Privacy, Please!

We're there, and we know it: The union of the Internet and commerce has led to increases in productivity, convenience and access for consumers everywhere. At the same time, it has spawned volumes of acute privacy concern. It's not unusual to hear of businesses inadvertently publicizing consumers' personal data ' or, worse, hackers obtaining personal financial information. It seems to happen all too often at credit-card companies, banks and the local supermarket.

Of course, concerns over these privacy issues have reached the sector of the legal trade that advises and defends the banking industry, and with a vengeance, as evidenced by the various privacy related provisions incorporated in the Bankruptcy Abuse Prevention and Consumer Protection Act (BAPCPA). In particular, the BAPCPA incorporated the Leahy-Hatch Amendment, also known as The Privacy Policy Enforcement in Bankruptcy Act of 2001 (PPEBA), which I had the honor of drafting. In particular, the PPEBA, in order to address certain privacy concerns, amended Bankruptcy Code '363(b)(1) and added pre-conditions to the sale or use of consumer data; added a new '332, creating the 'privacy ombudsman'; and defined 'personally identifiable data' in '101(41A). This article will review the development of these amendments, and analyze their potential impact for practitioners.

Toysmart: The PPEBA's Poster Child

To understand the PPEBA amendments, it's important to understand the context in which they arose. Think back, then, to early 2000 ' just about the time when most folks were beginning to realize that their dotcom stocks were never going to bounce back. It was about that time that dotcoms began turning into dot-bombs, going out of business at an alarming rate.

This bubble-burst coincided with an increasing interest by the federal government ' especially the Federal Trade Commission ' in privacy issues and the Internet. As a matter of fact, it was little more than a year earlier that Congress had enacted the Child Online Privacy Protection Act (COPPA), which sought to curb some of the personal-data abuses aimed at and perpetrated upon the Net's youngest consumers. The timing was ripe, then, for a test case on bankruptcy and privacy. Toysmart.com rose ' or perhaps, fell ' to the occasion.

Toysmart, as the name implies, was an online seller of children's educational toys. Toysmart's privacy policy, as set forth on its Web site, unequivocally provided that the company would never share its customers' data with any third party. But it ran into financial difficulties and was forced into Chapter 11. It then attempted, despite its professed policy, to generate a recovery for creditors by selling one of its potentially most valuable 'assets' ' the personal and financial data voluntarily provided by its customers. The FTC pounced. Notwithstanding the bankruptcy, the FTC filed a complaint in federal district court to enjoin the sale because Toysmart had violated its written privacy policy, which constituted a 'deceptive practice' under Section 5 of the FTC Act. Perhaps worse, the proposed sale would violate the newly enacted COPPA.

Toysmart was forced to relent and, rather than hold an outright auction of this data, it consented to a more complicated sales procedure sought by the FTC that, among other things, would require an opt-in procedure for affected consumers. In the end, even that procedure was scuttled by continuing objections from many state attorneys general, each who sought to stop the sale of this data on consumer protection grounds. In the end, Disney, a Toysmart investor, agreed to purchase the data for $50,000 and then destroy it.

This Toysmart issue ' the ability of insolvent dotcoms to sell consumer data ' continued to rear its ugly head in subsequent dotcom cases, such as Living.com, Craftshop.com and others.

The Birth of the PPEBA

As that old saw about laws and sausages suggests, it's probably best if the exact way the PPEBA came about were left for another day. Suffice it to say, however, that in preparing a draft of PPEBA for sponsorship by Senator Leahy, the FTC's proposed settlement with Toysmart became my model. As a result, here are the law's ' and now the Bankruptcy Code's ' key data privacy provisions.

Defining 'Personally Identifiable Data'

Perhaps it's best to review the amendments by starting with the basics ' the type of information at issue. New '101(41A) defines 'personally identifiable information' as data that allows an individual to be specifically identified ' including name, address, e-mail, telephone number, Social Security Number, any birthdate information, credit-card account information or any other information that, if disclosed, would result in contacting or identifying an individual physically or electronically.

