 |
| March/April 2006 |
| Features |
Are You Protected?
Information compiled by David Goch
The news of a security breach has become a regular way of life in this day and age. In 2005 at least 130 reported security breaches exposed more than 55 million Americans to potential identity theft. These numbers are only expected to rise in 2006. In light of these alarming numbers, many states are beginning to take steps to protect their citizens in the event of a security breach. In 2003, California was the first state to adopt a security breach bill. This year, security breach notification legislation was introduced in at least 35 states and as of January 2006 at least 23 states have passed security breach notification laws. Security breach notification laws require companies that have lost data to notify affected consumers.
Below is a state-by-state summary of how we are protected:
Alabama
No current bill.
Alaska
Several bills have been introduced, but nothing has been adopted to date.
Arizona
Again, while several bills have been introduced, nothing has been adopted yet.
Arkansas
SB1167
Ark. Code tit. 4, ch. 110, §§ 101 to 108
Effective Date: 3/31/05
Definition of personal information: same as that in California (see below), except its adds medical information to the list.
Definition of Covered Entity: Any person or business that owns or licenses computerized data that includes personal information or maintains such data. “Business” means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the U.S., or of any other country or the parent or the subsidiary of a financial institution.
Key Provisions: Includes data destruction and security procedure requirements. Only allows action by attorney general.
California
AB 700, SB 1386
Cal. Civ. Code §§ 1798.29 and .82
Effective Date: 7/1/03
Definition of Personal Information: individual’s first name or initial and last name in combination with the following: social security number; driver’s license or state ID card number; account number; credit or debt card number; in combination with any required that allows access to account; or any other financial information.
Definition of Covered Entity: Any agency that owns or licenses computerized data that includes personal information or maintains such data.
Key Provisions: Requires notification of breach in data of resident whose personal info was or reasonably believed to have been acquired. California law, which was instituted in 2003, is the basis for all other state laws.
Colorado
SB 137
Col. Rev. Stat. tit. 12, art. 14.3, titl 7 art. 90, and tit. 18, art.
Effective Date: 6/1/05
Definition of Personal Information: none
Definition of Covered Entity: none
Key Provisions: Not a security breach bill. Permits a consumer to put a security freeze on his or her credit report.
Connecticut
SB 650
Effective Date: 1/1/06
Definition of Personal Information: same as California
Definition of Covered Entity: Any person that conducts business in Connecticut and owns or licenses computerized data that includes personal information or maintains such data.
Key Provisions: Includes a “security freeze” by which consumers may freeze their credit report. Only allows action by attorney general.
Delaware
HB 116
Del. Code Tit. 6, Chapter 12B, §§ 101-104
Effective Date: 6/28/2006
Definition of Personal Information: Same as that in California, except adds medical information to the list.
Definition of Covered Entity: Any individual or commercial entity that conducts business in DE and owns or licenses computerized data that includes personal information or maintains such data. “Commercial entity” includes corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments,
governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not-for-profit.
Key Provisions: Requires written notification of breach to be provided to the Consumer Protection Division of the Delaware Department of Justice. Requires immediate response to data breach, even if data is owned by the organization. Provides for treble damages. Individuals and attorney general may bring action.
Florida
HB 481
Fl. Stat. Tit. XLVI, Ch. 817, § 5681
Effective Date: 7/1/05
Definition of Personal Information: Same as California when addressing computer security breach. However, when dealing with the identity theft provision on the whole, the bill definition of personal information includes (in addition to info listed in California law) postal or email address, telephone number, DOB, mother’s maiden name, alien registration number, passport number, employer or tax ID number, Medicaid or food stamp account number, biometric data, unique electronic number, address, or routing code, medical records, or telecommunication ID info or access device. This ID theft provision is found at 817.568.
Definition of Covered Entity: Any person that conducts business in Florida and owns or licenses computerized data that includes personal information or maintains such data. The word “person” includes individuals, children, firms, associations, joint adventures, partnerships, estates, trusts, business trusts, syndicates, fiduciaries, corporations, and all other groups or combinations.
Key Provisions: Provides various criminal penalties for unauthorized and fraudulent use of personal information without consent. Requires different notification time periods based on ownership of data - 45 if own data and 10 days if you don’t own data. Fines are incremental based on non-reporting of breach. Requires notice to consumer reporting agencies for certain circumstances. Notification may not be required under certain circumstances.
