.
- Purchasers of companies or their consumer data should assure that the selling companies represent and warrant that they are in compliance with their data privacy policy, and that they are authorized to transfer the consumer data to the buyer.
If a company faces a claim from the FTC or private plaintiffs it should have the consolation of its insurers’ support. Such a claim should be covered under most good cyber policies. Companies should consider whether their existing policy limits and any applicable sublimits are adequate though. Buying and selling companies should also consider Representations and Warranties Insurance policies to cover any resulting losses.
D&O policies should cover any shareholder claims for breach of fiduciary duty by a company’s directors and officers.
The FTC has proved to be a very active enforcer of privacy rights. If the FTC and private plaintiffs are focused on an issue, companies do well to pay attention. An ounce of prevention now in the form of a well-crafted privacy policy and an equally well-crafted insurance program may save companies a very expensive pound of cure later.