When companies that conduct business in Delaware make their 2015 New Year’s resolutions, they should be sure to add compliance with 6 Del. Code §§ 50C-101 - 50C-104 (Section 50C) and 7 Del. Code § 736 (Section 736) to their list. Section 50C and Section 736, which were respectively signed into law on July 1 and Sept. 2, 2014 and both go into effect Jan. 1, 2015, create potential liability for companies that fail to destroy records or documents that contain personally identifiable information (PII) in a manner that renders PII unreadable or indecipherable.
Section 50C requires commercial entities to take “reasonable steps” to destroy records containing a consumer’s PII. Notably, a consumer is defined as “an individual who enters into a transaction primarily for personal, family or household purposes, except employees.” PII is defined as including a person’s first name or first initial and last name with any of the following data elements when either the name or the data elements are not encrypted:
- Social Security number
- passport number
- driver’s license or state identification card number
- insurance policy number
- financial services account number
- bank account number
- credit card number
- debit card number
- tax or payroll information, or
- confidential health care information, including all information relating to a patient's health care history, diagnosis, condition, treatment, or evaluation obtained from a health care provider who has treated the patient which explicitly or by implication identifies a particular patient.
If a commercial entity fails to comply with Section 50C, a consumer who incurs actual damages due to the commercial entity’s reckless or intentional violation of Section 50C may bring a civil action against the commercial entity for actual damages. However, Section 50C expressly exempts:
- banks, credit unions and financial institutions
- health insurers or health care facilities
- consumer reporting agencies, and
- governments, governmental subdivisions, agencies or instrumentalities.
Section 736, on the other hand, contains no such exemption, and provides that any employee in any company who incurs actual damages due to his or her employer’s reckless or intentional violation of Section 736 may bring a civil action against the employer for treble damages. Additionally, Section 736 adds an employee’s signature and full date of birth as additional PII data elements.
It is important to stress that a company may still be exposed to liability even if it is in an exempted industry under Section 50C. Though Section 50C excludes many commercial entities in certain business sectors and government entities, Section 736 makes all employers with employees residing in Delaware liable if they recklessly or intentionally fail to take reasonable steps to destroy employees’ PII.
While Delaware courts have yet to interpret these statutes, consider the following practice points:
- Remember that PII can constitute a broad set of information. Both Section 50C and Section 736 include information that most commercial entities encounter and discard on a daily basis. Section 736 goes even further by making an employee’s signature a PII data element. Be cognizant that the range of documents that might contain PII could be a substantial part of the company’s records.
- Assess the company’s current document and PII destruction procedures now, rather than waiting until potential litigation arises. For example, the company should determine whether it can assure devices containing PII are shredded, fully erased and destroyed. The company might also consider limiting the transmission of PII so that employees cannot access PII on personal devices, such as smartphones and tablets, which will limit exposure in the event a device is lost or stolen. Both statutes allow for liability if a commercial entity or employer acts recklessly regarding the destruction of records and documents containing PII. Sitting on one’s hands when one has knowledge that documents or records containing PII are being improperly destroyed may constitute recklessness.
- Engage employees, contractors, business partners and other partners in the discussion on how to properly destroy customer and employee information. Problems can arise when PII is transmitted to persons both within and outside the company. Employees, contractors, business partners and other partners should be informed of the company’s confidentiality and document destruction policies in employee handbooks, agreements or other materials where appropriate. In addition, consider making confidentiality and document destruction policies a part of new hire/contractor orientation and yearly trainings.
- Know when you need help. When a data breach or improper destruction of PII occurs, engage counsel and/or a recovery team sooner rather than later. Damage from privacy issues can often be minimized if it is swiftly engaged and controlled.