Privacy and Bankruptcy Law Part I Technology Explosion Creates Personal Privacy Tensions

In the nearly 30 years since the passage of the Bankruptcy Code, the global economy has witnessed revolutionary changes—many simply beyond the ability of the original drafters to imagine, much less plan for. Perhaps the greatest of these changes is the explosive growth of computer usage and the Internet to conduct everyday business, and with it, the pervasive reliance by business and government on personally identifying information.

Personal information is now a valuable commodity, with readily available market prices—a consumer's address can be purchased for 50 cents, an unpublished number for $17.50, a Social Security number for a mere $8, and so on. Concerns of consumers—and hence politicians—about the availability of this personal and private data have likewise grown. With data breaches having put an estimated 98 million consumers at risk of identity theft, numerous data privacy laws have been, or are about to be, passed.

These burgeoning privacy concerns and laws are starting to seep into the world of bankruptcy, most openly with the passage of the new consumer privacy ombudsman provisions of the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (BAPCPA), but also by the growing pervasiveness of federal and state laws governing consumer and employee privacy. Increasingly, bankruptcy practitioners will have to consider and plan for these new legal requirements when advising troubled companies.

This is the first of three articles aimed at providing bankruptcy practitioners an overview of potential privacy issues that may impact their clients or practices. Part I—this article—reviews privacy law origins, key privacy players and some of the more notorious state and federal laws. Part II will review applicable Code provisions relating to privacy issues, including the privacy policy provisions of §363. Finally, Part III will review new provisions and administrative orders that affect consumer filings.

Privacy Overview

Privacy consists of the diverse ways by which people, personal information, certain personal property and personal decision-making can be less accessible to others. Although there are different types of privacy, informational privacy—the type at issue in cases about medical records, employer access to e-mail, online anonymity, data encryption, etc.—is the subject of this series. Concerns about informational privacy are often connected with the terms "secrecy," "confidentiality," "anonymity," "security," "data protection" and "fair information practices." See Allen-Castellitto, Anita L., "Origins and Growth of U.S. Privacy Law," Third Annual Institute on Privacy Law (2002).

Bankruptcy practitioners may encounter privacy laws both in and out of bankruptcy proceedings. Outside of bankruptcy, for example, in a restructuring or workout, state and federal privacy laws may impact the sale of assets—by foreclosure or otherwise—owned by a troubled company. Or, for that matter, a company's obtaining personal identification data (PID) in violation of state and federal laws may be the cause of its financial troubles, such as when a governmental agency obtains an injunction against the use of PID obtained or stored unlawfully.

These same possibilities may impact a business in a bankruptcy proceeding, chapter 7 or 11. Generally, a trustee or debtor-in-possession (DIP) must operate a business in accordance with "the law." See 28 U.S.C. §959 ("A trustee...shall manage and operate the property in his possession as such trustee...according to the requirements of the valid laws of the state in which the property is situated"). Similarly, a number of Code provisions forbid actions contrary to the law, such as in §§363(d)(1) and 1129(a)(16), to cite a few examples.

Key Players in the Privacy Field

Privacy concerns have given birth to numerous organizations dedicated to the protection of consumer privacy, especially as impacted by the Internet. But for bankruptcy practitioners, the enforcer of privacy laws will most likely be either the Federal Trade Commission (FTC) or a state attorney general. Under §5 of the Federal Trade Commission Act (FTC Act), the FTC is empowered, among other things, to (a) prevent unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce; (b) seek monetary redress and other relief for conduct injurious to consumers; (c) prescribe trade regulation rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices; and (d) conduct investigations relating to the organization, business, practices and management of entities engaged in commerce.

The FTC has used this broad authority to inject itself in a number of privacy disputes. In fact, it was the FTC's involvement in In re Toysmart that precipitated the Privacy Policy Enforcement provisions added to the Bankruptcy Code in 2001, to be discussed in Part II of this series. To cite but a few additional examples, the FTC has also brought enforcement actions against Geocities for providing consumers with misleading information about how PID was collected and how it was used, and another against Guess? Inc. for representing on its Web site that credit card and other information it obtained from consumers was secure, when it was in fact extremely vulnerable to hackers. State attorneys general have often "piggy-backed" on FTC actions because most states have enacted consumer protection laws that contain a §5 variant.

