Part One of this series identified federal and state privacy laws that might affect troubled companies. Part Two reviews the specific Code provisions that affect business debtors and privacy: (a) the newly enacted Privacy Policy Enforcement in Bankruptcy Act Provisions (PPEBA) (§§363(b)(1) and 332), (b) the new health care record provisions (§§351 and 333) and (c) the new Creditor Committee disclosure provisions (§1102(b)(3)).

The Privacy Policy Enforcement in Bankruptcy Act (PPEBA) (§§363(b)(1) and 332)

In 2001, the Leahy-Hatch Amendment, also known as the PPEBA, was added to the pending BAPCPA amendments. These amendments, which I drafted, represent several "firsts"—the first national law that directly addresses enforcement of privacy policies, and the first law to create an ombudsman to "enforce" a privacy policy law. More specifically, the PPEBA defined protected "personally identifiable data" in §101(41A), added restrictions to the sale of private consumer data under §363(B)(1) and created a consumer privacy ombudsman to aid courts in enforcing the new restrictions.

Consumers and Privacy Policies

As the Internet grew in the late '90s, Web sites, especially e-commerce concerns, routinely asked for personal information from surfing visitors. Reflecting an understandable naiveté, many Internet users initially provided private, personal information. But as the Internet expanded, consumers grew more concerned about the potential use and misuse of their critical financial information.

This lack of consumer confidence threatened to seriously hinder the growth of e-commerce. Online privacy policies starting springing up at about the same time in response to consumer concerns that their information could be misused. Privacy policies are essentially terms that generally inform site users about whether or how their personal information is used or shared both within the company itself and with third parties, including related companies. In fact, several organizations arose at the same time to give their "seal of approval" to a site's privacy policies.

The Crash of Two Forces

As dot-coms became dot-bombs, the Federal Trade Commission's (FTC's) interest in online privacy grew. Relying upon its general powers to protect consumers from unfair or deceptive business practices, as well as on the strong child-privacy protections of the Children's Online Privacy Protection Act (COPPA), the FTC was seeking an opportunity to flex its online muscle.

At the same time, investors and creditors were scrambling to salvage investments in dot-coms, often by seeking to monetize and liquidate any available asset. It became quickly apparent that consumer information was at the heart of many online businesses' value.

Toysmart.com had the misfortune of standing at the crossroads when maximizing asset value and maximizing privacy collided. Toysmart's business model was simple—to sell educational toys online. But like so many Internet companies, its model failed and it was forced to seek protection from its creditors. As part of its liquidation plan, Toysmart sought to sell all of its assets, but especially the personally identifying information of consumers, including information relating to many children. But this directly contravened its express privacy policy, which had promised consumers that it would never sell information to any third party.

The FTC viewed the bankruptcy sale effort as a deceptive business practice—transferring private data despite the express promise not to do so—and as a violation of COPPA. Relying on the police powers exception to the automatic stay, the FTC sued Toysmart in Federal District Court to enjoin any sale. Thirty-five states' attorneys filed similar suits in their home states.

Under this intense pressure, Toysmart ultimately abandoned its sale and instead proposed a complicated sales and opt-in process acceptable to the FTC. But even that procedure was not enough to quell the controversy or pacify the various states' attorneys general. In the end, Toysmart withdrew the sale altogether, and one of its equity owners, Disney, paid $50,000 for the data and destroyed it.

The Toysmart case prompted many sites to carefully modify their privacy policies to allow the transfer of this type of asset. Nonetheless, the FTC found many additional targets—Living.com and Craftshop.com, to name a few—to enforce privacy policies. And states' attorneys general pursued a similar action against eToys.com.

PPEBA Addresses Narrow Privacy Policy Issue

PPEBA sought to address the inherent conflict between maintaining consumer privacy and maximizing assets by barring those sales, or allowing them only after careful examination by an independent party. In many respects, PPEBA incorporates components of the FTC's settlement with Toysmart.

What Information Is Protected?

Defining the information that needs protecting can be an exercise in futility—the more specific the definition, the more potentially identifying data slips out. Nonetheless, §101(41A) defines "Personally Identifiable Information" as any data that allows an individual to be specifically identified, such as name, address, e-mail, telephone number, social security number, any birth date information, credit card account information or any other information which, if disclosed, would result in contacting or identifying an individual physically or electronically. Under this definition, then, even Web searches, such as those recently released by AOL, could be covered and considered personally identifiable information. But the data must have been provided in connection with obtaining a product or a service from the debtor primarily for personal, family or household purposes. Under this restriction, purchased data, or data obtained by any other means, is simply not covered.

Sale Restrictions in §363(b)(1)

Section 363(b)(1) now limits the use, sale or lease of personally identifiable information "if a debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case." If a non-ordinary-course sale or use is contemplated, then this amended section requires in the first instance that it be consistent with the debtor's privacy policy.