Georgia
SB 230
Ga. Code, tit. 10, ch. 1, §§ 910- 912
Effective Date: 5/5/2005
Definition of Personal Information: Same as California, except includes passwords or other access codes. In addition, if any element of personal information can be used for identity theft, even absent person’s name, then considered personal information.
Definition of Covered Entity: Applies to Information Brokers that own or license computerized data that includes personal information or a person or business who maintains such data on behalf of Information Broker. “Information broker” means any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes. “Person” means any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association, or other entity.
Key Provisions: No penalties specified for noncompliance.
Hawaii
None
Idaho
A bill was proposed, but did not pass in the 2004 session
Illinois
HB 1633
Ill. Comp. Stat. ch. 815, § 530
Effective Date: 1/1/06
Definition of Personal Information: same as California
Definition of Covered Entity: All data collectors that own or license personal information or maintains computerized data that includes personal information. “Data collectors” include, but are not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.
Key Provisions: Violation constitutes unlawful practice under Consumer Fraud and Deceptive Business Practices Act.
Indiana
HB 1101
Ind. Code, tit. 24, art. 4.9
Effective Date: 7/1/06
Definition of Personal Information: same as that in California.
Definition of Covered Entity: Data base owner, which is a person that owns or licenses computerized data that includes Personal Information. Person includes individual, corporation, or any other legal entity.
Key Provisions: Credit Reporting Agencies must be notified if more than 1,000 people are to receive notice. Breach of security system does not include unauthorized access to portable device if protected by undisclosed password. Allows notification by email. Allows notice on website or by statewide news media if affect more than 500,00 people, or would cost more than $250,000.
Iowa
None
Kansas
None
Kentucky
None
Louisiana
SB 205
La. Rev. Stat., ch. 51, §§ 3071, 3077
Effective Date: 1/1/06
Definition of Personal Information: same as California
Definition of Covered Entity: Any person that conducts business in Louisiana or owns or licenses computerized data that includes personal information, or any person or agency that maintains such data. “Person” means any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity. “Agency” means the state, a political subdivision of the state, and any officer, agency, board, commission, department or similar body of the state or any political subdivision of the state.
Key Provisions: Notification is not required if after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers. Civil action may be instituted to recover actual damages.
Maine
LD 1671
Me. Rev. Stat. Tit. 10, ch. 210-B, §§ 1346-1349
Effective Date: 1/31/06
Definition of Personal Information: Same as California, except includes passwords or other access codes. In addition, if any element of personal information can be used for identity theft, even absent person’s name, then it is considered Personal Information.
Definition of Covered Entity: Applies to Information Brokers that maintain computerized data that includes personal information or a person that maintains such data on behalf of Information Broker. “Information Broker” means a person who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring or communicating information concerning individuals for the primary purpose of furnishing personal information to non-affiliated 3rd parties. “Information broker” does not include a governmental agency whose records are maintained primarily for traffic safety, law enforcement or licensing purposes. “Person” means an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity.
Key Provisions: Person maintaining Personal Information for information broker must only alert information broker of breach. Requires notification of consumer reporting agencies if notice is provided to more than 1,000 people. Enforced by Dept. of Professional and Financial Regulation if registered with the Department. All other information brokers enforced by attorney general. Allows for civil violation remedies. Substitute notice allowed if the information broker demonstrates that the cost of providing notice would exceed $5,000 or that the affected class of individuals to be notified exceeds 1,000.
Maryland
None
Massachusetts
Legislation pending
Michigan
Legislation pending
Minnesota
HF 2121
Minn. St., ch. 325E, § 61
Effective Date: 1/1/06
Definition of Personal Information: same as California.
Definition of Covered Entity: Any person or business that conducts business in Minnesota and owns or licenses data that includes personal information, or any person or business that maintains such data.
Key Provisions: Requires notification of consumer reporting agencies if notice is provided to more than 500 people. Attorney general enforcement for remedies.
Mississippi
None
Missouri
Several bills introduced, but nothing adopted
Montana
HB 732
Mont. Code Ann., tit. 30, ch. 14, §§ 1701-1722 and tit. 33, ch. 19. § 321
Effective Date: 3/1/06
Effective Date: 1/1/06
Definition of Personal Information: Same as California when addressing computer security breach. However, when dealing with the identity theft provision on the whole, personal info includes in combination with an individual’s signature, address, or telephone number, the following: Passport number; Insurance policy number; or Bank account number. Social security number constitutes personal information in and of itself.
