September 10, 2019
Privacy issues implicate several Bankruptcy Code sections and Bankruptcy Rules. The debtor must also comply with non-bankruptcy rules concerning privacy to the extent that such rules are not inconsistent with the Bankruptcy Code. 28 U.S.C. § 959(b).
This blog post provides an overview of notable non-bankruptcy provisions that must be consulted to ensure compliance with privacy issues. In a subsequent blog post, we will address the privacy issues implicated by several Bankruptcy Code sections and Bankruptcy Rules.
Federal and State Laws on Privacy
There are numerous federal, state, and local laws that govern privacy. Trustees and debtors in possession must comply with these laws unless the laws are preempted by the Bankruptcy Code. 28 U.S.C. § 959(b). Below are several important privacy laws that impact companies, along with links to other practice notes for an expanded discussion of such laws.
The Gramm-Leach-Bliley Act (GLBA) is a federal law enacted in 1999 that allows for the combination of different types of financial institutions, such as commercial banks and investment banks (Financial Institution).
Generally, the GLBA requires Financial Institutions to:
See 15 U.S.C. § 6801; 15 U.S.C. § 6802(a)–(b); 15 U.S.C. § 6803. GLBA compliance is mandatory and therefore, a policy must be in place to protect private information from foreseeable security threats.
Counsel representing financial institutions in a bankruptcy case and debtor's counsel should understand the GLBA requirements when working together on providing notices, plan solicitations, and negotiations.
The Federal Trade Commission Act of 1914 (FTC Act), 15 U.S.C. §§ 41–58, established the FTC in order to regulate questionable business practices. Pursuant to the FTC Act, the FTC is empowered to (1) prescribe rules that set forth in particular detail the acts that the FTC considers unfair or deceptive, along with establishing requirements in order to prevent such acts from transpiring in the first instance, (2) fine violators, as well as prescribe other forms of relief (such as issuing cease and desist orders) for conduct considered deleterious to consumers, (3) conduct investigations in order to enforce the FTC Act, and (4) provide recommendations and reports to Congress in connection with its findings.
Section 5 of the FTC Act (15 U.S.C. § 41) is the U.S.' primary federal statute addressing unfair and deceptive advertising and marketing claims. Section 5 of the FTC Act's prohibition on unfair or deceptive commercial practices has been broadly applied to cover violations of consumer privacy and improper data collection, storage, and use. Companies that collect, store, transmit, utilize, or analyze big data should ensure that their behavior is not in violation of Section 5. They must never violate the promises made to their consumers respecting their collection, use, storage, or dissemination of personal, private information. Informed consent should be obtained prior to any collection or use of personal information, and companies should re-seek consent when and if previously obtained data is intended for reuse at a later time for a purpose other than the one for which consent was initially provided. Additionally, big data should never be transferred to a third party that a company knows (or should reasonably know) will use such information for discriminatory, fraudulent, or otherwise illegal purposes.
The FTC will become involved in a bankruptcy proceeding to enforce judgments and address privacy issues. For example, the FTC objected to the sale of customer records databases containing personal consumer information in the RadioShack bankruptcy. The sale was approved only after a settlement was reached with the FTC.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub. L. 104-191, 110 Stat. 1936) (HIPAA) was enacted in 1996 to provide protection to workers and their families when they lose or change their jobs. Specifically, HIPAA regulates the use, collection, storage, protection, and dissemination of personal medical records by covered entities. Specifically, Title II (i.e., the “Administration Simplification” provisions) of HIPAA requires the establishment of national standards for transactions involving electronic healthcare information as well as national identifiers for employers, providers, and health insurance plans. HIPAA has been amended by the HITECH Act (defined and described below).
HIPAA issues can arise in healthcare and other bankruptcies, including issues concerning, among other things, inadvertent disclosures in bankruptcy filings, improper disposal of patient records, and/or disclosure during the due diligence for the sale. Bankruptcy counsel should be familiar with or consult with an attorney familiar with HIPAA requirements to ensure compliance.
The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5). Subtitle D of the HITECH Act entitled “Privacy” requires HIPAA covered entities to report privacy and data breaches to:
Companies should be familiar with the privacy laws of the states in which they do business and where relevant consumers reside, both for privacy notice and for data breach remediation purposes.
California, for instance, has been at the forefront of state privacy legislation. For example, in the summer of 2018, the California legislature passed the California Consumer Privacy Act of 2018 (CCPA) that dramatically changes the way companies who do business in California will handle personal data.
The CCPA added several new substantive elements to the required disclosures that must be included in a privacy notice or policy. In addition to the information that must be included under the existing California statute, or provided pursuant to California's “Shine the Light” law, online privacy policies and any California-specific notice must include:
Additionally, the California Online Privacy Protection Act (Cal-OPPA) applies to any business that collects personally identifiable information about California residents through websites, mobile applications, or online services. As such, Cal-OPPA has a broad reach and extends to most companies that conduct business online or engage in other online activities.
Cal-OPPA requires an operator of a commercial website or online service (which includes mobile apps) to do the following:
See Cal. Bus. & Prof. Code § 22575.
Other notable California data privacy laws include:
Other states may have similar laws to those in California (see, e.g., the Delaware Online Privacy and Protection Act, 6 Del. Code Ann. §§ 1201C–1206C) or laws that address other aspects of privacy, such as biometric data (see, e.g., Illinois's Biometric Information Privacy Act, 740 ILCS 14/1–740 ILCS 14/99).
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.