Data Destruction Law Allows Civil Suits
Analysis of Delaware's New Breach Prevention Effort
Delaware has enacted a law that spells out methods that must be used to "destroy" paper or electronic records containing consumers' personal information. What sets the breach prevention measure apart from other regulations, however, is that it permits consumers, under certain circumstances, to file civil suits against those who violate the law's requirements.
The passage of the new Delaware law may spark other states to pass similar legislation, says Boris Segalis, partner at the InfoLawGroup. "We are going to see more and more regulation in the privacy and data security area on the state level," he says. "Congress would probably do a better job of it, and having a single source of information security legislation would reduce compliance burden on businesses. But with Congress frozen, states will certainly act, as they have, to protect the privacy and security of their residents' personal information."
New Law's Provisions
The Delaware law, HB 295, which goes into effect on Jan. 1, 2015, states: "In the event that a commercial entity seeks permanently to dispose of records containing consumers' personal identifying information within its custody or control, such commercial entity shall take reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable." But the law does not specify a certain time frame for when records must be destroyed.
The measure also states that "a consumer who incurs actual damages due to a reckless or intentional violation" of the law has the right to file a civil lawsuit.
"Many of the privacy and data security laws do not allow for a private right of action," says Lisa Sotto, a privacy attorney for the law firm Hunton & Williams. "This one does. This could mean very significant penalties and damages to a company that does not abide by the requirements."
At the federal level, consumers have a difficult time pursuing civil action against an organization following the compromise of their personal information, says Harriet Pearson, partner at the law firm Hogan Lovells. For instance, if a company has violated Section 5 of the FTC Act - a major consumer protection statute - only a state attorney general or the FTC can pursue action, she points out. "That's why you see a lot of consent decrees issued at the federal level."
The new Delaware law provides a private cause of action as opposed to a public cause of action, Pearson explains. "This says a consumer can sue for the inappropriate non-compliant disposal of records. That's a big deal," she adds.
Entities Covered Under Law
Those that must comply with the new Delaware law include commercial entities that are defined as a "corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, or other legal entity, whether or not for profit."
Organizations exempt from the law include any bank, credit union or financial institution as defined under the Gramm-Leach-Bliley Act; any health insurer or healthcare facility that is subject to HIPAA; any consumer reporting agency that is subject to the Fair Credit Reporting Act; and any government agency.
The bill's sponsor, Rep. Stephanie Bolden, D-Del., plans to introduce an amendment to clarify that companies incorporated in Delaware but not doing business with consumers in the state are also exempt.
"While this consumer protection bill was never intended to impact businesses incorporated in Delaware that do not conduct business with Delaware consumers, I am working with our Department of State to craft a bill to amend this law that we can introduce in January when we return to session," Bolden tells Information Security Media Group. "The good news is that HB 295 does not take effect until Jan. 1, 2015, and we hopefully can have this new bill passed in our first month back."
Because of Delaware's favorable state statutes, more than 1 million businesses, trusts and other entities are incorporated in the state, although many don't do business with Delaware residents, Bolden explains.
Pearson of Hogan Lovells criticizes the exemption of government agencies from the bill's requirements. "I don't think, from a public policy perspective, it's appropriate to exempt government from requirements that industry has to follow," she says. "Government frequently has information that is just as, if not more, sensitive than any information on consumers or citizens that a company has."
Defining Personal Information
The bill's destruction requirements apply to paper and electronic records that contain personal identifying information, which it defines as a consumer's first name or first initial and last name in combination with any one of the following data elements relating to that consumer, when either the name or the data element is not encrypted:
- Social Security number;
- Passport number;
- Driver's license or state identification card number;
- Insurance policy number;
- Financial services account number;
- Bank account number;
- Credit and/or debit card number;
- Tax or payroll information;
- Confidential healthcare information, including all information relating to a patient's healthcare history, diagnosis, condition, treatment, or evaluation obtained from a healthcare provider who has treated the patient which explicitly or by implication identifies a particular patient.