Definition of Covered Entity: Any person or business that conducts business in MT and owns or licenses computerized data that includes personal information, or any person or business that maintains such data. “Business” means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the U.S., or any other country or the parent or the subsidiary of a financial institution. The term includes an entity that destroys records. The term also includes industries regulated by the public service commission or under Title 30, chapter 10.
Key Provisions: Privacy protections for credit card solicitations, renewals thereof, and telephone accounts. Prevents businesses from printing more than 5 digits of credit Card number or expiration date on electronically generated receipts. Requires consumer reporting agencies to block or expunge info on a report that is the result of ID theft. Records destruction provisions. State may enjoin violations and impose civil penalties.
Nebraska
None
Nevada
SB 347
Nev. Rev. Stat., ch. 205, §§ 461-4675
Effective Date: 10/1/05, 1/1/06, or 1/1/08 depends on provision
Effective Date: 1/1/06
Definition of Personal Information: Same as California when addressing computer security breach. However, when dealing with the identity theft provision on the whole, personal information includes, in addition to the information provided in California law, an extensive amount of additional information in the definition of personal information, including biometric data, DOB, place of employment, mother’s maiden name, utility account number, electronic ID number, and certain other forms of ID and all information is independently defined as personal information.
Definition of Covered Entity: Applies to data collector that owns or licenses computerized data that includes personal information or maintains such data that it does not own. “Data collector” means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.
Key Provisions: Requires notification of consumer reporting agencies if notice is provided to more than 1,000 people. Data destruction requirements. Requires reasonable security procedures and practices to be followed by owners and licensees of personal info. Requires credit card issuers to disclose policies regarding ID theft and the rights of cardholders. Requires business to encrypt all transmissions other than faxes outside of the secure system of the business. Definition of encryption may go beyond the typical con-ception of “encryption.”
New Hampshire
None
New Jersey
A4001
N.J. Perm. Stat. tit. 56, §§ 8-161-163
Effective Date: 7/2/2006 except for sections governing police reports, which were effective 9/22/06.
Effective Date: 1/1/06
Definition of Personal Information: same as California.
Definition of Covered Entity: Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that includes personal information or any business or public entity that compiles or maintains such records. “Business” means a sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this State, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution. “Public entity” includes the State, and any county, municipality, district, public authority, public agency, and any other potential subdivision or public body in the State.
Key Provisions: Specifically address collection, use and disclosure of social security numbers. Consumer may elect a security freeze on consumer report. Includes data destruction provisions. All security breaches must be reported to the State Police before notifying customers. Credit reporting agencies must be notified if 1,000 or more customers affected. Notification not required if the business establishes that misuse of the information is not reasonably possible. Knowing or reckless violations of security breach or social security number provisions are an “unlawful practice” under NJ’s consumer protection statutes. Allows individuals to file and receive a copy of a policy report regarding suspected ID theft.
New Mexico
None
New York
AB 4254
N.Y. Cons. Law, St. Tech., Sect. 208
Effective Date: 12/8/2005
Definition of Personal Information: Same as California, but includes any information concerning a natural person which, because of name, number, symbol, mark or other identifier, can be used to ID that natural person, in conjunction with social security number; driver’s license or non-driver ID card number; or account number, credit or debit card number, in combination with any required that allows access to account.
Definition of Covered Entity: Any person or business that conducts business in NY and owns or licenses computerized data that includes personal information, or any person or business that maintains such data.
Key Provisions: Electronic notification can only be given if (i) the individual has expressly consented to its receipt and (ii) logs are kept. However, businesses may not require persons to consent to accepting electronic notices as a condition of entering a business or transactional relationship. If a business must notify one or more NY residents, the attorney general, Consumer Protection Board, and State Office of Cyber Security and Critical Infrastructure Coordination must be notified. If more than 5,000 persons must be notified at one time, consumer reporting agency must also be notified. Attorney general may enjoin activities and may sue on behalf of affected parties.
North Carolina
HB 1248
N.C. Gen’l Stat., ch. 75, §§60-66
Effective Date: 12/1/2005
Definition of Personal Information: Same as California, but includes checking and savings account numbers, PIN, digital signatures, biometric data and fingerprints and parent’s legal surname prior to marriage. Also includes any information that would allow id theft against a person, regardless of connection with name.
Definition of Covered Entity: Any business that maintains or otherwise possesses personal information or any business that conducts business in North Carolina that maintains or otherwise possesses personal information of consumers in any form. “Business” is defined as a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit. The term includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. Business shall not include any government or governmental subdivision or agency.
