Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Delaware recently adopted a new law that will add requirements related to the destruction of records containing “personal identifying information.” With that law, Delaware joined a number of other states that place restrictions on the ways in which entities destroy or dispose of personal information. The Delaware law will become effective January 1, 2015.
Under the new law, commercial entities are required to destroy securely any data that contains personal identifying information. When a commercial entity no longer wishes to retain personal identifying information in its custody, the new law will require that it destroy the information using a method that makes it “entirely unreadable or indecipherable through any means…,” including shredding or erasing the information. The law generally is designed to promote the security and confidentiality of a consumer’s information, protect against threats or hazards to that security, and protect against unauthorized access or use of the information.
While the law is focused narrowly on data destruction, the new destruction requirements may apply to many data sets maintained by a company. Any data set that includes “personal identifying information” is subject to these new requirements. This information includes a consumer’s name, in combination with any of the following types of information: social security number, driver’s license number, bank or other account number, credit card number, credit or debit card number, financial information health information, and tax information. The information is only considered identifiable if it is not encrypted, but the definition includes both paper and electronic records, including records stored in the cloud.
As written, the statutory language suggests that the law broadly applies to all commercial entities subject to Delaware law, not just to those retaining personal information regarding Delaware residents. Further, the law covers all types of entities, regardless of size, revenue, number of employees, or charitable status. There are a few exceptions for businesses that are already subject to federal privacy laws. The law will not apply to financial institutions subject to the Gramm-Leach-Bliley Act, health care entities subject to HIPAA, consumer reporting agencies subject to the Federal Credit Reporting Act, and government entities. Despite these exceptions, the law will still apply to a wide swath of businesses that collect, receive or create personal information regarding individuals.
The law includes both a private and public right of action. The Delaware Attorney General, through the Division of Consumer Protection at the Department of Justice, is able to bring an action in the event of a possible violation, including initiation of investigations and issuance of other penalties. In addition, courts are authorized to award treble damages to individuals.
In response to this new law, companies may wish to review their data disposal practices, including:
These steps can also be elements of a sound data management and compliance program and may reduce the likelihood of potential data incidents.
Authored by Scott Loughlin and Madeline Gitomer