Privacy issues implicate several Bankruptcy Code sections and Bankruptcy Rules.  The debtor must also comply with non-bankruptcy rules concerning privacy to the extent that such rules are not inconsistent with the Bankruptcy Code. 28 U.S.C. § 959(b).

This blog post provides an overview of notable non-bankruptcy provisions that must be consulted to ensure compliance with privacy issues. In a subsequent blog post, we will address the privacy issues implicated by several Bankruptcy Code sections and Bankruptcy Rules.

Federal and State Laws on Privacy

There are numerous federal, state, and local laws that govern privacy. Trustees and debtors in possession must comply with these laws unless the laws are preempted by the Bankruptcy Code. 28 U.S.C. § 959(b). Below are several important privacy laws that impact companies, along with links to other practice notes for an expanded discussion of such laws.

1. Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a federal law enacted in 1999 that allows for the combination of different types of financial institutions, such as commercial banks and investment banks (Financial Institution).

Generally, the GLBA requires Financial Institutions to:

• Protect the personal and financial information of their customers against unauthorized access or use

• Not disclose nonpublic personal information to nonaffiliated third parties, unless the consumer receives sufficient notice

• Give customers the opportunity to opt out from having their information shared in certain situations

• Regularly provide customers with their privacy policies and practices

See 15 U.S.C. § 6801; 15 U.S.C. § 6802(a)–(b); 15 U.S.C. § 6803. GLBA compliance is mandatory and therefore, a policy must be in place to protect private information from foreseeable security threats.

Counsel representing financial institutions in a bankruptcy case and debtor's counsel should understand the GLBA requirements when working together on providing notices, plan solicitations, and negotiations.

2. FTC Act

The Federal Trade Commission Act of 1914 (FTC Act), 15 U.S.C. §§ 41–58, established the FTC in order to regulate questionable business practices. Pursuant to the FTC Act, the FTC is empowered to (1) prescribe rules that set forth in particular detail the acts that the FTC considers unfair or deceptive, along with establishing requirements in order to prevent such acts from transpiring in the first instance, (2) fine violators, as well as prescribe other forms of relief (such as issuing cease and desist orders) for conduct considered deleterious to consumers, (3) conduct investigations in order to enforce the FTC Act, and (4) provide recommendations and reports to Congress in connection with its findings.

Section 5 of the FTC Act (15 U.S.C. § 41) is the U.S.' primary federal statute addressing unfair and deceptive advertising and marketing claims. Section 5 of the FTC Act's prohibition on unfair or deceptive commercial practices has been broadly applied to cover violations of consumer privacy and improper data collection, storage, and use. Companies that collect, store, transmit, utilize, or analyze big data should ensure that their behavior is not in violation of Section 5. They must never violate the promises made to their consumers respecting their collection, use, storage, or dissemination of personal, private information. Informed consent should be obtained prior to any collection or use of personal information, and companies should re-seek consent when and if previously obtained data is intended for reuse at a later time for a purpose other than the one for which consent was initially provided. Additionally, big data should never be transferred to a third party that a company knows (or should reasonably know) will use such information for discriminatory, fraudulent, or otherwise illegal purposes.

The FTC will become involved in a bankruptcy proceeding to enforce judgments and address privacy issues. For example, the FTC objected to the sale of customer records databases containing personal consumer information in the RadioShack bankruptcy. The sale was approved only after a settlement was reached with the FTC.

3. HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub. L. 104-191, 110 Stat. 1936) (HIPAA) was enacted in 1996 to provide protection to workers and their families when they lose or change their jobs. Specifically, HIPAA regulates the use, collection, storage, protection, and dissemination of personal medical records by covered entities. Specifically, Title II (i.e., the “Administration Simplification” provisions) of HIPAA requires the establishment of national standards for transactions involving electronic healthcare information as well as national identifiers for employers, providers, and health insurance plans. HIPAA has been amended by the HITECH Act (defined and described below).

HIPAA issues can arise in healthcare and other bankruptcies, including issues concerning, among other things, inadvertent disclosures in bankruptcy filings, improper disposal of patient records, and/or disclosure during the due diligence for the sale. Bankruptcy counsel should be familiar with or consult with an attorney familiar with HIPAA requirements to ensure compliance.

4. HITECH Act

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5). Subtitle D of the HITECH Act entitled “Privacy” requires HIPAA covered entities to report privacy and data breaches to:

• The U.S. Department of Health and Human Services

• The news media –and–

• Those individuals affected by any particular breach.

5. State Privacy Laws

Companies should be familiar with the privacy laws of the states in which they do business and where relevant consumers reside, both for privacy notice and for data breach remediation purposes.

California, for instance, has been at the forefront of state privacy legislation. For example, in the summer of 2018, the California legislature passed the California Consumer Privacy Act of 2018 (CCPA) that dramatically changes the way companies who do business in California will handle personal data.

The CCPA added several new substantive elements to the required disclosures that must be included in a privacy notice or policy. In addition to the information that must be included under the existing California statute, or provided pursuant to California's “Shine the Light” law, online privacy policies and any California-specific notice must include:

• A description of consumers' rights under the CCPA

• A description of the categories of personal information collected by the business in the preceding 12 months

• The commercial and business purposes for which the personal information is collected

• The categories of personal information sold or disclosed for a business purpose in the preceding 12 months

• The categories of third parties with whom personal information is shared

• A link to a “Do Not Sell My Personal Information” web-based opt-out tool

• A description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a 15% discount to individuals who provide their email address for marketing purposes, this incentive must be disclosed in the privacy policy) –and–

• Two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable)

Additionally, the California Online Privacy Protection Act (Cal-OPPA) applies to any business that collects personally identifiable information about California residents through websites, mobile applications, or online services. As such, Cal-OPPA has a broad reach and extends to most companies that conduct business online or engage in other online activities.

Cal-OPPA requires an operator of a commercial website or online service (which includes mobile apps) to do the following:

• Conspicuously post a privacy policy on its website (or in the case of an online service, make the policy available)

• Include various disclosures in the policy (such as what information is collected and with whom it is shared, how the business responds to web browser “Do Not Track” signals, and whether any third parties may collect PII on the business's website or online service) –and–

• Adhere to the policy

See Cal. Bus. & Prof. Code § 22575.

Other notable California data privacy laws include:

• Privacy Rights for California Minors in the Digital World. Allows minors to request the removal of content or information posted online and restricts the online advertising of certain products and services to minors (see Cal. Bus. & Prof. Code §§ 22580–22582).

• Student Online Personal Information Protection Act. Protects the use of student data by operators of websites, mobile applications, or online services that have actual knowledge that the site, service, or application is primarily used for K-12 school purposes and was designed and marketed for such purposes (see Cal. Bus. & Prof. Code §§ 22584–2285).

Other states may have similar laws to those in California (see, e.g., the Delaware Online Privacy and Protection Act, 6 Del. Code Ann. §§ 1201C–1206C) or laws that address other aspects of privacy, such as biometric data (see, e.g., Illinois's Biometric Information Privacy Act, 740 ILCS 14/1–740 ILCS 14/99).

It is therefore critical to research the privacy laws of all states in which your client does business, as well as the federal laws and regulations that govern data privacy in your client's industry sector, to ensure that the privacy policy complies with any applicable requirements. If your client does business in countries other than the United States, your client will also need to comply with those countries' laws.