Key Provisions: A business shall not be required to disclose a technical security breach that does not seem reasonably likely to subject consumers to a risk of criminal activity. Person may bring civil actions. Provides for security freezes and social security number protection, and includes data destruction provisions.
North Dakota
SB 2251
N.D. Cent. Code, tit. 51, ch. 30
Effective Date: 6/1/2005
Definition of Personal Information: Same as California, but includes operator’s license number assigned by the DOT, DOB, mother’s maiden name, ID number assigned by employer, and digitized or other electronic signature.
Definition of Covered Entity: Any person that conducts business in FL and owns or licenses computerized data that includes personal information or maintains such computerized data.
Key Provisions: Includes criminal penalties for ID theft. Attorney general enforcement, with no express right of private action.
Ohio
HB 104
Oh. Rev. Code, tit. XIII, ch. 1349, §19
Effective Date: 11/17/2005
Definition of Personal Information: Same as California
Definition of Covered Entity: Any person that owns or licenses computerized data that includes personal information or maintains such computerized data. “Person” includes an individual, corporation, business trust, estate, trust, partnership, and association, except that “person” includes a business entity only if the business entity conducts business in this state.
Key Provisions: If more than 1,000 persons must be notified at one time, consumer reporting agencies must also be notified. Attorney general may enjoin activities and may sue on behalf of affected parties.
Oklahoma
None
Oregon
Legislation proposed but no action taken.
Pennsylvania
SB 712
Act 94-2005 (free standing Act)
Effective Date: 6/20/06
Definition of Personal Information: Same as California
Definition of Covered Entity: An entity that maintains, stores or manages computerized data that includes personal information or a vendor that maintains, such data. An “entity” is a State agency, a political subdivision of the Commonwealth, or an individual or a business doing business in Pennsylvania.
Key Provisions: Only applies if unauthorized acquisition of computerized data materially compromises the security of a system. Party can give telephonic notice of breach. Substitute notice allowed if the information broker demonstrates that the cost of providing notice would exceed $100,000 or that the affected class of individuals to be notified exceeds 175,000. If more than 1,000 persons must be notified at one time, consumer reporting agencies must also be notified.
Rhode Island
HB 6191
R.I. Gen’l Law, tit. 11, ch. 49.2, §§1 thru 7
Effective Date: 3/1/06
Definition of Personal Information: Same as California
Definition of Covered Entity: Any state agency or person that owns or licenses computerized data that includes personal information or maintains such data. “Person” shall include any individual, partnership association, corporation or joint venture.
Key Provisions: Notification of a breach is not required if breach has not and will not likely result in a significant risk of identity theft to the individuals whose personal info has been acquired. Substitute notice may be given under lower monetary and contact requirements.
South Carolina
Several bills introduced, but nothing adopted.
South Dakota
nothing
Tennessee
SB 2220
Tenn. Code, tit. 47, ch. 18, §§2101-2107
Effective Date: 7/1/05
Definition of Personal Information: Same as California
Definition of Covered Entity: Any information holder or information holder that maintains computerized data that includes personal information. “Information holder” means any person or business that conducts business in this state, or any agency of the state of Tennessee or any of its political subdivisions, that owns or licenses computerized data that includes personal information.
Key Provisions: Notification of a breach is not required if breach has not and will not likely result in a significant risk of id theft to the individuals whose personal info has been acquired. Substitute notice may be given under lower monetary and contact requirements.
Texas
SB 122
Tex. Stat., tit. 4, ch. 48, §§101 - 103, and 201 - 203
Effective Date: 9/1/05
Definition of Personal Information: Same as CA, except labeled “sensitive personal information” instead of Personal Information.
Definition of Covered Entity: Any person that conducts business in TX and owns or licenses computerized data that includes sensitive personal information or maintains such computerized data.
Key Provisions: Requires that reasonable measures be taken to protect sensitive personal info. Requires credit reporting agencies to be notified if more than 10,000 persons affected. Data destruction provisions. Attorney general may enjoin activities. Civil penalties for violations. Provides for equitable relief for ID theft victims, declaration that an individual is an ID theft victim.
Utah
SB 69
Utah Code, tit. 13 ch. 42, §§101-301
Effective Date: 1/1/2007
Definition of Personal Information: same as that in California.
Definition of Covered Entity: Any person that conducts business in Utah and maintains Personal Information. Also applies to organizations that perform document destruction.