In any event, because the FTC and state attorneys general have limited resources, they often pick a handful of targets and use them to "make an example." As to those targets, the FTC can obtain both injunctive relief and damages. Such actions can be crippling to a business and, to the extent they are to enjoin illegal conduct and to obtain restitution for that conduct, fall squarely within the police powers exception of §362(b)(4). See In re Dolen, 265 B.R. 471, 481 (Bankr. M.D. Fla. 2001).

Federal Privacy Laws

Aside from the FTC Act, there are many other federal laws and regulations that may impact a business. These laws govern the privacy and confidentiality of various types of records and also prescribe and regulate the means for lawful government and other third party access to that information.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA), Pub. L. No. 104-191, 110 Stat. 136 (1996), is a law that impacts Americans on a daily basis. HIPAA privacy provisions require that individuals be able to access their medical records and request correction of errors, be informed of how their personal information will be used, and that their protected health information (PHI) not be used for marketing purposes without their explicit consent. Individuals can also ask covered entities that maintain PHI about them to take reasonable steps to ensure that their communications are confidential, such as asking to be called at work rather than at home. Entities subject to HIPAA must document their privacy procedures, designate a privacy officer and train their employees. On the other hand, entities may use an individual's information without the individual's consent for the purposes of providing treatment, obtaining payment for services and performing the non-treatment operational tasks of the provider's business. Violators may be subject to stiff penalties, including fines of up to $50,000 and imprisonment of not more than one year.

Children's Online Privacy Protection Act (15 U.S.C. §§6501-6506 (1988))

Among the more prominent Internet-inspired privacy laws is the Children's Online Privacy Protection Act (COPPA). Administered by the FTC, COPPA seeks to protect children's privacy by giving parents the tools to control what information is collected from their children online. Under its implementing regulations, operators of commercial Web sites and online services directed to or knowingly collecting personal information from children under 13 must follow strict procedures designed to obtain full parental consent and safeguard children. In order to encourage active industry self-regulation, COPPA also includes a "safe harbor" provision allowing industry groups and others to request FTC approval of self-regulatory guidelines to govern participating Web sites' compliance with the regulations. The FTC zealously enforces COPPA.

CAN-SPAM (15 U.S.C. §§7701-7713 (2003))

The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial e-mail, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask e-mailers to stop spamming them.

The FTC is authorized to enforce the CAN-SPAM Act, and the Act also gives the Department of Justice (DOJ) the authority to enforce its criminal sanctions. Other federal and state agencies can enforce the law against organizations under their jurisdiction, and companies that provide Internet access may sue violators, as well.

Cable TV Privacy Act (47 U.S.C. §551 (1984))

The Cable TV Privacy Act (CTVPA) protects consumers from unauthorized collection and disclosure of personal information by cable operators. CTVPA requires notice to consumers of the "nature and use" of information collected as well as the "nature and use" of any disclosure of personal information. CTVPA also requires prior written or electronic consent before a cable operator may collect personally identifiable information, generally prohibits disclosure of personally identifiable information and requires a cable operator to take steps to prevent unauthorized access to personally identifiable information collected.

Counterfeit Access Device and Computer Fraud Abuse Act (18 U.S.C. §1030 (1984))

The Counterfeit Access Device and Computer Fraud Abuse Act (CFAA) was the first comprehensive federal legislation to address the growing government and private sector concerns about the growth of computer fraud and crime. In its present form, the CFAA essentially makes "hacking" or trafficking in stolen passwords a punishable felony.

Electronic Communications Privacy Act (18 U.S.C. §§2510-21, 2701-11 (1986))

The Electronic Communications Privacy Act (ECPA) protects individuals from interception and monitoring of their electronic communications, and imposes liability on any individual who "intentionally intercepts, endeavors to intercept or procures any person to intercept or endeavor to intercept, any wire, oral or electronic communication." Because e-mail, telephone conversations and data stored electronically are covered by this definition, monitoring of such communications is generally prohibited. The ECPA does, however, provide several exceptions that allow interception and disclosure of communications that might extend specifically to organizations using e-mail or doing business on the Internet.

