The Need to Redact Personally Identifiable Data from E-Filings

Electronic filing of court documents has become the norm rather than the exception both here, in New York federal and state courts, and around the country. The trend is driven by the pervasive availability of online technology to conveniently enable filing, as well as the generally held presumption in U.S. jurisprudence that court proceedings are public in nature and should be easily accessible to the public.

At the same time, privacy advocates, concerned about the amount of personally identifiable information easily available on the Internet and the resultant increase of identity theft and other types of fraud, wish to restrict public access to certain types of data. These two somewhat contradictory philosophies intersect on the issue of whether the proliferation of electronic filing has unduly and unnecessarily exposed personally identifiable information to possible exploitation.

At issue is the requirement that attorneys redact personally identifiable information from their e-filings. The obligation of an attorney to preserve the privacy interests of those involved in litigation and in administrative proceedings has arisen in a variety of actual circumstances, and has been touched on in academic circles.

However, whether an attorney’s failure to meet that requirement can create professional liability to either the attorney’s client – or even to a non-client – has not been definitively answered.

The governing rules regarding the protection of confidential information in e-filings are relatively straightforward, but often are unfamiliar to practitioners. For example, Federal Rule of Civil Procedure 5.2 provides, in relevant part, that a party or non-party making an electronic filing (as well as a paper filing) that contains an individual’s Social Security number, taxpayer identification number, or birth date, or the name of a person known to be a minor or a financial account number, may include, unless the court otherwise orders, only:

(1) the last four digits of the Social Security number and taxpayer identification number; (2) the year of the individual’s birth; (3) the minor’s initials; and (4) the last four digits of the financial account number. The remaining material must be redacted from the filing.

The rule also provides that a court may order that a filing be made under seal without redaction (and that, upon a court order, such a filing may be unsealed or the person who made the filing may file a redacted version for the public record), and that, for good cause, a court may require redaction of additional information (such as driver’s license numbers and alien registration numbers) or limit or prohibit a nonparty’s remote electronic access to a document filed with the court.

The Advisory Committee notes to Rule 5.2 explain that the rule was adopted in compliance with Section 205(c)(3) of the E-Government Act of 2002. Section 205(c)(3) required the U.S. Supreme Court to prescribe rules “to protect privacy and security concerns relating to electronic filing of documents and the public availability . . . of documents filed electronically.” As the Advisory Committee points out, the rule was derived from and implements the policy adopted by the Judicial Conference in September 2001 to address the privacy concerns resulting from public access to electronic case files.

In New York state courts, Rule 202.5-b of the Uniform Rules for the Supreme and County Courts, relating to electronic filings, takes a different approach by addressing who may access documents, rather than the information to be redacted from them. The New York rule states that a person electronically filing a document “shall indicate” whether it contains any of the following: individually identifiable health information, a Social Security number, a credit card number, a bank account number, an individual’s date of birth, an individual’s home address, a minor child’s name, or trade secrets. If any of this information is contained in the document, the rule provides that access to it on the e-filing site “may be restricted to consenting parties to the action, the County Clerk, and the court.”

The rule continues by noting that the document will, however, “be available for public inspection at the office of the County Clerk unless sealed by the court.”

Several courts have considered whether an e-filing that contains confidential information such as that referenced in federal and New York rules subjects a party – and a law firm – to a claim. To date, for the most part, courts have been unwilling to allow such claims to move forward. Consider the May 26 decision by a bankruptcy court in Indiana in In re Matthys.

Matthys

The case arose when Ryan and Carrie Matthys voluntarily entered bankruptcy in November 2009. The debtors scheduled PNC/National City Bank as a creditor holding a claim of $73,000 secured by a mortgage on the debtors’ residence.

Green Tree Servicing, LLC, the servicing agent for the bank, electronically filed a proof of claim to which it annexed an exhibit that contained the debtors’ full Social Security numbers. Thereafter, the debtors moved for a protective order under Federal Rule of Bankruptcy Procedure 9037 to either redact the Social Security numbers or to prohibit public access to viewing the proof of claim. The bankruptcy court granted the debtors’ motion the next day and the court clerk removed the proof of claim from public access on PACER.

The debtors then filed a complaint against Green Tree, seeking compensatory damages, sanctions, punitive damages, attorney’s fees, costs and cost of credit monitoring for violation of Bankruptcy Code Section 107; The Gramm-Leach Bliley Act; Federal Rule of Civil Procedure 52 and the court’s “policies and procedure;” and Federal Rule of Bankruptcy Procedure 9037, as well as damages for invasion of privacy; negligent or intentional infliction of emotional distress, and finally, negligence.

Green Tree moved to dismiss all counts on the basis that either there was no private right of action under the statutes for which the debtors sought relief or the debtors failed to plead facts sufficient to establish their claims.

The court first examined whether any of the statutes on which the debtors relied granted a private right of action. It explained that although papers filed in a bankruptcy case are public records, Bankruptcy Code Section 107(c) recognizes there are exceptions and provides that the bankruptcy court, for cause, may protect an individual if it finds that disclosure of information would create an undue risk of identity theft.

