| Tracking Number | 26-BK-5 |
|---|---|
| Submitter | Dan Brown, Open Bankruptcy Project |
| Date Accepted | April 16, 2026 |
| Status | Pending consideration, Advisory Committee on Bankruptcy Rules and Standing Committee on Rules of Practice and Procedure |
| Subject | Rule 9037, Official Forms 121 and 309E1 -- SSN exposure in filed documents |
Systemic PII Exposure
Social Security numbers and other personally identifiable information are systemically exposed across federal court filings, a finding verified across all 95 federal bankruptcy districts. Documents containing unredacted PII are published on PACER, where they become permanently available to any user with a PACER account -- and, through RECAP, to the general public.
Rule 9037 of the Federal Rules of Bankruptcy Procedure requires the redaction of Social Security numbers and other personal identifiers in filed documents. Despite this requirement, the current system relies entirely on the filing party to perform redaction before upload. There is no automated screening at the ECF upload point, no systematic audit of filed documents, and no mandatory notification to affected individuals when a breach occurs.
Once a document containing an unredacted SSN is published on PACER, it is immediately available for download. Redaction after publication does not cure the prior disclosure -- the document may have already been cached by RECAP, downloaded by commercial data aggregators, or indexed by search engines.
Five Reforms
- Amendment 1: Auto-Sealing Event Code
  Create a standardized ECF event code that automatically seals documents flagged under Rule 9037 pending review, preventing continued public access while the court evaluates the redaction request.
- Amendment 2: Template-Integrity Audit for Official Forms
  Require a systematic audit of Official Forms 121, 309E1, and other forms that contain PII fields to ensure that form templates do not inadvertently expose full Social Security numbers through auto-fill, metadata, or text-layer extraction.
- Amendment 3: Pre-Acceptance ECF Screening
  Implement automated PII detection at the ECF upload point. Before a document is accepted for filing, the system would scan for patterns consistent with unredacted Social Security numbers, dates of birth, and financial account numbers, alerting the filer before the document becomes part of the public record.
- Amendment 4: Non-Cure Provision
  Codify the principle that redaction after PACER publication does not remedy prior disclosure. Once a document has been publicly available on PACER -- even briefly -- the privacy breach has occurred. This provision would require courts to treat post-publication redaction as a mitigation measure, not a cure.
- Amendment 5: Mandatory Clerk Notification
  Require the clerk of court to notify affected individuals when their PII has been exposed in a filed document. Current practice varies by district and is often discretionary. This amendment would establish a uniform, mandatory notification procedure.
Detection Approach
The analysis employs PyMuPDF for text-layer extraction from PDF documents in the RECAP/CourtListener archive. The detection methodology identifies three categories of PII exposure:
1. Plain-text SSN exposure -- full nine-digit Social Security numbers present in the extractable text layer of filed documents.
2. Cosmetic redaction -- documents where SSNs appear visually redacted (black boxes or other overlay) but remain present in the underlying text layer. These are extractable by any PDF reader and are functionally unredacted.
3. PDF metadata exposure -- PII present in document metadata fields (author, title, subject, keywords) that persists even when the visible content has been properly redacted.
The methodology was validated across documents from all 95 federal bankruptcy districts, using a combination of automated pattern detection and manual review of flagged documents.
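
The sketch below shows how a filer-side or ECF-side screen could sort findings into the three categories above. It is an added example, not the Open Bankruptcy Project's code: the function names are hypothetical, and treating a word whose centre sits inside any filled shape as cosmetically redacted is an assumed heuristic, since the page does not say how that category is detected.

```python
import re

# Dashed or bare nine-digit forms; the lookarounds keep longer digit runs out.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})(-?)(\d{2})\2(\d{4})(?![\d-])")
META_FIELDS = ("author", "title", "subject", "keywords")  # fields named on the page


def find_ssns(text):
    """Return masked candidates for full nine-digit SSNs found in text."""
    hits = []
    for m in SSN_RE.finditer(text or ""):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        # Ranges the SSA never issues: a cheap false-positive filter.
        if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
            continue
        hits.append("***-**-" + serial)  # never echo the full number
    return hits


def covered(box, fills):
    """True if the centre of a word box lies inside any filled rectangle."""
    cx, cy = (box[0] + box[2]) / 2, (box[1] + box[3]) / 2
    return any(x0 <= cx <= x1 and y0 <= cy <= y1 for x0, y0, x1, y1 in fills)


def classify(words, fills, metadata):
    """words: (x0, y0, x1, y1, text) tuples; fills: rectangles of filled shapes."""
    findings = []
    for w in words:
        for masked in find_ssns(w[4]):
            kind = "cosmetic_redaction" if covered(w[:4], fills) else "plain_text"
            findings.append((kind, masked))
    for field in META_FIELDS:
        findings += [("metadata:" + field, s) for s in find_ssns(metadata.get(field))]
    return findings


def scan_pdf(path):
    """Feed one PDF through classify(), page by page, using PyMuPDF."""
    import fitz  # PyMuPDF; imported here so the functions above need no dependency
    findings = []
    with fitz.open(path) as doc:
        for page in doc:
            words = [w[:5] for w in page.get_text("words")]
            # Vector shapes with any fill colour; image or annotation overlays are not seen.
            fills = [tuple(d["rect"]) for d in page.get_drawings() if d.get("fill")]
            findings += classify(words, fills, {})
        findings += classify([], [], doc.metadata or {})
    return findings
```

Bare nine-digit matches will include case and account numbers, so flagged documents still need the manual review the methodology describes.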