Editor's note: William Boeck is Insurance & ClaimsCounsel, Lockton Financial Services at Lockton Cos.

Selling your company or its assets? These days, it seems certainthat litigation is sure to follow. If your company holds thepersonal data of customers and has made promises in its dataprivacy policy about not selling it, then you may be hearing fromthe Federal Trade Commission (FTC). You won't enjoy it.

Companies doing business on the Internet typically have privacypolicies explaining how the company will collect and use consumers'personal information. Various state and federal laws require them.Those privacy policies often contain language to the effect thatthe company will not give the information to any third partywithout the consumers' consent.

The FTC views violations of privacy policies as deceptive tradepractices, which are prohibited by the FTC Act. The FTC frequentlybrings enforcement actions against companies for suchviolations.

In May 2014, the FTC sent a letter to the judge overseeing thebankruptcy of ConnectEDU, Inc., stating that the proposed sale ofthe company's assets would violate the ConnectEDU privacy policybecause consumer information would be sold without the consumers'consent.

ConnectEDU is an educational technology company that helpsstudents prepare for college and connect with career opportunities.Students create profiles on the ConnectEDU website that containpersonal information.

The ConnectEDU privacy policy states that:

[T]he personally identifiable data you submit to ConnectEDUis not made available or distributed to third parties, except withyour express consent and at your direction. In particular, theCompany will not give, sell, or provide access to your personalinformation to any company, individual, or organization for its usein marketing or commercial solicitation or for any other purpose,except as is necessary for the operation of this site.

The policy allows information to be disclosed when the companyor its assets are sold, but consumers must be given notice and anopportunity to remove their information.

The FTC states that their concerns would be diminished ifConnectEDU notified individuals that their information was beingsold and gave them the opportunity to have the information removed.The FTC would also be satisfied if the information was simplydestroyed. (The FTC identified a third option that would apply onlyin the bankruptcy context.)

The FTC's letter is a warning to all companies being sold thatthey will face a potential enforcement action if consumerinformation is transferred to a buyer in violation of the company'sprivacy policy.

The FTC isn't the only thing companies need to worry about,though. It isn't hard to imagine that individuals and their lawyerswill bring class action suits for alleged misrepresentations inprivacy policies. Such actions are being brought against companiesright now.

And it isn't just companies that need to be concerned. Theirdirectors and officers need to worry, too. M&A-relatedlitigation against directors and officers is depressingly common.If directors and officers cause their company to be sold inviolation of its privacy policy, that violation could figureprominently in breach of fiduciary duty allegations in ashareholder lawsuit.

So what should companies do?

* Companies should examine their privacy policies to determinewhether the policies would permit personal data to be transferredif the company or its assets are sold. If transferring the datawould violate the privacy policy, then a company may wish to workwith their privacy counsel to alter the policy to allow atransfer.

* Purchasers of companies or their consumer data should assurethat the selling companies represent and warrant that they are incompliance with their data privacy policy, and that they areauthorized to transfer the consumer data to the buyer.

If a company faces a claim from the FTC or private plaintiffs,it should have the consolation of its insurers' support. Such aclaim should be covered under most good cyber policies. Companiesshould consider whether their existing policy limits and anyapplicable sublimits are adequate, however. Buying and sellingcompanies should also consider representations and warrantiesinsurance policies to cover any resulting losses.

D&O policies should cover any shareholder claims for breachof fiduciary duty by a company's directors and officers.

The FTC has proved to be a very active enforcer of privacyrights. If the FTC and private plaintiffs are focused on an issue,companies do well to pay attention: An ounce of prevention now inthe form of a well-crafted privacy policy and an equallywell-crafted insurance program may save companies a very expensivepound of cure later.

William Boeck is a Senior Vice President and Insurance andClaims Counsel with Lockton Financial Services. He is located inLockton's Kansas City office. Before joining Lockton in 2006, Boeckspent over 19 years handling claims for insurers and representinginsurers in private legal practice in connection with complexclaims under directors and officers liability, errors and omissionsliability, employment practices liability, fiduciary, crime andfidelity, and other policies.