Subcontractors in Outsourcing

Impact of the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005
The U.S. Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, signed by President Bush on April 20, 2005, targets “abusive practices” in bankruptcy, particularly those relating to individuals petitioning for a fresh start through relief of debts. The new law enacts privacy protections for personally identifiable information. This article focuses on renewal of best practices in outsourcing.

Privacy Law in Bankruptcy.
The bankruptcy of dot.com startups (and some other major companies) in the late 1990s and early 2000s produced some sales of databases of personally identifiable information. Trade in such databases may have resulted in the exposure of private information to mass marketers engaged in spam in violation of the CAN-SPAM Act of 2003.

Strategic Alliance Agreements with Subcontractors.
Up and down the chain of services in an outsourcing, the service provider and its direct and indirect subcontractors may gain access to private or other personally identifiable information that is sensitive or legally protected from disclosure. In their subcontracts, service providers normally take into account the ownership of such data, regardless of whether received from enterprise customers (and subject to contractual protections under a Master Services Agreement) or generated by the service provider as part of its broader operations.

Impact on Outsourcing.
The Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, S. 256 (109th Cong., 1st Sess.), makes explicit the customary contractual protections against potential abuses by subcontractors of personally identifiable information. The new law prohibits any bankrupt person or entity from selling or leasing personally identifiable information unless the sale or lease conforms to the bankrupt’s pre-bankruptcy privacy policy and a consumer ombudsman has reviewed the transaction. Specifically, the law amends Section 363(b)(1) of the Bankruptcy Code so that:

if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless–

(A) such sale or such lease is consistent with such policy; or
(B) after appointment of a consumer privacy ombudsman in accordance with section 332, and after notice and a hearing, the court approves such sale or such lease–

(i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and
(ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

The new law addresses only the data disclosed in a traditional consumer transaction (“B2C”). When the merchant outsources any element of that transaction or the storage of any data, the B2C becomes B2B, and the new law impacts the outsourcing relationship.

The new law fills a gap if the prime contractor fails to require a “flow down” contractual protection for the data of the enterprise customer. This new protection is limited to personally identifiable information and not any other data, such as commercial transactional data that should be protected from disclosure as well.

Protected Personally Identifiable Information.
The new law would create a new category of protected personally identifiable information. This would define “personally identifiable information” from two different sources. First, as to disclosures by consumers in consumer transactions, such protected information includes

(i) the first name (or initial) and last name of such individual, whether given at birth or time of adoption, or resulting from a lawful change of name;
(ii) the geographical address of a physical place of residence of such individual;
(iii) an electronic address (including an e-mail address) of such individual;
(iv) a telephone number dedicated to contacting such individual at such physical place of residence;
(v) a social security account number issued to such individual; or
(vi) the account number of a credit card issued to such individual.

Second, additional information is protected if it is identified in connection with one or more of the items of information listed above, namely

(i) a birth date, the number of a certificate of birth or adoption, or a place of birth; or
(ii) any other information concerning an identified individual that, if disclosed, will result in contacting or identifying such individual physically or electronically.

Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, S. 256 (109th Cong., 1st Sess.).

Impact on Privacy Rules and Unfair Trade Practices Generally.
The new law falls short where the contractor is sold to a solvent company, which in turn uses the database for its own marketing and commercial opportunities. The law fails to mandate compliance with a company’s published privacy policy. This omission probably exists because the Federal Trade Commission’s privacy rule already expresses a public policy, through administrative regulation rather than by law, of mandating that companies comply with their own privacy policy or face the trade regulator’s charges of “unfair trade practices.”

Best Practices.
The bankruptcy reform law underscores the need for adopting appropriate confidentiality and data protection provisions in all outsourcing contracts and subcontracts. Special attention should now be given to privacy rights governed by this new bankruptcy law.