It noted that among the types of disclosure of information that may create such a risk is the disclosure of an individual’s Social Security number in an attachment to a proof of claim. However, it found, nothing in §107 “expressly creates a private right of action. Nor has Congress implied that a private right of action exists.” Thus, it ruled, the count seeking relief and damages under §107 had to be dismissed.

Gramm-Leach-Bliley

The court next turned to the Gramm-Leach-Bliley Act, explaining that Chapter 94 recognizes each financial institution’s “affirmative and continuing obligation to respect the privacy of its customers and protect the security and confidentiality of those customers’ nonpublic personal information.”

The act, however, “makes no mention of an individual’s right to sue under the Act and an implied right to sue cannot be gleaned from the Act.” It then dismissed the count seeking relief and damages under the act.

With respect to the debtors’ claim for relief and damages for violation of “Federal Rule of Civil Procedure 5.2, and the orders, policies and procedures of this Court,” the court observed that the debtors failed to denominate the specific court orders, policies, and procedures under which they sought relief.

Turning to Rule 5.2, the court found that it “is a procedural rule which governs the electronic filing of documents containing private information.” The Court then found that rules governing procedure in the federal courts “do not give rise to a private cause of action,” and it therefore dismissed the count seeking relief and damages under Rule 5.2 and the court’s orders, policies, and procedures.

With respect to the debtors’ invasion of privacy claim, the court noted that one element of that claim (under applicable Indiana law) was that the information “must have been made to the public at large or to so many persons that the matter is substantially certain to become one of public knowledge.”

Interestingly, the court found that the debtors had failed to allege that their Social Security numbers had been viewed by any member of the public or by the bankruptcy clerk’s office – their only allegation was that the allegedly “public” dissemination of their Social Security numbers “put them at increased risk of identity theft.”

In the court’s view, the complaint failed to allege that other entities obtained and attempted to use the debtors’ Social Security numbers.

Furthermore, it continued, for an individual to access information on bankruptcy court and claims dockets, the individual “must register for a PACER account, and establish a login and a password, a far cry from leisurely surfing the net and stumbling upon private information.”

Affirmative Actions

Put differently, it stated, a party would be required to “take affirmative actions to seek out the information.” Because “the mere electronic filing of a document containing personal information viewable in the PACER system does not rise to the level of ‘publicity’ needed to establish an invasion of privacy claim,” and because the debtors’ complaint did not suggest that the debtors’ personal information, which was viewable by PACER registrants for less than two weeks, was divulged to the extent that it was “substantially certain to become one of public knowledge,” the court dismissed the invasion of privacy claim, too.

The court easily dismissed the debtors’ claim for negligent infliction of emotional distress, finding no serious “emotional trauma,” and the claim for intentional infliction of emotional distress, finding that Green Tree had not engaged in “extreme and outrageous conduct which intentionally or recklessly caused severe emotional distress.”

It similarly dismissed the debtors’ negligence claim, finding that the debtors had failed to allege any specific facts and failed to plead any damages arising from Green Tree’s alleged breach of a duty.

Finally, it refused to rely on Bankruptcy Code Section 105(a) as the basis for relief, finding that “this section alone does not create a private right of action.”

It did find, however, that the debtors had pleaded sufficient facts to state a claim for contempt under §105 for Green Tree’s failure to comply with Rule 9037 that could go to trial. It noted that the “act of limiting access to the proof of claim may be a sufficient remedy under Rule 9037, and a finding of contempt would require that [Green Tree] was aware of its violation of Rule 9037.”

Malpractice Actions

It is not yet known whether lawyers who include unredacted confidential information in e-filings may face malpractice claims, as was asserted in a law review article a few years ago.

New York courts have not, as of yet, addressed whether – or by whom – such a claim could be stated. Certainly, inasmuch as New York requires privity or a relationship approaching privity to state a claim for malpractice, a non-client will be required to demonstrate some other cognizable theory of relief to state a cause of action, such as a statutory scheme that permits a private right of action or breach of a confidentiality agreement that requires the information to be handled in a manner to protect its disclosure.

However, whether a client has a claim against his or her lawyer for improperly e-filing personally identifiable information may depend more on the individual facts and circumstances.

Indubitably, there is a well-established duty of a lawyer to preserve a client’s confidences and secrets. Therefore, as hypothesized by the above-mentioned article, clients may be able to sue their attorneys “when they lose their identities due to their attorneys’ failure to redact the clients’ personal information from court filings.”

Of course, the client will still have to establish all other essential elements of the claim, including proximate cause and damage, which may not have occurred by the mere e-filing of the information. .

Whether New York or elsewhere recognizes a claim for damages as a result of e-filing non-redacted documents remains to be seen. What is clear, however, is that the best way to avoid such a claim is for lawyers to be cognizant of the applicable statutory and regulatory requirements.

In every filing, electronic or paper, lawyers should consider whether any included piece of personally identifiable information is truly necessary for submission to the court and, if so, whether an application for sealing should be made. 

Reprinted with permission from the August 17, 2010 issue of the New York Law Journal. Copyright ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.