A critical part of the definition, however, is that this 'private' information must have been provided by an individual to the debtor in connection with obtaining a product or a service from the debtor primarily for personal, family or household purposes. Presumably, then, information obtained via other means or for other purposes is wholly unaffected by the PPEBA.

Data Use, Sale Or Lease: 363(b)(1)

Next, amended '363(b)(1) limits the out-of-the-ordinary use, sale or lease of personally identifiable information 'if a debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.' If such a privacy policy is in effect, then the data can be used, sold or leased only if such use, sale or lease is consistent with the established privacy policy.

Alternatively, the section allows the court to appoint a 'privacy ombudsman,' pursuant to new '332. After notice and a hearing with the ombudsman's input, the court may approve the use, sale or lease of the data after:

• Giving due consideration to the facts, circumstances and conditions of such sale; and
• Finding that no showing was made that such sale or such lease would violate non-applicable bankruptcy law.

Note the preconditions to this section's application:

• The sale or lease must be outside the ordinary course;
• The information must have been obtained in connection with the offering of a product or service;
• The policy must prohibit the transfer of the information to third parties; and
• The policy must be in effect on the filing date.

These preconditions will limit this section's applicability; indeed, merely discontinuing the policy before the filing could be enough to avoid the statute.

Also, these consumer-data provisions are contained in '363, and not in '1123. Transferring this type of asset pursuant to a plan, then, would appear to be another means of circumventing these restrictions.

Finally, as a more practical matter, this restriction hinges on the terms of the debtor's privacy policy. As evidenced by Toysmart, these policies may be quite restrictive. But, because of the impact of Toysmart and other cases, many privacy policies incorporate provisions that allow for sales or liquidation in the insolvency context. In fact, clients should be counseled to modify their privacy policies to permit such use, whenever possible.

The Consumer Privacy Ombudsman

If a hearing is required under '363(b)(1), then the Bankruptcy Court must order the United States Trustee to appoint a 'consumer privacy ombudsman.' Other than this so-designated person being a 'disinterested person' and not the trustee, the section contains no restrictions on who may serve as ombudsman. Given this flexibility, in the right cases, an appropriate FTC representative or an attorney general, or other government official, could serve in that role. The appointed ombudsman apparently may retain other professionals and all are eligible for compensation under '330(a)(1)(A).

Once retained, the ombudsman's role is certainly skewed toward protecting consumer privacy, but overall is limited to informing the court about certain issues. In order to assist the court in its consideration of the facts, circumstances and conditions of the proposed sale or lease of personally identifiable data, the ombudsman may inform the court of:

• The debtor's privacy policy;
• The potential losses or gains of privacy to consumers if such sale or such lease is approved by the court;
• The potential cost or benefits to consumers if the transaction is approved; and
• Any alternatives that would mitigate potential privacy losses or potential costs to consumers.

The ombudsman's role is not an entirely enviable one, either. The statute requires that he or she be appointed no less than 5 days before the scheduled '363(b)(1) hearing, but that hardly seems like enough time to gather the necessary information, or to prepare an adequate report. In a litigious environment, one suspects that the court's order of appointment will have to incorporate some mechanism to compel the debtor and buyer's cooperation.

Conclusion

The enacted PPEBA provisions are hardly a comprehensive response to the problem of protecting privacy in distressed, and distressing, situations. Indeed, these provisions are really directed at protecting consumers who provided information while relying on a business' expressed privacy policy.

But given the growing concern for preserving privacy and the attention that this area of law is attracting, it is simply inevitable that bankruptcy and privacy will continue to intersect. Even where the PPEBA provisions don't apply, practitioners can still expect the FTC or state attorneys general to inject themselves into cases to protect privacy, where circumstances warrant. The Information Age has propelled privacy concerns to the forefront, and the PPEBA enactment is certainly but a sign of things to come.

