On January 1, 2015, Delaware employers who dispose of records which contain the unencrypted personal identifying information of employees must take steps to ensure the privacy of such information.  The bill, H.B. 294, was recently signed by Delaware’s Governor Jack Markell.

The new law defines personal identifying information as an employee’s first name or first initial and last name in combination with one of the following data elements that relate to the employee, when either the name or the data elements are not encrypted:

  • the employee’s signature;
  • full date of birth;
  • social security number;
  • passport number;
  • driver’s license or state identification number;
  • insurance policy number;
  • financial services account number;
  • bank account number;
  • credit card number;
  • debit card number;
  • any other financial information; or
  • confidential health care information.

Under the law, employers are required to take reasonable steps to destroy or arrange for the destruction of an employee’s personal identifying information when in a “tangible medium,” or that is stored in an electronic or other medium and is retrievable.   Destruction is to be by shredding, erasing, or otherwise modifying the personal identifying information to make it entirely “unreadable or indecipherable” through any means.  Importantly, the law permits a private right of action for any employee who incurs actual damages due to the reckless or intentional violation of this statute.

Delaware also enacted a companion bill, H.B. 295, in July which imposed the same requirements for the proper destruction of personal data on Delaware businesses disposing records containing consumers’ personal identifying information.

Both of these statutes are aimed at addressing one of the more common ways in which a business may experience a data breach, namely the improper disposal of records.  Notably, both of this measures include broader definitions of personal identifying information than Delaware’s data breach notification statute which only includes the following data elements:  Social Security number; driver’s license number or Delaware Identification Card number; or account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.

Upon enactment, Delaware joins the list of 30 other states which in some way regulate the disposal of personal information.