Delaware passes law requiring destruction of personally identifiable information

July 28, 2014 |

It is a core feature of most privacy and data legislation that organisations and governments should only retain personal information for the period required and for the purpose for which the information was collected.  It is common in cases of data breaches to find organisations who have had poor data security to also have hopeless data management practices; keeping records long after they have no utility, keeping old customer information and generally storing data in one place so as to make a hackers job much easier than would otherwise be the case.  In the UK the Information Commissioner has taken a particularly dim view of this lax practice and handed out some serious monetary penalty notices.  The Privacy Commissioner in Australia has not been nearly as assertive if recent utterances are anything to go by however he has not made public any activities in this area using his new powers under the Privacy Act since 12 March 2014.

Individuals in Australia have very limited rights under statute to take action for interferences with privacy in their own right.  Under the Privacy Act the Privacy Commissioner is the gatekeeper at first instance for most complaints of interferences with privacy (save for seeking injunctive relief under section 98).

The article Delaware Adopts Law Requiring the Destruction of Consumers’ Personally Identifiable Information reports that as of 1 January 2015 commercial entities in Delaware  (bill found here) can be subject to civil lawsuits by consumers in their own right and administrative enforcement actions by the Delaware Department of Justice if they do not destroy or de identify personal information no longer required.

It is important to have a well resourced regulator but also to give individuals the right to take action in the alternative or concurrently.  Regulators don’t live up to their responsibilities on occasion, prioratise differently and can be hamstrung by internal rules and lack of resources.  There is also strong public policy grounds for empowering individuals to take actions for breaches of their privacy.

The article provides:

On July 1, 2014, Delaware Governor Jack Markell signed into law Delaware House Bill 295, which amends Section 6 of the Delaware Code relating to trade and commerce. The new law, 6 Delaware Code §§50C-101 thru 50C-401, places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. Importantly, the law exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice. The new law is effective on January 1, 2015.

The heart of the new law is the obligation of “commercial entities” to take “all reasonable steps” to destroy consumers’ personal identifying information that is “no longer to be retained by the commercial entity” by “shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means. …” By adopting a broad definition of “commercial entity,” the new requirements impact all corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, or other legal entity—whether or not for-profit. Importantly, the law does not specify when documents must be destroyed, but rather, addresses how records should be destroyed when they will no longer be “retained” by a company.

In light of the definition of “commercial entity,” a company’s size, revenues, number of employees, and charitable status are irrelevant to the impact of the new requirements. The definition, however, raises the question of whether the new requirements apply just to entities doing business in Delaware, or if it also extends to entities formed in Delaware regardless of where they transact business. Given the number of companies incorporated in Delaware, the resolution of this ambiguity could have significant implications nationally. Evidencing some degree of restraint, the law does not apply to financial institutions that are subject to the Gramm-Leach-Bliley Act; health insurers or healthcare facilities that are subject to the Health Insurance Portability and Accountability Act; consumer reporting agencies that are subject to the Federal Credit Reporting; and any government, governmental subdivision, agency, or instrumentality.

The Act also defines personal identifying information as “a consumer’s first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: social security number, passport number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information.” Also, “record” is defined equally broad so as to encompass information “inscribe[d] on a tangible medium, or that is stored in an electronic or other medium. …” Combined, the two definitions extend the scope of the new law to cover the destruction of both paper documents and all forms of electronic records, including records located on back-up tapes, local storage devices, and those stored in “the cloud.”

Reflecting a bias towards consumer rights, the law provides for both a public and private cause of action. Consumers who incur actual damages due to a reckless or intentional violation may bring a civil action against the commercial entity and obtain treble damages. Additionally, the Attorney General, through the Division of Consumer Protection of the Department of Justice, may bring an enforcement action in law or through an administrative proceeding if a violation has occurred and the Attorney General believes an enforcement action would be in the “public interest.”

One Response to “Delaware passes law requiring destruction of personally identifiable information”

  1. Delaware passes law requiring destruction of personally identifiable information | Australian Law Blogs

    […] Delaware passes law requiring destruction of personally identifiable information […]

Leave a Reply