On July 1, 2014, Delaware Governor Jack Markell signed into law Delaware House Bill 295, which amends Section 6 of the Delaware Code relating to trade and commerce. The new law, 6 Delaware Code §§50C-101 through 50C-401, places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. Importantly, the law exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice. The new law is effective on January 1, 2015.
The heart of the new law is the obligation of “commercial entities” to take “all reasonable steps” to destroy consumers’ personal identifying information that is “no longer to be retained by the commercial entity” by “shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means. …” By adopting a broad definition of “commercial entity,” the new requirements impact all corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, or other legal entities—whether or not for-profit. Importantly, the law does not specify when documents must be destroyed, but rather addresses how records should be destroyed when they will no longer be “retained” by a company.
In light of the definition of “commercial entity,” a company’s size, revenues, number of employees, and charitable status are irrelevant to the impact of the new requirements. The definition, however, raises the question of whether the new requirements apply just to entities doing business in Delaware, or whether they also extend to entities formed in Delaware regardless of where they transact business. Given the number of companies incorporated in Delaware, the resolution of this ambiguity could have significant implications nationally. Evidencing some degree of restraint, the law does not apply to financial institutions that are subject to the Gramm-Leach-Bliley Act; health insurers or healthcare facilities that are subject to the Health Insurance Portability and Accountability Act; consumer reporting agencies that are subject to the Federal Credit Reporting Act; and any government, governmental subdivision, agency, or instrumentality.
The Act also defines personal identifying information as “a consumer’s first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: social security number, passport number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information.” Also, “record” is defined equally broadly so as to encompass information “inscribe[d] on a tangible medium, or that is stored in an electronic or other medium. …” Combined, the two definitions extend the scope of the new law to cover the destruction of both paper documents and all forms of electronic records, including records located on back-up tapes, local storage devices, and those stored in “the cloud.”
Reflecting a bias towards consumer rights, the law provides for both a public and private cause of action. Consumers who incur actual damages due to a reckless or intentional violation may bring a civil action against the commercial entity and obtain treble damages. Additionally, the Attorney General, through the Division of Consumer Protection of the Department of Justice, may bring an enforcement action in law or through an administrative proceeding if a violation has occurred and the Attorney General believes an enforcement action would be in the “public interest.”
A copy of the law and the relevant legislative history can be found at: http://legis.delaware.gov/LIS/lis147.nsf/vwlegislation/E7AF55FF393A832E85257C590067118D.