Beginning January 1, 2015, companies that do business in Delaware will be required to take “reasonable steps” to protect their customers’ personal information when disposing of business documents under a new law signed by Governor Jack Markell on July 1.
The legislation (H.B. 295) provides customers with a civil action to recover potential treble damages against business entities that do not provide for the safe destruction of documents containing personal information. It also provides the attorney general with the authority to file lawsuits or bring administrative enforcement actions against companies that violate the law. However, the new law exempts banks, financial institutions, and certain other institutions covered by federal data destruction laws, as well as all governments and their subdivisions, agencies, and instrumentalities.
According to the National Conference of State Legislatures, as of the end of 2013, 30 states had enacted laws that require business entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable. At the federal level, financial institutions and healthcare providers face significant data destruction requirements under the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. In addition, under the Fair Credit Reporting Act and rules adopted by the Federal Trade Commission, businesses that obtain consumer information from consumer reporting companies must take “reasonable measures” to properly dispose of that information.
Delaware’s new law is consistent with many of those state and federal statutes. For example, it requires businesses disposing of information to shred, erase, or destroy personal data in electronic, paper, or any other form and “make it entirely unreadable or indecipherable through any means.” It also defines “personal identifying information” to mean a consumer’s first name or first initial and last name in combination with a Social Security, passport, driver’s license, state identification card, insurance policy, financial services account, bank account, credit card, or debit card number; tax or payroll information; or confidential healthcare information.