Key Provisions: In addition to regular notification methods, allows notification via public newspapers. Only requires notification if after investigation, the organization determines that the Personal Information will be misused.
Vermont
Nothing
Virginia
Several bills introduced, but nothing adopted.
Washington
SB 6043
Wa. Rev. Code, tit. 19, §255.010
Effective Date: 7/24/05
Definition of Personal Information: Same as California.
Definition of Covered Entity: Any person or business that conducts business in WA and owns or licenses computerized data that includes personal information or maintains such data.
Key Provisions: Allows civil actions for damages and injunctive relief.
West Virginia
Several bills introduced, but nothing adopted.
Wisconsin
SB 164
Wisc. Stat., ch. 895, §507
Effective Date: 3/16/06
Definition of Personal Information: same as that in California, except it adds DNA profile and biometric data to the list.
Definition of Covered Entity: Any person, other than individual, that conducts business in Wisconsin and owns or licenses Personal Information, maintains depository accounts for residents, or lends money to residents.
Key Provisions: Requires Credit Reporting Agencies to be notified if more than 1,000 persons are affected. Does not require report if acquisition of Personal Information does not create material risk of Identity theft or fraud. Allows notification via mail or by means the organization has previously used to contact victim. If there is no address or other form of contact, then organization can use a form of communication reasonably calculated to provide notice.
Wyoming
Nothing
Washington D.C.
Nothing
Dueling Systems, Goals in Conflict
By Paula Lucas
With a great number of consumer financing agreements requiring resolution of consumer disputes by means of arbitration, how are these arbitration clause affected
by the consumer filing bankruptcy? Should the arbitration clause prevail or should the premises of the Bankruptcy Code prevail?
Code vs. Federal Arbitration Act
The policy under the Bankruptcy Code is to retain all proceedings involving the debtor and the debtor’s estate in one central forum, the bankruptcy court. The recognition and enforcement of an arbitration clause is at the discretion of the court.
The Federal Arbitration Act, 9 U.S.C. §1-14 (“FAA”), was enacted by the United States Congress in 1925 to affirm the enforceability of arbitration contract clauses and arbitration awards and to create a basic framework for business arbitration agreements. The FAA was expanded to include consumer transactions in 1995. Under the FAA amendments merchants are allowed to negotiate and resolve disputes outside of the judicial forum, i.e., via arbitration.
The Match Up
Round 1: Arbitration vs. No arbitration
In determining whether to enforce an arbitration clause when a party to the contract files bankruptcy, the courts weigh and consider several issues.
The punches….
• Is this the type of evidence and litigation that is better suited to a judicial forum?
• Will resolution require certain expertise?
• Who will hear the matter and have they been successful at this type of dispute resolution before?
The bell tolls…
• It is a “no decision.”
Round 2: The Courts Weigh In
Depending up on the case and the appropriateness of the situation the courts are split as to whether or not an arbitration clause will be recognized within a bankruptcy proceeding.
In MBNA America Bank v. Hill, the Second Circuit stayed an adversary proceeding filed for violations of the automatic stay in favor of an arbitration clause. MBNA America Bank v. Hill, 436 F.3d 104 (2d Cir. 2006). Noting that an important distinction must be made between claims where the bankruptcy judges have discretion to refuse arbitration or where the cases must be sent directly to arbitration, the Court found that in resolving conflicts between bankruptcy courts and arbitration forums, courts must defer to arbitration. Id. at 108. The court found that “bankruptcy courts generally do not have discretion to refuse to compel arbitration or ‘non-core’ bankruptcy matters, or matters that are simply ‘related to’ bankruptcy cases.” Id.
In attempting to find a balance between bankruptcy’s preference for centralized dispute resolution and the importance of respecting private agreements to arbitrate, courts have generally premised their decisions based upon the notion that core bankruptcy issues should be sent to arbitration unless they create an inherent conflict with important bankruptcy concerns.
The current direction courts are taking is towards compelling arbitration in non-core matters as they do no materially effect the Bankruptcy Code provisions. See e.g., In Re Ethel Marie Mintze, 2006 U.S. App. LEXIS 564 (3d Cir. Jan. 10, 2006) (holding that the court should enforce arbitration clauses unless to do so would controvert the objectives of the Bankruptcy Code) and Insurance Company of North America v. NGC Settlement Trust & Abestos Claims Management Corp. (In re National Gypsum Co.), 118 F.3d 1056, 1067 (5th Cir. 1997) (adopting and combining the holdings of Shearson/American Express, Inc. v. McMahon, 482 U.S. 220 (1987) and Hays and Co. v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 885 F.2d1149 (3d Cir. 1989) in its finding that the arbitration agreement at hand was in direct conflict with the Bankruptcy Code and that denial and enforcement of an arbitration clause is discretionary where the issue is a core matter under the Code).
