We are just two Mondays away from Labor Day, the traditional end of summer in the United States. Here are some privacy tidbits to get your week started. See especially Jake Romero’s piece on the new Delaware data destruction law.
Lack of Information on the Russian Hackers
A company called Hold Security dropped a bombshell last week at the Black Hat security conference in Las Vegas, but has since gone silent on what companies were affected, what websites, or any other specifics, except to sell a $120 corporate security package. I wrote a piece for JD Supra Perspectives last week on the “what now?” question, and on Friday, the Federal Trade Commission’s Business Blog posted a similar question. Read here to see what personal steps to take.
The question that has been most often asked since the Hold Security announcement is “what’s the value of what the hackers grabbed?” One of the best articles written about this question is from theKrebs on Security archives. Read here.
Cute ”Baby Walls” at the OB-GYN = HIPAA Violation!
An article in yesterday’s New York Times outlines one of the more unintended consequences of HIPAA. Read here.
Delaware’s New Data Destruction Law to Set Standard for Disposing of Consumer Data and Authorize Civil Claims (and treble damages) -by Jake Romero
We all have a general sense of what it means to “destroy” something. You know, like how that new Teenage Mutant Ninja Turtles movie just destroyed all of your fond memories of the 1990s cartoon. Well Delaware wants to make sure that when it comes to destroying and disposing of consumer information, everyone is on the same page. Delaware House Bill 295, recently signed into law by Governor Jack Markell, requires commercial entities, in the destruction of personally identifying information collected from consumers, to take reasonable steps to destroy such information to ensure that it is unreadable. Effective, January 1, 2015, the new requirements to be added as sections 50C-101 – 50C-104 of the Delaware Code will apply to a broad swath of entities and could lead to substantial damages in private rights of action. In preparation for the coming change, here are four things to keep in mind:
- H.B. 295 Imposes Specific Requirements on Destruction, but Do Not Govern Timing
Under the new law, a commercial entity will be required to take all reasonable steps to destroy or arrange for the destruction of consumer personally identifiable information in its custody or control that is no longer to be retained by that entity. Consumer personally identifiable information includes a consumer’s name in combination with that consumer’s signature, date of birth, social security or passport number, driver’s license or state identification number, insurance or financial account numbers, credit card data or health information, when either the name or the other data element are not encrypted.
To comply with the provisions of H.B. 295, the method of destruction must ensure the security and confidentiality of consumer personally identifiable information by shredding, erasing, destroying or modifying the records containing consumer information (including tangible and electronic records) to make them entirely unreadable or indecipherable. H.B. 295 notably does not address the timing of destruction; for example, by requiring that commercial entities destroy consumer personal information as soon as it is no longer required for the purpose for which the consumer provided it. The bill also does not require that the destruction of information be pursuant to a written data retention plan.
- The Scope of the Bill is Broad . . .
The definition of “commercial entity” under H.B. 295 makes it clear that the new requirements apply to a variety of entities, including corporations, business trusts, estates, partnerships, limited liability companies and other legal entities, regardless of size or revenue, and including non-profit entities. Limited exemptions under the law exempt include financial institutions that comply with the Gramm-Leach-Bliley Act (GLBA), health insurers and facilities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), consumer reporting agencies subject to the Federal Credit Reporting Act (FCRA) and government agencies.
- . . . and Just How Broad Remains to be Determined
One key ambiguity of the law is that it does not make it clear whether the new requirements apply just to commercial entities doing business in the State of Delaware, or to all entities incorporated under the laws of the State. Delaware is a particularly popular state for incorporation, so the latter interpretation would significantly expand H.B. 295’s reach. The Information Security Media Group, however, reports that H.B. 295’s sponsor, Rep. Stephanie Bolden, intends to introduce an amendment to H.B. 295 to clarify that the law does not apply to entities incorporated in the State of Delaware that are not doing business with consumers within the State.
- H.B. 295 Authorizes Both Public and Private Rights of Action . . . and Damages May Be Substantial
Finally, H.B. 295 adds teeth to the new law by authorizing both civil and administrative actions. The Division of Consumer Protection of the Department of Justice may bring an action under law or an administrative enforcement proceeding seeking remedies, cease and desist orders or penalties. Even more daunting, consumers who incur actual damages due to a violation of the law may bring a civil action and H.B. 295 authorizes courts to award treble damages. To be clear, each record unreasonably disposed of constitutes an individual violation, so these numbers could add up fast. This represents a significant move toward consumer protection on Delaware’s part, and could serve as a model for other states.
We expect further developments regarding H.B. 295 in the few months that remain before the law goes into effect. Although (as noted above) a written data retention and destruction plan is not specifically required, having a written and properly-implemented plan is the best way to ensure that the requirements are consistently followed.