Delaware recently adopted a new law that will add requirements related to the destruction of records containing “personal identifying information.” With that law, Delaware joined a number of other states that place restrictions on the ways in which entities destroy or dispose of personal information. The Delaware law will become effective January 1, 2015.
Significant Data Destruction Obligations
Under the new law, commercial entities are required to securely destroy any data that contains personal identifying information. When a commercial entity no longer wishes to retain personal identifying information in its custody, the new law will require that it destroy the information using a method that makes it “entirely unreadable or indecipherable through any means…,” including shredding or erasing the information. The law is generally designed to promote the security and confidentiality of a consumer’s information, protect against threats or hazards to that security, and protect against unauthorized access to or use of the information.
Wide Application to Personal Identifying Information
While the law is focused narrowly on data destruction, the new destruction requirements may apply to many data sets maintained by a company. Any data set that includes “personal identifying information” is subject to these new requirements. This information includes a consumer’s name, in combination with any of the following types of information: social security number, driver’s license number, bank or other account number, credit card number, credit or debit card number, financial information, health information, and tax information. The information is only considered identifiable if it is not encrypted, but the definition includes both paper and electronic records, including records stored in the cloud.
Many Businesses Are Covered
As written, the statutory language suggests that the law broadly applies to all commercial entities subject to Delaware law, not just to those retaining personal information regarding Delaware residents. Further, the law covers all types of entities, regardless of size, revenue, number of employees, or charitable status. There are a few exceptions for businesses that are already subject to federal privacy laws. The law will not apply to financial institutions subject to the Gramm-Leach-Bliley Act, health care entities subject to HIPAA, consumer reporting agencies subject to the Federal Credit Reporting Act, and government entities. Despite these exceptions, the law will still apply to a wide swath of businesses that collect, receive or create personal information regarding individuals.
Violations May Result In Government Regulatory Action, Private Lawsuits, And Penalties
The law includes both a private and public right of action. The Delaware Attorney General, through the Division of Consumer Protection at the Department of Justice, is able to bring an action in the event of a possible violation, including initiation of investigations and issuance of other penalties. In addition, courts are authorized to award treble damages to individuals.
Compliance Requires Continued Advance Planning
In response to this new law, companies may wish to review their data disposal practices, including:
reviewing and revising disposal, destruction and asset management policies and procedures; taking inventory of where data is collected, stored, and disposed throughout the organization; educating workforce members regarding disposal, destruction and asset management policies; promoting the use of encryption; and reviewing the practices and contractual obligations of vendors that maintain data on the organization’s behalf.
These steps can also be elements of a sound data management and compliance program and may reduce the likelihood of potential data incidents.
Madeline Gitomer, an associate in our Washington, D.C. office, contributed to this post.