Bankruptcy Court Holds the Plain Meaning of a Security Agreement Dictates

AMERINATIONAL COMMUNITY SERVICES, LLC V. AMBAC ASSURANCE CORP.: PUERTO RICO BANKRUPTCY COURT RULES THAT THE PLAIN LANGUAGE OF A SECURITY AGREEMENT DICTATES

A civil action was recently disputed in which Government Development Bank for Puerto Rico (“GDB”) sought to have the obligations owed to it prioritized over the bond agreements previously executed by the Puerto Rico Highway and Transportation Authority (“HTA”). The court in this case held that the “waterfall provisions” contained within the bond agreements were sufficiently specific to uphold the seniority of the bond obligations owed by HTA over the more recent obligations owed by the HTA to the GDB.

Puerto Rico (the “Commonwealth”), together with HTA began restructuring proceedings as a part of the Puerto Rico Oversight, Management, and Economic Stability Act (“PROMESA”). At the time, HTA had roughly $4 billion in outstanding bond claims, and $2 billion in outstanding loan claims. HTA issued bonds in two parts and under bond resolutions dated 1968 and 1998. These resolutions stated that the bonds issued in 1968 had payment priority over the bonds issued in 1998, and any subsequent debt obligations undertaken by the HTA would be subordinated to both tranches of bonds.

Beginning in 2008, GDB entered into a series of intragovernmental agreements through which they loaned $2 billion to the HTA to continue their complete restructuring under PROMESA. These loans were evidenced by a series of loan agreements. Additionally, as a part of these transactions, GDB and the HTA executed an assignment and security agreement (collectively, the “Security Agreement”), pursuant to which HTA purported to assign certain excise taxes to GDB and granted a security interest in those taxes to secure GDB’s loan claims. These loan claims were later transferred to the GDB Debt Recovery Authority (“DRA”) as part of a consensual restructuring proceeding for GDB under Title VI of PROMESA. The Security Agreement was subject to Puerto Rico Acts 30 and 31 of 2012, which stated that taxed imposed must be used for the payment of principal and interest on any obligations or bonds of HTA.

In 2021, the Commonwealth filed an adjustment plan which provided that HTA bondholder’s payments were subordinate to the DRA’s payments. The collateral monitor and servicer for DRA debt filed a suit against the bondholders, stating that under Acts 30 and 31, the payments owed to them as HTA bondholders were subordinate to any payments owed to GDB under the GDB loans to the HTA.

The United States Bankruptcy Court (the “Court”) held that DRA’s claims did not subordinate HTA bonds, and the waterfall provisions dictated, despite Acts 30 and 31. The Court’s reasoning was that the Security Agreement “unambiguously prioritize[d] Bond payments by establishing a waterfall (or ‘turnover’) mechanism.” In making this observation, the Court further opined that “the plain text of the subordination provisions referred only to “outstanding bonds” issued under the bond resolutions, not to future bonds,” and thus, any debts or bonds incurred or issued subsequent to the 1968 and 1998 agreements was junior to those two initial encumbrances. The Court concluded with: “whatever distinctions may be evident or reasonably inferred in other contexts are precluded here by the plain language of the Security Agreement.”

In this case, having found that the contractual language of the 1968 and the 1998 agreements unambiguously and affirmatively subordinated DRA’s loans to all of the bonds issued by the HTA, the Court dismissed all the counts of DRA’s complaint that sought declaratory relief to prioritize their loans over HTA’s bond obligations.

Id. at *6.
Id. Puerto Rico Oversight, Management, and Economic Stability Act, Pub. L. No. 114-187 (2016).
What’s in a Name? Court Holds that Despite it’s Title, a Security Agreement Also Subordinated Junior Creditor’s Rights to Payment, Cadwalader, Wickersham & Taft LLP (Dec. 1, 2021) https://www.jdsupra.com/legalnews/what-s-in-a-name-court-holds-that-2869667/.
AmeriNational Community Services, LLC v. Ambac Assurance Corp. (in re Fin. Oversight & Mgmt Bd. For P.R.), Adv. Proc. No. 21-00068-LTS, 2021 WL 5121892, at *2 (Bankr. P.R. Oct. 29, 2021).
Id. at *2.
Id. at *3.
Id. at *4.
Id. at *3.
Id. at *4.
Id. at *3.
Id. at *5.
Id.
Id. at *10.
Id. at *9.
Id.
Id. at *10.
Id. at *8.

Connecticut’s Data Privacy Breach Notification Law Gets a Facelift

As of October 1, 2021, Connecticut’s Data Privacy Breach Notification Act’s (“Act”) Amendments (“Amendments”) are in effect.  P.A. No. 21-59.  The Amendments:

Expand the definition of “personal information;”
Create extraterritorial jurisdiction;
Remove the safe harbor provision while conducting an investigation;
Lower the notification period from ninety to sixty days;
Further detail notification methods and procedures; and
Create safe harbors for those in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPPA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

The new definition of personal information will require businesses to examine the types of data it stores and how it is stored.  The expanded definition of personal information now includes taxpayer identification numbers, IRS issued identity protection personal identification numbers, passport numbers, military identification numbers or any other commonly issued government identification numbers – in conjunction with the first name or initial and last name of the individual.

Businesses storing COVID-19 vaccination records will also need consider the new definition because it expands coverage to medical information.  The expanded definition now includes medical information regarding an individual’s medical history, conditions (mental or physical), treatment, diagnosis; identifiers used by Health Insurance companies and biometric data – in conjunction with the first name or initial and last name of the individual.

The Amendments also define a breach of security as including the disclosure of a username and password combination including an e-mail address or security question and answer that would provide online access to an account.  The Amendments require, in the event of a breach of login credentials, that (1) a notice informing the person whose information was breached to promptly change their credentials on other websites using the same credentials and (2) not to rely on an email account that was part of the breach to make such notice.

The Amendments remove the limitations that required that: (1) persons subject to the Act must conduct business in Connecticut and (2) that the information subject to the Act be maintained in the ordinary course of business.  Theoretically, any business that stores personal information of a Connecticut resident is now subject to the Act.

The Amendments remove the safe harbor provision allowing for an investigation after discovery of the breach before notification.  Companies now have only sixty-days from the discovery of the breach of security to notify Connecticut residents.   The Act also now includes an ongoing notification duty to Connecticut residents as well.

The notification of affected persons may be avoided if after an “appropriate investigation” the person covered by the Act determines that no harm will befall the individual whose personal information was either acquired or accessed.  However, the sixty-day notification period still applies and any “appropriate investigation” would need to be completed before the duty to notify is triggered.  Furthermore, the Act no longer requires that the information be both acquired and accessed.  Simple acquisition is enough as well as is a brief intrusion into unencrypted protected personal information stored on a secured network.

Finally, the Amendments create a safe harbor for persons in compliance with HITECH and HIPPA privacy and security standards so long as notice to the attorney general is provided.  Materials and information provided to the attorney general are exempt from public disclosure except when provided by the attorney general to third parties for the purpose of furthering an investigation.

The Amended Data Privacy Breach Notification Act is much more onerous to comply with and best practices include having a breach notification plan that can be used at a moment’s notice, creating an inventory of personal information stored by the entity and, encrypting all personal data.  Encrypting personal information remains the best way to comply with Act but the risk of non-compliance can be high since non-compliance is considered a Connecticut Unfair Trade Practices violation which can result in compensatory and punitive damages as well as attorney’s fees.