Gramm-Leach-Bliley Financial Services Modernization Act (15 U.S.C. §§6801-6809 (1999))

Title V, subtitle A, of the Gramm-Leach-Bliley Act requires the FTC, along with the federal banking agencies, the National Credit Union Administration, the Treasury Department and the Securities and Exchange Commission, to issue regulations (promulgated during 2000) to ensure that financial institutions protect the privacy of consumers' personal financial information. Those institutions must develop and give notice of their privacy policies to their own customers at least annually, and before disclosing any consumer's personal financial information to a nonaffiliated third party, must give notice and an opportunity for that consumer to "opt out" from such disclosure. The Act also limits the sharing of account number information for marketing purposes.

USA Patriot Act

The USA Patriot Act, Pub. L. No. 107-56, 115 Stat. 272 (2006), expands law enforcement powers in ways directly affecting U.S. businesses; in particular, service providers, such as phone companies, Internet service providers (ISPs) and cable companies, could be served with greater numbers of court orders to obtain "private" consumer information. Under the Patriot Act, service providers could be required to provide law enforcement their subscribers' Web browsing information, e-mail correspondence, Internet access history and payment method. Any business could be ordered to produce "any tangible thing," including business records containing confidential information.

Right to Financial Privacy Act (12 U.S.C. §340, et seq. (1978))

The RFPA was enacted following the Supreme Court's ruling in United States v. Miller, 425 U.S. 435 (1976), where the Court held that a bank depositor had no reasonable expectation of privacy in the contents of checks and deposit slips held by the financial institution largely because the institution, not the customer, had physical possession of the records. The RFPA sought to "protect the customers of financial institutions from unwarranted intrusion into their [financial] records while at the same time permitting legitimate law enforcement activity." The statute balances a customer's right of privacy and the needs of law enforcement agencies to obtain financial records as part of investigations. The RFPA, however, only governs government access to consumer financial records.

The Telecommunications Act (47 U.S.C. §222 (1996))

The Telecommunications Act governs privacy of customer information obtained by telecommunications carriers. The Telecommunications Act creates a duty to protect the confidentiality of proprietary information obtained from telecommunications carriers and consumers. Information obtained from another carrier shall not be used for marketing purposes. Generally, information may be disclosed only on consent or as required by law if it is "individually identifiable customer proprietary network information."

State Privacy Laws

Privacy protection at the state level is a rapidly changing environment, and privacy laws and regulations vary greatly from jurisdiction to jurisdiction. The Electronic Privacy Information Center offers a broad overview of the enacted laws in every state. See Perhaps the most notable entrant into this arena is California, which has led the way in passing privacy laws. Because it has one of the largest economies in the world, California's privacy laws have national, if not global, impact.

In 2003, for example, it enacted the California Online Privacy Protection Act (BUS & P C §§22575-22579 (2003)). This Act requires an operator of a commercial Web site or online service that collects "personally identifiable information" from customers who are California residents to post its privacy policy on its Web site or online service and to comply with that policy. Covered information includes individually identifiable information about a consumer that is collected online and includes the consumer's name, address, e-mail address, telephone number and Social Security number, as well as other identifiers that permit the consumer to be contacted physically or online, as well as any other information collected and maintained in combination with those specific identifiers.

The law requires that an operator's home page, or the first significant page after entering its Web site, contain an icon directly linking to its privacy policy, set forth in such a way that a reasonable person would notice the link. In turn, the policy must identify the categories of personally identifiable information the operator collects, the third persons or entities with whom the operator may share that information, describe any process the operator maintains for an individual to review and request changes to his or her information, describe how the operator notifies visitors to the Web site of material changes to their privacy policy, and indicate the policy's effective date.

This act was followed by the enactment of California Code §§1798.29 and 1798.82-84, which require a company to give the consumer notice if an unauthorized person has acquired the consumer's name and either Social Security number, driver's license number or financial account number. Although the law applies to companies based in California, as well as to any person or business that conducts business in California, it also applies to any "person or business that conducts business in California and that owns or licenses computerized data that includes personal information." The California Legislature further protected consumer privacy with CC §1798.81.5, enacted Jan. 1, 2005, which imposes a requirement on businesses to implement reasonable procedures to maintain the security of personal information they store or disclose to third parties.


For the turnaround and insolvency industry, privacy laws will no doubt play an even larger role in workouts, distressed mergers and bankruptcies in years ahead. The next article in this series will examine specific privacy provisions in the newly amended Code.

Journal Date: 
Wednesday, November 1, 2006