If a nonconsistent sale is nonetheless pursued, however, the court must appoint a "consumer privacy ombudsman" pursuant to §332. The requirement of a privacy-focused ombudsman is truly unique, and a remedy found in virtually no other privacy legislation. The ombudsman's role, however, is less advocate than advisor to the court.

After notice, a hearing and input from the ombudsman, the court may approve the use, sale or lease of the data after (1) giving due consideration to the facts, circumstances and conditions of such sale and (2) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

Given the multiple requirements for §363(b)(1) to apply to a non-ordinary-course sale or lease, or the data gained in connection with the offering of a product or service, a restrictive privacy policy must be in effect on the filing date, only time will tell whether it will deliver the expected protections.

It is also worth noting that these restrictions are contained solely in §363. Thus, the sale or use of personally identifying information pursuant to a plan would appear to remain unfettered.

The Ombudsman Duties

Given its unique role in bankruptcy and privacy law, a few more points about the consumer privacy ombudsman should be added. To start, he or she must be a "disinterested person" other than the trustee. Other than that, anyone can serve in the role, even a representative of the more usual privacy enforcers—the FTC or a state attorney general. There is also no limitation on whether the ombudsman may retain other professionals. And of course, the ombudsman is to be compensated like any other estate professional.

The ombudsman's duties are limited to advising and assisting the court in digesting the considerable facts and applicable privacy laws that may come to play in any §363 sale of consumer data. The section specifically provides that the ombudsman may advise the court on (1) the debtor's privacy policy, (2) the potential losses or gains of privacy to consumers if such sale or such lease is approved by the court, (3) the potential cost or benefits to consumers if the transaction is approved and (4) any potential alternatives that would mitigate potential privacy losses or potential costs to consumers.

Timing will be a critical part of the ombudsman's role, since he or she may be appointed up to five days before the scheduled §363(b)(1) hearing. That leaves a very brief period of time within which to produce any required report.

First Ombudsman Appointed

Happily, the first reported test of these ombudsman provisions appear to have gone without a significant hitch. In July, the U.S. Bankruptcy Court for the District of Arizona appointed the first consumer ombudsman, Donald L. Gaffney of Snell & Wilmer LLP, in In re Engaging and Empowering Citizenship Inc., Case No. 2-05-28175-CGC. Although laboring under significant time constraints, the ombudsman managed to produce a 51-page report that both reviewed applicable privacy law and analyzed the debtor's privacy policy provisions and the impact of the proposed sale.

In order to effectuate a sale and protect consumers' privacy concerns, the ombudsman proposed an opt-out procedure and notice period, allowing affected consumers to avoid the transfer of their data, if they so desired. By and large, the court adopted the ombudsman's recommendations and incorporated the proposed procedure in its order approving the sale.

Thus, although it falls far short of addressing the many privacy concerns raised by the bankruptcy process, PPEBA is a significant leap in privacy protection.

Health Care Provisions¹

Title XI of BAPCPA—Healthcare and Employee Benefits—amends federal bankruptcy law to provide greater protections to patients in health care facilities, including the secure disposal of patient records and the appointment of a patient ombudsman. Historically, a bankrupt health care provider's patients have often been "overlooked" in the bankruptcy process. Most of these changes are thus aimed at enhancing the rights of patients in a bankruptcy case involving their health care provider, while imposing duties on the debtor-in-possession (DIP) or trustee to recognize the rights of patients and providing the patients with standing in the bankruptcy case under certain circumstances.

Disposal of Patient Records

The greatest impact on privacy comes with new Bankruptcy Code §351, governing disposal of medical records when a health care facility is closing. For a patient, these provisions help ensure confidentiality and maintain medical histories for their future use.

Section 351 also helps solve another problem—a trustee's or DIP's inability to maintain or store patient records for the required time periods under federal or state law due to lack of money to pay the storage costs. Under §351, a trustee or DIP must comply with any existing federal or state laws concerning the storage and disposal of patient records, if possible (e.g., if the trustee has sufficient monies to do so). If unable, then the trustee must publish notice informing patients and insurance providers (if appropriate under state law) that (1) they may claim their medical records and (2) if those medical records are not claimed within 365 days after the publication notice (the Publication Notice Period), the records will be destroyed. In addition, during the first 180 days of the Publication Notice Period, the trustee must attempt to notify each patient and each insurance company directly to inform them of their right to claim the medical records and the impending destruction of records. If the medical records are not claimed during the Publication Notice Period, the trustee must send a written request, by certified mail, to any appropriate federal agency seeking permission to deposit the records with such agency.