However, notably there is no court discretion to refuse enforcement of a contractual arbitration agreement where the parties’ dispute arises under a state law breach of contract claim as it is outside of the scope of the bankruptcy court. Finally, where a motion for relief from automatic stay that will result in a determination as to whether a debtor may strip off a junior lien (i.e., acore proceeding) is before it, what is the likelihood that a court will allow an arbitration agreement to weigh heavily upon the overall outcome? This issue remains to be determined.
Round 3: Congressional Intent
There is no indication of congressional intent that automatic stay disputes should be exempted from resolution via arbitration. In fact, congressional intent promotes the litigation of automatic stay issues in bankruptcy courts. Shearson/American Express, Inc. v. McMahon, 482 U.S. 220 (1987).
Round 4: Waiver and Consent
Enter the Ring
Arbitration has not been compelled in some instances, where the party that seeks to compel arbitration has waived this right or consented to the litigation in the bankruptcy court. Waiver occurs when the court determines that given the totality of the circumstances, the party seeking to compel has acted in a manner inconsistent with the right to arbitration. Consent occurs when the party seeking arbitration has substantially participated in litigation so as to show inconsistency with the intent to arbitrate (e.g., the filing of a proof of claim) One seeking to compel arbitration should take heed accordingly and determine the best timing for proof of claim filings.
And the Winner Is…
The Supreme Court, in a recent 7-1 decision the held “regardless of whether the challenge is brought in federal or state court, a challenge to the validity of the contract as a whole, and not specifically to the arbitration clause, must go to the arbitrator.” Buckeye Check Cashing Inc. v. Cardegna, 2006 WL 386362 (U.S. Feb 21, 2006). In Buckeye, a putative class action was brought claiming that loan agreements used to extend credit contained usurious interest rates and were in violation of Florida’s lending and consumer protection laws. The plaintiffs argued that because the rates contained in the agreements were illegal, the entire contract, including the arbitration clause should be void. The defendants contended that the entire issue should be decided by an arbitrator as set forth in the contract.The court, siding with the defendants held that challenges to contract validity (both in state and federal court) should be heard by an arbitrator and are not for a court to decide.
The Court relied on and reiterated the federal policy established in the 1980’s favoring arbitration. The Court further determined that theFAA provisions are subject to congressional modification. In either case, the burden rests solely upon the shoulders of the party opposing arbitration.
Deepening insolvency and the United Kingdom’s Wrongful Trading Statute:
A Comparative Discussion©
© William A. Brandt Jr. and Catherine E. Vance 2005. All rights reserved.
American courts continue to struggle with the concept of “deepening insolvency” and whether it is a viable additional claim that may be asserted in a company’s bankruptcy. Although the courts have recognized the theory with increasing frequency in recent years, most notably the United States Court of Appeals for the Third Circuit, its contours remain ill-defined. It is not yet clear, for example, what quantum of misconduct is required to give rise to liability (which could range from outright fraud to a well-intentioned but foolhardy hope of saving a dying company), the various defenses that may be successfully interposed, or the reach of liability for deepening insolvency among the large pool of potential defendants.
In the United Kingdom, there has long been a statutory counterpart to what we are now recognizing as the deepening insolvency theory. This article of law is known as the “wrongful trading” statute. Under the wrongful trading statute, a court can impose liability on a company’s directors where (1) the company is in insolvent liquidation, (2) at some time before commencement of the liquidation proceedings, the director knew or ought to have concluded that there was no reasonable prospect of avoiding the liquidation and (3) the court is not satisfied that the director thereafter took every step with a view to minimizing the potential loss to creditors that ought to have been taken. If found to have wrongfully traded under the statute, the court can order the director to pay to the company an amount of money the court, in its discretion, determines is appropriate. The court can also disqualify the director for a period of two to 15 years. Violating a disqualification order carries potential criminal liability.
