The list of states requiring the disposal or destruction of personal data is growing, and companies need to respond accordingly by adopting data destruction plans. Delaware recently became the latest in a series of states to enact legislation addressing the safe destruction of records containing personally identifiable information (PII) of consumers.
The Delaware law, which goes into effect on January 1, 2015, subjects companies to potential civil claims by consumers and potential administrative enforcement actions by the Delaware Department of Justice. The new law requires commercial entities to take reasonable steps to destroy or arrange for the destruction of all consumer PII that will no longer be retained by the entity. These entities must shred, erase or otherwise destroy or modify the PII in these records so they become "entirely unreadable or indecipherable through any means." It is important to note that the new law only addresses how these records must be destroyed, but does not address exactly when these records must be destroyed after it is determined that the records will no longer be retained.
The new Delaware law defines PII as a consumer's first name or first initial and last name in combination with any of the following information, when either the name or the other information is not encrypted: signature, full date of birth, Social Security number, passport number, driver's license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, any other financial information or confidential health care information including all information relating to a patient's health care history, diagnosis, condition, treatment or evaluation obtained from a health care provider who has treated the patient which explicitly or by implication identifies a particular patient. The new law is intended to (a) ensure the security and confidentiality of consumers' PII, (b) protect against reasonably foreseeable threats to the security or integrity of consumers' PII, and (c) protect against unauthorized access to or use of consumers' PII that could result in substantial harm or inconvenience to any consumer. A very broad range of entities will be affected by the new law because it defines "commercial entity" as all corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures or other legal entity, whether for-profit or not-for-profit. Because of this broad definition, an entity's size, revenues, number of employees and charitable status do not matter when assessing the impact of the new law.
The new law is also notable in that it specifically includes a private right of action. While a private right of action is not a new concept for state laws regarding the protection of information, plaintiffs' attorneys have increasingly begun in earnest to use these laws as the next frontier of class action litigation.
Entities in certain industries, however, are exempt under the new Delaware data destruction law. These include financial institutions that are subject to the Gramm-Leach-Bliley Act, health insurers and health care facilities subject to the Health Insurance Portability and Accountability Act, consumer reporting agencies subject to the Federal Credit Reporting Act, and any government, governmental subdivision, agency or instrumentality. It is presumed that these entities also have robust programs covering these issues.
As previously mentioned, Delaware is the latest in a series of states to enact laws addressing the disposal or destruction of PII. Other states with similar data destruction laws include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Florida, Georgia, Hawaii, Illinois, Indiana, Kansas, Kentucky, Massachusetts, Maryland, Michigan, Missouri, Montana, Nevada, New Jersey, New York, North Carolina, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington and Wisconsin. This trend is likely to continue as the national spotlight continues to focus on data breaches, consumer privacy and the protection of PII. Therefore, it is imperative (and, in some states, required) that companies adopt data destruction plans that address when, where and how data is destroyed, as well as the type of data destroyed (electronic and physical records). Also, because state laws may vary, it is critical that companies review their data destruction plans to ensure they comply with the growing number of state data destruction laws.
If your company needs help with its data destruction plan, or if you have questions about this Alert or any other federal or state privacy laws, please contact your Baker Donelson attorney.