Privacy & Information Security Law Blog

On July 1, 2014, Delaware Governor Jack Markell signed into law a bill that creates new safe destruction requirements for the disposal of business records containing consumer personal information. The new law requires commercial entities conducting business in Delaware to take reasonable steps to destroy their consumers’ “personal identifying information” prior to the disposal of electronic or paper records. The law will take effect on January 1, 2015.

Under the new law, destruction requirements apply to a consumer’s “personal identifying information.” The term “consumer” is defined as an individual entering into a transaction “primarily for personal, family, or household purposes” and “personal identifying information” (“PII”) consists of the consumer’s first name or first initial and last name in combination with any of the following data elements:

• a signature;
• full date of birth;
• Social Security number or passport number;
• driver’s license or state identification card number;
• insurance policy number;
• financial services account number, bank account number, credit card number, or “any other financial information;” or
• confidential health care information.

Notably, a consumer’s information qualifies as “personal identifying information” if either his or her name or the accompanying data element is unencrypted at the time of disposal.

Under the new law, when records are “no longer to be retained,” commercial entities must “take all reasonable steps to destroy or arrange for the destruction of a consumer’s” PII within those records. The statute explicitly calls for “shredding, erasing, or otherwise destroying or modifying” the consumer PII in a manner that makes it “entirely unreadable or indecipherable.”

The new law comes equipped with a number of enforcement mechanisms, including a private right of action for consumers who incur actual damages as a result of a violation. Significantly, the statute enables aggrieved consumers to seek treble damages, which could quickly add up given that “each record unreasonably disposed of constitutes an individual violation” of the statute. Under certain circumstances, the Delaware Attorney General and Division of Consumer Protection of the Department of Justice also may bring enforcement actions for violations of the statute.

The statute does carve out several exemptions for regulated entities, including financial institutions subject to the privacy and security requirements of the Gramm-Leach-Bliley Act, consumer reporting agency subject to the FCRA, and certain covered entities subject to HIPAA’s privacy and security requirements.