Data Privacy Required in Bankruptcy Filings
In this era of growing concerns over privacy and data security, financial institutions must take affirmative steps to comply with Rule 9037 of the Federal Rules of Bankruptcy Procedure (“Rule 9037”), which requires that any entity filing a document in a bankruptcy case (such as a proof of claim or a motion for relief from the automatic stay) redact all personal identifying information, including Social Security and loan account numbers.
Due to growing concerns over identity theft and other data crimes, the United States Trustee’s Office (“USTO”), a Division of the Department of Justice, has begun independent audits of past filings of banks and lending institutions to determine Rule 9037 violations. In situations involving a pattern of Rule 9037 violations (as few as five offending filings), the USTO will likely issue a demand letter for the offender to provide in detail: (i) an explanation as to the circumstances for the offending filings; (ii) proposed efforts and arrangements of the offender to cure the violations; (iii) processes and internal controls by which the offender will prevent future violations; (iv) a list of all filings in all bankruptcy courts from December 1, 2007, to present that may contain Rule 9037 violations; and (v) how and when the offender compiled the list.
The USTO will thoroughly review the offender’s submission and proposed procedures and will likely require additional action such as mailing a notice to affected parties explaining the steps they can take for future privacy protection. In many instances the USTO also requires the offender to provide affected parties complimentary protection measures such as a year of free credit monitoring.
Compliance programs for offenders can be complex because they require offenders to exercise knowledge of numerous jurisdiction-specific procedures in order to cure past violations and to implement internal processes to avoid future violations. Proactive implementation of a self-directed program of correction for existing and potential Rule 9037 violations may mitigate or eliminate the significant costs and remedial steps typically required by the USTO and implement best practices for management of data privacy.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result. Follow Troutman Sanders on Twitter.