This article first appeared in the February 2011 issue of the Dow Jones DBR Small Cap publication.

One of the great ironies of the bankruptcy process is that a company will often decide to file for bankruptcy protection primarily due to a funding shortfall, yet, to secure good representation and properly manage the bankruptcy process, that same company needs cash flow to survive. Bankruptcy is, quite simply, a costly process.

Typically, and often out of necessity, to maximize available cash, many expenses are deferred or excised all together. Companies should consider whether technology and database-related expenses, which are often put to the bottom and seen as luxuries, should instead be made more of a priority. Given the emerging areas of law focusing on preserving and protecting privacy information, some rules and regulations might deserve more than a passing glance. In fact, some time and effort preparing appropriate internal and external policies and maintaining the technology to implement the same, may prove to indeed be important.

Depending on the nature of a debtor's business, there are many laws on both the national and state level that govern and regulate a variety of different databaserelated issues. For example, companies that regulate and collect personal data information, including financial health care based or credit card related information, are often subject to a variety of privacy laws to protect consumers from the improper dissemination of information. The variety of different rules and laws to protect that may come into play on a national level include (1) the Health Insurance Portability and Accountability Act, 42 U.S. ß 1301, et seq. (HIPAA), which governs the collection of medical information and data and restricts the further dissemination and usage of such information by various regulated entities such as hospitals, doctors' offices and other related medical professionals; (2) the Federal Trade Commission Act, 15 U.S.C. ßß 41-48 (FTCA), which is a consumer-protection law that protects consumers from unfair, deceptive trade practices with respect to online collection of information; and (3) more recently, the Federal Trade Commission (FTC), along with several other federal agencies, including the National Credit Union Administration, which issued regulations known collectively as the "Red Flags Rule" (commonly known as "WISP" or "Written Information Security Policy"). These Red Flag Rules require certain financial institutions and other companies that regularly extend credit or make credit decisions to design and implement a written identify theft prevention program to prevent, detect and mitigate identify theft. In addition to these and many other federal regulatory acts, there are hundreds of coexisting laws at the state level that serve to restrict and prevent the unauthorized access, collection and dissemination of private personal information.

To satisfy these rules and obligations, it is sometimes necessary to expend money. Generally speaking, unless a safe-harbor provision applies, each rule has a very specific, delineated set of impacted companies that are required to comply with certain technological requirements, and to implement internal and external rules and protections to protect and preserve the information that is stored, collected and/or maintained. At times, various steps can be taken by a company to ensure that it is in basic compliance with the requirements of the various acts. While these steps are costly, so can be the failure to comply (or take steps to comply) with these rules and regulations. For instance, compliance with the newly enacted Red Flag Rules requires the retention of monitoring services, implementation of security codes, and verifying and authenticating data and identifies information that is received. These rules further require that each program be specifically tailored to the company in question, keeping in mind the nature of its business and scope of its activities. Given the breadth of the affected entities, the imposition of post filing administrative claims for failure to comply, or the potential for injunctive relief to be granted to the FTC stopping the debtor from operating, which could be viewed as falling under an exception to the automatic stay by virtue of ß 362(b)(4) of the Bankruptcy Code, could be real and costly concerns with the potential of permanently derailing any perceived bankruptcy reorganization.

Specifically, the Red Flag Rules have enforcement measures, and monetary and civil penalties for a failure to implement with the cost of each violation equal to $3,500. Further, each violation stands alone; thus the loss or breach of integrity of information for multiple customers (such as in the retail industry) could run into millions of dollars. When taken together with the FTC's ability to obtain injunctive relief and prohibit operations, the effect on the debtor could very well be catastrophic. Other rules and regulations such as HIPAA have similar provisions (penalties of up to $16,000 per offense).

It is certainly not unique in this day and age of privacy concerns for this to be a viable issue (how many of us cringed at the loss of privacy information by various well known retailers or recall the theft of information from various banks?). Thus, even though the law is not yet clear on the full extent and application of the Red Flag Rules, companies should consider, when sharpening the CEO or CRO's pencil to create the operating budget post-filing, should some funds be set aside for preparing, implementing and/or sustaining these kinds of policies to ensure some reasonable compliance with these rules exists?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.