We're there, and we know it: The union of the Internet and commerce has led to increases in productivity, convenience and access for consumers everywhere. At the same time, it has spawned volumes of acute privacy concern. It's not unusual to hear of businesses inadvertently publicizing consumers' personal data ' or, worse, hackers obtaining personal financial information. It seems to happen all too often at credit-card companies, banks and the local supermarket.

Of course, concerns over these privacy issues have reached the sector of the legal trade that advises and defends the banking industry, and with a vengeance, as evidenced by the various privacy related provisions incorporated in the Bankruptcy Abuse Prevention and Consumer Protection Act (BAPCPA). In particular, the BAPCPA incorporated the Leahy-Hatch Amendment, also known as The Privacy Policy Enforcement in Bankruptcy Act of 2001 (PPEBA), which I had the honor of drafting. In particular, the PPEBA, in order to address certain privacy concerns, amended Bankruptcy Code '363(b)(1) and added pre-conditions to the sale or use of consumer data; added a new '332, creating the 'privacy ombudsman'; and defined 'personally identifiable data' in '101(41A). This article will review the development of these amendments, and analyze their potential impact for practitioners.

Toysmart: The PPEBA's Poster Child

To understand the PPEBA amendments, it's important to understand the context in which they arose. Think back, then, to early 2000 ' just about the time when most folks were beginning to realize that their dotcom stocks were never going to bounce back. It was about that time that dotcoms began turning into dot-bombs, going out of business at an alarming rate.

This bubble-burst coincided with an increasing interest by the federal government ' especially the Federal Trade Commission ' in privacy issues and the Internet. As a matter of fact, it was little more than a year earlier that Congress had enacted the Child Online Privacy Protection Act (COPPA), which sought to curb some of the personal-data abuses aimed at and perpetrated upon the Net's youngest consumers. The timing was ripe, then, for a test case on bankruptcy and privacy. Toysmart.com rose ' or perhaps, fell ' to the occasion.

Toysmart, as the name implies, was an online seller of children's educational toys. Toysmart's privacy policy, as set forth on its Web site, unequivocally provided that the company would never share its customers' data with any third party. But it ran into financial difficulties and was forced into Chapter 11. It then attempted, despite its professed policy, to generate a recovery for creditors by selling one of its potentially most valuable 'assets' ' the personal and financial data voluntarily provided by its customers. The FTC pounced. Notwithstanding the bankruptcy, the FTC filed a complaint in federal district court to enjoin the sale because Toysmart had violated its written privacy policy, which constituted a 'deceptive practice' under Section 5 of the FTC Act. Perhaps worse, the proposed sale would violate the newly enacted COPPA.

Toysmart was forced to relent and, rather than hold an outright auction of this data, it consented to a more complicated sales procedure sought by the FTC that, among other things, would require an opt-in procedure for affected consumers. In the end, even that procedure was scuttled by continuing objections from many state attorneys general, each who sought to stop the sale of this data on consumer protection grounds. In the end, Disney, a Toysmart investor, agreed to purchase the data for $50,000 and then destroy it.

This Toysmart issue ' the ability of insolvent dotcoms to sell consumer data ' continued to rear its ugly head in subsequent dotcom cases, such as Living.com, Craftshop.com and others.

The Birth of the PPEBA

As that old saw about laws and sausages suggests, it's probably best if the exact way the PPEBA came about were left for another day. Suffice it to say, however, that in preparing a draft of PPEBA for sponsorship by Senator Leahy, the FTC's proposed settlement with Toysmart became my model. As a result, here are the law's ' and now the Bankruptcy Code's ' key data privacy provisions.

Defining 'Personally Identifiable Data'

Perhaps it's best to review the amendments by starting with the basics ' the type of information at issue. New '101(41A) defines 'personally identifiable information' as data that allows an individual to be specifically identified ' including name, address, e-mail, telephone number, Social Security Number, any birthdate information, credit-card account information or any other information that, if disclosed, would result in contacting or identifying an individual physically or electronically.

