Delaware House Bill 295 was signed into law on July 1. The law provides that if a commercial entity seeks to dispose of records containing consumers' personal identifying information, the commercial entity must take reasonable steps to destroy or arrange for the destruction of such records by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable. Because Delaware is such a popular state for incorporation, this new law could impact a large number of companies.
"Personal identifying information" means a consumer's first name or first initial and last name in combination with any of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted: social security number, passport number, driver's license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information including all information relating to a patient's health care history, diagnosis, condition, treatment, or evaluation.
The law does not apply to financial institutions that are subject to the privacy and security provisions of the Gramm-Leach-Bliley Act; health insurers or health care facilities that are subject to and in compliance with the privacy and security provisions in the Health Insurance Portability and Accountability Act; and consumer reporting agencies that are subject to and in compliance with the Federal Credit Reporting Act. The law also does not apply to any government, governmental subdivision, agency, or instrumentality.
The law provides a right of action for consumers who incur actual damages due to a reckless or intentional violation of the law.