Brandywine Consulting Newsletter In the News

Title: Delaware Adopts a Law Affecting the Retention of Consumer Data

Topics: Risk Management, Compliance, Consumer Protection, Personal Data Use and Retention, Background Screening

Author: Benjamin J. Ventresca Jr., Managing Partner, Brandywine Consulting Group, Inc

Newsletter: July 28, 2014

Type: Compliance Alert

Client Segments: corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, or other legal entities, whether or not for profit.


Article

It may seem like government moves at a glacial pace, but this is a case of consumer protection getting heightened attention.

After its introduction on April 9, 2014, the Delaware House and Senate approved a law that places new obligations on commercial entities with respect to the retention/destruction of records containing personally identifiable information about consumers. The Act was signed into law by Delaware Governor Jack Markell on July 1, 2014 - only eighty-two days later.

This law becomes effective January 1, 2015 and impacts all organizations (business and non-profit) of all sizes.

This law (signed Delaware House Bill 295) amends Section 6 of the Delaware Code relating to trade and commerce. The newly enacted version of the Act places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. In essence, the focus of the new law is the obligation of commercial entities to take all reasonable steps to destroy a consumer's personal identifying information that is no longer to be retained by the commercial entity.

While the law does not specify when documents must be destroyed, it addresses how records should be destroyed. Specifically, the Act states:

In the event that a commercial entity seeks permanently to dispose of records containing consumers' personal identifying information within its custody or control, such commercial entity shall take reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.

Importantly, the Act exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice. What is unclear in the Act is whether this applies only to entities formed in Delaware (regardless of where they operate) or also to entities that are foreign to Delaware but have a presence in the State. It is very important for all organizations formed or functioning in Delaware that collect selective personal information to verify the degree to which this new law affects them.

The following is a synopsis that is a part of the official Act as recorded.

This bill will create a new chapter regarding the safe destruction by business entities of documents containing personal information. Aggrieved customers will have a civil action to recover potential treble damages. In addition, the Attorney General may file suit or bring an administrative enforcement proceeding against the business in violation if it is in the public interest. Banks, financial institutions, and certain other regulated institutions are exempt, as are governments and their subdivisions, agencies and instrumentalities.

Explicitly, the Act does not apply to a number of entities including: financial institutions that are subject to the Gramm-Leach-Bliley Act; health insurers or healthcare facilities that are subject to the Health Insurance Portability and Accountability Act; consumer reporting agencies that are subject to the Federal Credit Reporting Act; and any government, governmental subdivision, agency, or instrumentality.

The Act defines personal identifying information as a consumer's first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: social security number, passport number, driver's license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information. However, this creates a question as to its applicability to other information collected by an entity in the course of conducting employment/volunteer background checks.

This is not a legal interpretation and you should contact your legal counsel for a complete interpretation of the Act and its effect on your organization.

Source 1: Open States, which is a product of The Sunlight Foundation, a nonpartisan nonprofit that advocates for open government globally and uses technology to make government more accountable to all. Data on Open States is automatically collected nightly from official state websites, and this specific information was reported from the official website of the Delaware General Assembly.

Source 2: the Official Website of the First State

For more information on how this and other operational risks can be avoided, contact Benjamin Ventresca, Managing Partner - Brandywine Consulting Group, Inc at 610.696.5872