If the records remain unclaimed after the foregoing procedures have been followed, the trustee may at last destroy the records. The trustee must shred or burn all written materials contained in the records and must ensure that no optical, magnetic or other electronic records can be retrieved. The method of disposal of medical records is intended to protect the confidentiality of the information and recognize the patients' expectation of privacy with respect to their medical information.

Appointment of Ombudsman to Act as Patient Advocate

Another critical provision that will affect privacy issues is the ombudsman-appointment requirement of §333 of the Bankruptcy Code. An ombudsman must be appointed within 30 days after the commencement of a health care bankruptcy case, unless the court finds under the specific facts of the case that the appointment is not necessary for the protection of patients. The ombudsman's chief duty is to monitor the quality of patient care and report to the bankruptcy court every 60 days regarding patient care issues. In the interim, if any serious matters arise and the quality of patient care declines significantly or is otherwise materially compromised, the ombudsman may notify the court, by report or motion, with notice to the appropriate parties. Patient privacy will certainly be an important ombudsman focus, as evidenced by the ombudsman's own statutory obligation to maintain as confidential all information relating to the patients and their medical records.

The ombudsman will thus act as the patient's advocate in the bankruptcy case. If patients' privacy rights are not protected or if patients are not receiving appropriate medical care, it will be the ombudsman's charge to bring it to the court's attention.

Administrative Expense Claim for Costs of Closing a Health Care Business and Other Administrative Expenses

If expenses incurred in closing a health care facility likely will not be reimbursed under the Code, debtors, trustees and creditors will have little incentive to properly close that facility and protect the rights of patients, including the privacy of their records. New Code §503(b)(8) therefore provides that any actual, necessary costs and expenses incurred by a trustee, a federal agency or a department or agency of a state or a political subdivision in closing a health care facility, including any costs and expenses incurred in disposing of patient records pursuant to new §351, shall be allowed as administrative expense claims. Amended §503(b)(8) makes it clear that if costs are incurred in closing the health care facility, the debtor or trustee should pay such costs ahead of all other priority and nonpriority unsecured claims. Thus, once again, by providing this mechanism—where once there was none—these new Code provisions will work to ensure patient privacy rights.

Committee Provisions

BAPCPA also created privacy concerns of a different sort, at least as far as creditors' committees are concerned. More specifically, new §1102(b)(3) imposes a broad duty on creditors' committees to provide "information" to creditors:

(3) A committee appointed under subsection (u) shall—

(A) provide access to information for creditors who—
(i) hold claims of the kind represented by that committee; and
(ii) are not appointed to the committee;
(B) solicit and receive comments from the creditors described in subparagraph
(A); and
(C) be subject to a court order that compels any additional report or disclosure to be made to creditors described in subparagraph (A).

This amendment comes with no explanation—the legislative history sheds no light on congressional intent, either—but it does come with many questions. For example, what disclosure requirements apply to private or confidential information a committee obtains in the course of fulfilling its duties? Or to privileged information or communications between a committee and its counsel?

These dilemmas came to a head quickly in larger, operating chapter 11 cases, whose committees typically obtain confidential information from debtors as part of the performance of their duties, including the negotiation and formulation of a plan. The typical practice in these cases was for each of the committee members to execute a confidentiality agreement with the debtor as a condition to obtaining information. In light of new §1102(b)(3)'s mandate, there was a concern that such agreements might not be enforceable.

In response, the debtors and committees in several cases sought court orders pursuant to §§105(a) and 107(b) that would impose certain confidentiality protocols by court order. In In re Refco, 336 B.R. 187 (Bankr. S.D.N.Y. 2006), for example, the unsecured creditors' committee sought approval of a confidentiality protocol, arguing that new §1102(b)(3)'s requirements were ambiguous and would lead to a conflict with their fiduciary duties or violations of securities laws.

The court ultimately approved and imposed the protocols. It analogized these new provisions to existing §704(7), which compels a trustee to "furnish information concerning the estate and the estate's administration as is requested by a party in interest." The court also noted that trustees can and have sought protective orders to limit the scope of their duty of disclosure, especially where it would result in waiver of the attorney-client privilege or disclosure of propriety and confidential information. Refco, 336 B.R. at 193. In each instance, the trustee must show how the duty to disclose is overridden by a counterbalancing fiduciary duty.

The court, in fact, agreed that the committee met that burden in the context of §1102(b)(3) and authorized the protocol. In its view, the confidentiality protocols were reasonably drafted to meet the committee's fiduciary obligations while still giving creditors ample ability to obtain vital information.

Conclusion

These newly enacted Code provisions begin to address some of the privacy concerns implicated by the very public bankruptcy process. Part three of this series will examine whether the Code has made some peace regarding individual consumer privacy issues.

Footnotes

1 My thanks to my colleague Nancy Peterman, who also drafted the new Code, for her help in preparing this section.