The wrongful trading statute obviates some of the controversy and lack of definition that presently plague our deepening insolvency theory. The bankruptcy trustee’s standing to act as a deepening insolvency plaintiff, for example, is a question not fully resolved, with some courts finding that the claims asserted actually belong to creditors. Under the Supreme Court’s decision in Caplin v. Marine Midland Grace Trust Co., 406 U.S. 416 (1972), the trustee is not permitted to assert creditors’ claims, although some courts will allow the trustee to proceed as plaintiff if the claim is common among creditors. As Caplin instructs, Congress is free to do via an amendment to the Bankruptcy Code what the administrator of any insolvent estate is expressly conferred the authority and standing to do under the wrongful trading statute. Thus, in the U.K., the case can be made that legislation has dispensed with the need for the courts to wrestle with questions of claim ownership and whether the bankruptcy trustee is the proper party to prosecute the allegations asserted.
Similarly, the wrongful trading statute does not seem overly concerned with whether the directors owe a fiduciary duty to creditors because the company was at or near insolvency. To be sure, the wrongful trading statute requires that directors act in the interests of creditors, taking every step that ought to be taken to minimize creditors’ potential loss. But liability for failing to take those steps does not appear to constitute a breach of duty; rather, the statute creates an exception to the general rule that directors are not personally liable for the corporation’s debts. Thus, as with the standing issue, the wrongful trading statute resolves by its own terms an area of conflict in American courts, which are not in agreement regarding when, if ever, directors owe creditors a fiduciary duty and, if so, what standard determines liability for a breach.
Another area of apparent divergence is the notion of fault, which seems to be rendered irrelevant under the wrongful trading statute. The statute simply looks to whether the company was insolvent and, if so, the conduct of the directors in relation to the company’s creditors. Indeed, the wrongful trading statute coexists with the fraudulent trading statute, which imposes liability where a company’s business was carried on with an intent to defraud creditors or other persons, or for any fraudulent purpose. Read together, the fraudulent and wrongful trading statutes bear a resemblance to § 548 of the Bankruptcy Code, which allows avoidance of transfers as fraudulent both where there is actual fraud and in the far more benign circumstance of insolvency and a lack of reasonably equivalent value for the suspect transfer.
By contrast, courts examining the deepening insolvency theory seem always to be in search of some wrongful conduct. In the leading case of Official Committee of Unsecured Creditors v. R.F. Lafferty & Co., Inc., 267 F.3d 340 (3d Cir. 2001), the court defined deepening insolvency by reference to fraudulent conduct and wrongful concealment of the company’s troubled condition. More recently, another court undertook a review of a number of deepening insolvency cases and concluded that the prolongation of an insolvent company’s life, without more, will not give rise to liability. Rather, “one seeking to recover for ‘deepening insolvency’ must show that the defendant prolonged the company’s life in breach of a separate duty, or committed an actionable tort that contributed to the continued operation of a corporation and its increased debt.” Kittay v. Atlantic Bank of New York (In re Global Serv. Group, LLC), 316 B.R. 451, 458 (Bankr. S.D.N.Y. 2004).
This is not to say that merely prolonging an insolvent company’s life is sufficient under the wrongful trading statute. What is additionally required, however, is not a separate tort or breach of some duty, as the Kittay court states, but the failure of the company’s directors to take every step that ought to have been taken with a view to minimizing the potential loss to creditors.
Despite the differences, the wrongful trading statute and the deepening insolvency theory share a similar goal: Both attempt to undo some of the harm done to creditors once a company reaches insolvency and becomes unable to pay its debts. Moreover, both wrongful trading and deepening insolvency have the potential to reach well beyond a company’s directors or, in the United States, officers and managers. Under the wrongful trading statute, again, the statutory language itself provides the basis for expanding the reach of liability because the statute expressly applies to “shadow directors.”
A shadow director, as the name implies, is not formally a member of the company’s board of directors. Rather, a shadow director can be defined as a person or entity that exerts control over the company because the directors have become accustomed to acting on the shadow director’s directions or instructions. A shadow director can be deemed subject to the same liability that arises for the appointed board members. This includes liability under the wrongful trading statute and the threat of court-ordered director disqualification, which would preclude the person from participating in the formation, operation or liquidation of any incorporated business for a designated period of time.
