The Bankruptcy Protector recently discussed notable non-bankruptcy provisions that must be consulted to ensure compliance with privacy issues. In this post, we discuss notable Bankruptcy Code provisions and Bankruptcy Rules on these issues.

Section 101(41) of the Bankruptcy Code—Personally Identifiable Information

In 2005, Congress enacted the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 and, in so doing, added a definition for personally identifiable information, which for an individual obtaining products or services for personal, family, or household use, includes:

  • The first and last name of an individual;
  • Address;
  • Email address;
  • Social security number; and
  • Credit card number

Section 107(c) of the Bankruptcy Code

Section 107(c) provides that the bankruptcy court may, for cause, protect an individual from the disclosure of certain information to the extent the court finds that the disclosure would create an undue risk of identity theft or other unlawful injury to the individual or the individual's property. The types of information potentially protected under subsection (c) includes “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual. . . .”

Bankruptcy Rule 9037

Bankruptcy Rule 9037 addresses an individual's privacy protections for filings made with the court. Subject to certain exceptions, the rule requires that any filing that contains certain sensitive information include only the following portions of such information:

  • The last four digits of the social security number and taxpayer identification number;
  • The year of the individual's birth;
  • The minor's initials; and
  • The last four digits of the financial account number.

Bankruptcy Rule 9037 allows the court (1) to order a document be filed under seal (subsection (c)) and/or with redactions (subsection (d)(1)), and (2) to limit or prohibit nonparty's remote access to a document filed with the court (subsection (d)(2)).

Selling Personally Identifiable Information in Bankruptcy: Sections 363, 332, and Rule 6004

Section 363(b) provides that a debtor that has a privacy policy that prohibits the transfer of personally identifiable information may not sell or lease such information unless (1) the sale or lease is consistent with the policy or (2) after appointment of a consumer privacy ombudsman, the court finds, after giving due consideration to the facts, circumstances, and conditions, that the sale or lease would not violate applicable nonbankruptcy law. 11 U.S.C. § 363(b)(1). These restrictions only apply if (1) the debtor disclosed the privacy policy to persons not affiliated with the debtor and (2) the policy was in effect on the date of the bankruptcy filing.

Section 332 provides for the U.S. Trustee to appoint a consumer privacy ombudsman (also referred to as a CPO) upon a court order if required under the amended Section 363(b). Bankruptcy Rule 6004(g)(1) requires the party moving to sell personally identifiable information request an order directing the U.S. Trustee to appoint a consumer privacy ombudsman. The U.S. Trustee is required to file a notice of the appointment of a consumer privacy ombudsman at least seven days before the sale hearing if the court orders the appointment of a consumer privacy ombudsman. Fed. R. Bankr. P. 6004(g)(2).

The consumer privacy ombudsman is authorized to appear at the Section 363(b) sale hearing and provide information to assist the court with its consideration of the privacy issues contained in the amended Section 363(b). Section 332 further states that the consumer privacy ombudsman may provide the court with the following information:

  • The debtor's privacy policy
  • The potential losses or gains of privacy to consumers if such sale or such lease is approved by the court
  • The potential costs or benefits to consumers if such sale or such lease is approved by the court
  • The potential alternatives that would mitigate potential privacy losses or potential costs to consumers

11 U.S.C. § 332(b). The consumer privacy ombudsman is also prohibited from disclosing personally identifiable information.

Although there are few decisions discussing these consumer privacy protections, counsel should be aware of these requirements and be prepared to address these issues in connection with a Section 363 sale motion.

A debtor has several options when attempting to sell personally identifiable information. If the debtor (and purchaser) do not intend to comply with the debtor's privacy policy, the debtor must generally seek the appointment of a CPO (as required under Section 363(b)) and work with the CPO.

In some cases, the court or objecting party will want to impose additional conditions to the sale of personally identifiable information. Below is a list of conditions for the sale of personally identifiable information (that have been adopted in some cases):

  • Buyer agrees to be bound by the terms of the debtor's privacy policy (and agrees to use the information for the same purpose) and to provide notice to customers. See, e.g., In re Movie Gallery, Inc., 2010 Bankr. LEXIS 5823, at *4–5 (Bankr. E.D. Va. Nov. 17, 2010) (buyer agrees to use personally identifiable information “in compliance with the terms of Sellers' privacy policies with respect to its customers”); In re Borders Grp., Inc., 2011 Bankr. LEXIS 4606, at *68–69 (Bankr. S.D.N.Y. Sep. 27, 2011) (buyer agrees to adopt a policy “substantially similar in all material respects to those included in the [seller's] written privacy policies”).
  • Buyer agrees to provide the consumers with an opt-out or opt-in right with respect to material changes to the privacy policy or before using personal data for different purposes. See, e.g., Borders, 2011 Bankr. LEXIS 4606, at *68–69 (buyer agrees “to notify the Persons whose personally identifiable information is included in the Assets by mail or email and afford such persons the opportunity to opt-out of the changes to the privacy policy or the new uses of their information”).
  • Buyer agrees to employ appropriate information security controls to protect the personally identifiable customer information. See, e.g., Movie Gallery, 2010 Bankr. LEXIS 5823, at *4–5 (buyer agrees to “employ appropriate information security controls and procedures (technical, operational, and managerial) to protect such information”).
  • The buyer agrees to abide by all applicable federal, state, and international laws. See, e.g., Movie Gallery, 2010 Bankr. LEXIS 5823, at *4–5 (buyer agrees to “abide by all applicable laws and regulations”).