A critical part of the definition, however, is that this 'private' information must have been provided by an individual to the debtor in connection with obtaining a product or a service from the debtor primarily for personal, family or household purposes. Presumably, then, information obtained via other means or for other purposes is wholly unaffected by the PPEBA.

Data Use, Sale Or Lease: 363(b)(1)

Next, amended '363(b)(1) limits the out-of-the-ordinary use, sale or lease of personally identifiable information 'if a debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.' If such a privacy policy is in effect, then the data can be used, sold or leased only if such use, sale or lease is consistent with the established privacy policy.

Alternatively, the section allows the court to appoint a 'privacy ombudsman,' pursuant to new '332. After notice and a hearing with the ombudsman's input, the court may approve the use, sale or lease of the data after:

• Giving due consideration to the facts, circumstances and conditions of such sale; and
• Finding that no showing was made that such sale or such lease would violate non-applicable bankruptcy law.

Note the preconditions to this section's application:

• The sale or lease must be outside the ordinary course;
• The information must have been obtained in connection with the offering of a product or service;
• The policy must prohibit the transfer of the information to third parties; and
• The policy must be in effect on the filing date.

These preconditions will limit this section's applicability; indeed, merely discontinuing the policy before the filing could be enough to avoid the statute.

Also, these consumer-data provisions are contained in '363, and not in '1123. Transferring this type of asset pursuant to a plan, then, would appear to be another means of circumventing these restrictions.

Finally, as a more practical matter, this restriction hinges on the terms of the debtor's privacy policy. As evidenced by Toysmart, these policies may be quite restrictive. But, because of the impact of Toysmart and other cases, many privacy policies incorporate provisions that allow for sales or liquidation in the insolvency context. In fact, clients should be counseled to modify their privacy policies to permit such use, whenever possible.

The Consumer Privacy Ombudsman

If a hearing is required under '363(b)(1), then the Bankruptcy Court must order the United States Trustee to appoint a 'consumer privacy ombudsman.' Other than this so-designated person being a 'disinterested person' and not the trustee, the section contains no restrictions on who may serve as ombudsman. Given this flexibility, in the right cases, an appropriate FTC representative or an attorney general, or other government official, could serve in that role. The appointed ombudsman apparently may retain other professionals and all are eligible for compensation under '330(a)(1)(A).

Once retained, the ombudsman's role is certainly skewed toward protecting consumer privacy, but overall is limited to informing the court about certain issues. In order to assist the court in its consideration of the facts, circumstances and conditions of the proposed sale or lease of personally identifiable data, the ombudsman may inform the court of:

• The debtor's privacy policy;
• The potential losses or gains of privacy to consumers if such sale or such lease is approved by the court;
• The potential cost or benefits to consumers if the transaction is approved; and
• Any alternatives that would mitigate potential privacy losses or potential costs to consumers.

The ombudsman's role is not an entirely enviable one, either. The statute requires that he or she be appointed no less than 5 days before the scheduled '363(b)(1) hearing, but that hardly seems like enough time to gather the necessary information, or to prepare an adequate report. In a litigious environment, one suspects that the court's order of appointment will have to incorporate some mechanism to compel the debtor and buyer's cooperation.

Conclusion

The enacted PPEBA provisions are hardly a comprehensive response to the problem of protecting privacy in distressed, and distressing, situations. Indeed, these provisions are really directed at protecting consumers who provided information while relying on a business' expressed privacy policy.

But given the growing concern for preserving privacy and the attention that this area of law is attracting, it is simply inevitable that bankruptcy and privacy will continue to intersect. Even where the PPEBA provisions don't apply, practitioners can still expect the FTC or state attorneys general to inject themselves into cases to protect privacy, where circumstances warrant. The Information Age has propelled privacy concerns to the forefront, and the PPEBA enactment is certainly but a sign of things to come.