With respect to the deepening insolvency theory, the shadow director concept is suggested in In re Exide Techs., 299 B.R. 792 (Bankr. D. Del. 2003), in which the court declined to dismiss a complaint alleging, among other things, that a syndicate of lenders structured its loans in a way that allowed the lenders to exercise significant control over Exide and its subsidiaries, and that, by continuing to fund Exide after it was insolvent, the lenders caused the company to fraudulently continue its operations at the expense of other creditors. Lender control over the debtor was at the heart of the Exide complaint, just as control would make a person a shadow director under the wrongful trading statute. Control also allows Exide to be distinguished from the Kittay decision, discussed above. Kittay also concerned a lender defendant, but the rule to be drawn from Kittay is that lending money to a troubled company is not enough, standing alone, to cross the threshold of imposing liability for deepening that company’s insolvency.
The Kittay decision also raises an issue, common to the American insolvency practice experience, of which the wrongful trading statute seems to take no account, that is, whether liability will arise from a good faith, but unsuccessful, attempt to save a struggling company. The Kittay court correctly recollects that “chapter 11 is based on the accepted notion that a business is worth more to everyone alive than dead.” Drawing a direct distinction to the wrongful trading statute, the Kittay court continued: “Thus, in contrast to the laws of some foreign jurisdictions, including the United Kingdom, there is no absolute duty under American law to shut down and liquidate an insolvent corporation. The fiduciaries may, consistent with the business judgment rule, continue to operate the corporation’s business.” Kittay, 316 B.R. at 460.
In expressing the American preference for reorganization over liquidation, however, the Kittay court may have overstated the duty that arises under the wrongful trading statute. A recent decision from a U.K. court involving the directors of furniture retailer Uno and its wholly owned subsidiary, World of Leather, suggests that the duty to liquidate an insolvent company is not, in fact, absolute under English law; rather, directors may have some leeway in continuing to operate the company while undertaking an effort to save it.
Although Uno and World of Leather were retailers, they did not keep merchandise in stock. Instead, customers would pay a deposit at the time they placed their orders and the balance was paid upon delivery of the furniture. After becoming insolvent, the companies continued to take customers’ orders and deposits, which were the key source of the companies’ cash flow, and the directors argued this was done as part of an effort to save the companies and avoid insolvent liquidation.
The directors prevailed in the action and, as the authors of a discussion of the decision explained the court’s reasoning:
Key to his decision was the fact that the directors had relied on good financial information while continuing to accept customer deposits. Evidence showed that if the directors had ceased trading much earlier and placed the company into insolvent liquidation, the unsecured creditors—the customers who provided cash deposits but who had not yet received their goods—would have received nothing.
In addition, the judge commended the directors’ decision to obtain full legal and professional advice before continuing to trade. With such advice in hand, they were able to assert that they believed that there was a reasonable prospect of finding a corporate solution, thereby achieving a satisfactory outcome for all of the group’s creditors, not the least of which included its cash-paying customers.
Jamie White & Natalie Cropps, Despite Uproar, Directors Escape Liability: U.K. Court Finds No Fault in Taking Deposits in Turnaround Try, The Journal of Corporate Renewal, February 2005 at 6.
It must be noted that the Uno/World of Leather decision involved a director disqualification action, not one brought under the wrongful trading statute. But this fact does not diminish the importance of the case as embracing the notion that a good faith decision to attempt to turn a company around, based upon informed judgment made after consulting counsel and other professionals, is not necessarily worthy of punishment, but may, in fact, be a course of action to be encouraged. In this regard, the decision is not distinct from, but actually parallels, the sentiments expressed in Kittay.
Because much remains unclear regarding the application of the law of wrongful trading, and certainly that of deepening insolvency, it would be premature to make sweeping pronouncements about whether these doctrines are headed toward, or away from, each other in their development. Indeed, if the Uno/World of Leather case were brought in the United States, the very professionals that aided in the attempt to save the enterprise could have faced exposure as possible defendants in a deepening insolvency action. Their similarities and differences, however, remain important, as each could lend valuable clarification on the uncertain issues, especially those that arise for many professionals whose business is to save the troubled company.
Even though the concepts of deepening insolvency and wrongful trading originate on opposite sides of the Atlantic, we expect continuing informal convergence toward a common international theory of director and officer liability in coming years. We believe that the continuing evolution of judicial decisions on both sides of “the pond” related to these concepts will likely foster recognition of an evolving thread leading to a more common international approach to the potential assertion of claims against those thought to be in control of economic enterprises as they attempt to manage the affairs of their business on the cusp of insolvency.
William A. Brandt, Jr., is President and Chief Executive Officer of Development Specialists, Inc., headquartered in Chicago, Illinois.
Christine E. Vance is DSI’s Vice President of Research and Policy and is resident in the firm’s Columbus, Ohio, office.
|
|
|
