Editor's note: William Boeck is Insurance & Claims Counsel, Lockton Financial Services at Lockton Cos.
Selling your company or its assets? These days, it seems certain that litigation is sure to follow. If your company holds the personal data of customers and has made promises in its data privacy policy about not selling it, then you may be hearing from the Federal Trade Commission (FTC). You won't enjoy it.
Companies doing business on the Internet typically have privacy policies explaining how the company will collect and use consumers' personal information. Various state and federal laws require them. Those privacy policies often contain language to the effect that the company will not give the information to any third party without the consumers' consent.
The FTC views violations of privacy policies as deceptive trade practices, which are prohibited by the FTC Act. The FTC frequently brings enforcement actions against companies for such violations.
In May 2014, the FTC sent a letter to the judge overseeing the bankruptcy of ConnectEDU, Inc., stating that the proposed sale of the company's assets would violate the ConnectEDU privacy policy because consumer information would be sold without the consumers' consent.
ConnectEDU is an educational technology company that helps students prepare for college and connect with career opportunities. Students create profiles on the ConnectEDU website that contain personal information.
The ConnectEDU privacy policy states that:
[T]he personally identifiable data you submit to ConnectEDU is not made available or distributed to third parties, except with your express consent and at your direction. In particular, the Company will not give, sell, or provide access to your personal information to any company, individual, or organization for its use in marketing or commercial solicitation or for any other purpose, except as is necessary for the operation of this site.
The policy allows information to be disclosed when the company or its assets are sold, but consumers must be given notice and an opportunity to remove their information.
The FTC states that their concerns would be diminished if ConnectEDU notified individuals that their information was being sold and gave them the opportunity to have the information removed. The FTC would also be satisfied if the information was simply destroyed. (The FTC identified a third option that would apply only in the bankruptcy context.)
The FTC's letter is a warning to all companies being sold that they will face a potential enforcement action if consumer information is transferred to a buyer in violation of the company's privacy policy.
The FTC isn't the only thing companies need to worry about, though. It isn't hard to imagine that individuals and their lawyers will bring class action suits for alleged misrepresentations in privacy policies. Such actions are being brought against companies right now.
And it isn't just companies that need to be concerned. Their directors and officers need to worry, too. M&A-related litigation against directors and officers is depressingly common. If directors and officers cause their company to be sold in violation of its privacy policy, that violation could figure prominently in breach of fiduciary duty allegations in a shareholder lawsuit.
So what should companies do?
* Companies should examine their privacy policies to determine whether the policies would permit personal data to be transferred if the company or its assets are sold. If transferring the data would violate the privacy policy, then a company may wish to work with their privacy counsel to alter the policy to allow a transfer.
* Purchasers of companies or their consumer data should assure that the selling companies represent and warrant that they are in compliance with their data privacy policy, and that they are authorized to transfer the consumer data to the buyer.
If a company faces a claim from the FTC or private plaintiffs, it should have the consolation of its insurers' support. Such a claim should be covered under most good cyber policies. Companies should consider whether their existing policy limits and any applicable sublimits are adequate, however. Buying and selling companies should also consider representations and warranties insurance policies to cover any resulting losses.
D&O policies should cover any shareholder claims for breach of fiduciary duty by a company's directors and officers.
The FTC has proved to be a very active enforcer of privacy rights. If the FTC and private plaintiffs are focused on an issue, companies do well to pay attention: An ounce of prevention now in the form of a well-crafted privacy policy and an equally well-crafted insurance program may save companies a very expensive pound of cure later.
William Boeck is a Senior Vice President and Insurance and Claims Counsel with Lockton Financial Services. He is located in Lockton's Kansas City office. Before joining Lockton in 2006, Boeck spent over 19 years handling claims for insurers and representing insurers in private legal practice in connection with complex claims under directors and officers liability, errors and omissions liability, employment practices liability, fiduciary, crime and fidelity, and other policies.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.