New Data Destruction Law in Delaware Wields Triple Damages Clause

States continue to upgrade data security regulations as US Congress continues to do what it does best.

As meaningful privacy laws languish in Washington for years at a time, Delaware has become the most recent state to upgrade secure data destruction requirements for the disposal of business records that contain private personal data. Effective January 1, 2015, the new law requires businesses to take “reasonable steps” to destroy a consumer’s personal identifying information (PII) such as a signature, full date of birth, Social Security number or passport number, driver’s license or state identification card number, insurance policy number, financial services account numbers (bank account number, credit card number, or “any other financial information”), or confidential health care information.

The new statute targets records that are no longer to be retained and also not encrypted at the time of disposal. Consistent with language found in similar legislation, the guideline indicates the business must “take all reasonable steps to destroy or arrange for the destruction of a consumer’s”. The broad language identifies “shredding, erasing, or otherwise destroying or modifying” the consumer PII in a manner that makes it “entirely unreadable or indecipherable. Backed by several enforcement mechanisms, Delaware’s new law carries a big stick in the form of a treble damages private right of action. Penalties attached to each individual record, which means the legal damages could mount quickly. Both the Delaware Attorney General and Division of Consumer Protection may choose to bring separate enforcement actions as well.