The Bankruptcy Protector recently discussed notable non-bankruptcy provisions that must be consulted to ensure compliance with privacy issues. In this post, we discuss notable Bankruptcy Code provisions and Bankruptcy Rules on these issues.
Section 101(41) of the Bankruptcy Code—Personally Identifiable Information
In 2005, Congress enacted the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 and, in so doing, added a definition for personally identifiable information, which for an individual obtaining products or services for personal, family, or household use, includes:
- The first and last name of an individual;
- Email address;
- Social security number; and
- Credit card number
Section 107(c) of the Bankruptcy Code
Section 107(c) provides that the bankruptcy court may, for cause, protect an individual from the disclosure of certain information to the extent the court finds that the disclosure would create an undue risk of identity theft or other unlawful injury to the individual or the individual's property. The types of information potentially protected under subsection (c) includes “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual. . . .”
Bankruptcy Rule 9037
Bankruptcy Rule 9037 addresses an individual's privacy protections for filings made with the court. Subject to certain exceptions, the rule requires that any filing that contains certain sensitive information include only the following portions of such information:
- The last four digits of the social security number and taxpayer identification number;
- The year of the individual's birth;
- The minor's initials; and
- The last four digits of the financial account number.
Bankruptcy Rule 9037 allows the court (1) to order a document be filed under seal (subsection (c)) and/or with redactions (subsection (d)(1)), and (2) to limit or prohibit nonparty's remote access to a document filed with the court (subsection (d)(2)).
Selling Personally Identifiable Information in Bankruptcy: Sections 363, 332, and Rule 6004
Section 332 provides for the U.S. Trustee to appoint a consumer privacy ombudsman (also referred to as a CPO) upon a court order if required under the amended Section 363(b). Bankruptcy Rule 6004(g)(1) requires the party moving to sell personally identifiable information request an order directing the U.S. Trustee to appoint a consumer privacy ombudsman. The U.S. Trustee is required to file a notice of the appointment of a consumer privacy ombudsman at least seven days before the sale hearing if the court orders the appointment of a consumer privacy ombudsman. Fed. R. Bankr. P. 6004(g)(2).
The consumer privacy ombudsman is authorized to appear at the Section 363(b) sale hearing and provide information to assist the court with its consideration of the privacy issues contained in the amended Section 363(b). Section 332 further states that the consumer privacy ombudsman may provide the court with the following information:
- The potential losses or gains of privacy to consumers if such sale or such lease is approved by the court
- The potential costs or benefits to consumers if such sale or such lease is approved by the court
- The potential alternatives that would mitigate potential privacy losses or potential costs to consumers
11 U.S.C. § 332(b). The consumer privacy ombudsman is also prohibited from disclosing personally identifiable information.
Although there are few decisions discussing these consumer privacy protections, counsel should be aware of these requirements and be prepared to address these issues in connection with a Section 363 sale motion.
In some cases, the court or objecting party will want to impose additional conditions to the sale of personally identifiable information. Below is a list of conditions for the sale of personally identifiable information (that have been adopted in some cases):
- Buyer agrees to employ appropriate information security controls to protect the personally identifiable customer information. See, e.g., Movie Gallery, 2010 Bankr. LEXIS 5823, at *4–5 (buyer agrees to “employ appropriate information security controls and procedures (technical, operational, and managerial) to protect such information”).
- The buyer agrees to abide by all applicable federal, state, and international laws. See, e.g., Movie Gallery, 2010 Bankr. LEXIS 5823, at *4–5 (buyer agrees to “abide by all applicable laws and regulations”).