Privacy in the Tech Age: Delaware Law Protects Personal Identifying Information

May 25th, 2016 in Analysis, News, State Legislation

On Jan 1, 2015, Delaware’s “Safe Destruction of Records Containing Personal Identifying Information” law (“§736”) went into effect. Under this law, a Delaware business that tries but fails to adequately destroy a record containing an employee’s personally identifying information (“PII”) could face liability.  Any employee who suffers actual harm due to such a failure can sue their employer for violating §736.

While a seemingly straight-forward and pragmatic law, the details (or the definitions in this case) may prove particularly problematic for a vast majority of the nation’s businesses.  Specifically, §736 defines both “PII” and “record“ in extremely broad terms.

Legislative Hall Dover, Delaware

Legislative Hall
Dover, Delaware

Any information that is “inscribed on a tangible medium, or that is stored in an electronic or other medium and is retrievable in perceivable form on which personal identifying information is recorded or preserved” qualifies as a record under this law. Practically speaking, that includes any document, note, email, or database that contains PII.

Similarly, the law’s definition of PII encompasses a vast array of information. Under §736, a record contains PII if it includes an employee’s first name or first initial and last name in combination with one of the following:

  • social security number
  • passport number
  • driver’s license or state identification card number
  • insurance policy number
  • financial services account number
  • bank account number
  • credit card number
  • debit card number
  • tax or payroll information
  • confidential health care information.

These highly inclusive definitions create a law with broad protections for employees and their personal data. A company faces liability in the event that records containing an employee’s PII were not properly destroyed, those records were improperly accessed, and the employee suffered real harm as a result.

Records Containing PII

 Based on §736’s definitions of “PII” and “record” many different sources of information could result in liability under this law. Some of these sources are obvious.  Such as the physical piece of paper that an employee fills out to sign up for direct deposit or a database containing a company’s payroll information.

But there are less obvious sources of PII that could also result in liability. For example, consider a company that typically combines an employee’s first initial and last name to create that employee’s login credentials and email account.  That employee is travelling for business and emails their passport number to a travel coordinator.  Under §736, that email could trigger liability.

These more obscure one-off emails may prove difficult if not impossible to identify and consequently protect. As such, identifying the records that require proper destruction could present a challenge. In order to truly guard against a §736 violation, a company may need to ensure that all records, even records free of PII, are destroyed appropriately.

shredding

Properly Destroyed Records.

 The law specifies that a company must take “all reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.” While most companies implement document destruction policies for sensitive documents, this law requires additional steps for the destruction of digital records.  Ensuring that digital data is erased is easier said than done. Even data deleted from a hard drive is typically recoverable. Digital forensics experts and simple data recovery software programs tout the ability to quickly recover previously deleted data. In order to completely destroy data from a hard drive, experts recommend deleting the information, re-writing over the information, and physically destroying the drive. This process is just not practical every time someone deletes an email. As such, the requirement that the company takes “all reasonable” steps may prove difficult to comply with.

Improperly Accessed Data

 In order for a company to face liability, the PII must be improperly accessed. Unfortunately, corporate security and data privacy breaches have become increasingly common. While breaches involving customer data typically receive more media coverage, the nefarious actors stealing data do not always differentiate between employee and customer PII. The increasing frequency of these breaches indicates that companies should be ready for a breach. Companies should take all necessary steps to ensure data security and avoid a breach but should also be prepared to respond to one. In the context of §736, being prepared means ensuring that record deletion and destruction policies are adequate under the law.

Employee’s Harm

 Any improperly accessed PII has the potential to result in a stolen identity, which can then lead to a number of horrible outcomes. Victims of identity theft have experienced severe financial consequences, mistaken jail time, and even life-threatening medical consequences. Identity theft results in real and substantive harms. That harm compounds as the number of people whose data was stolen increases. For companies with thousands of employees, a single data breach could result in significant liability.

Business that Must Comply with §736

Delaware’s “Safe Destruction of Records Containing Personal Identifying Information” law also has broad impact due to its expansive reach. Since Delaware is a preferred location to incorporate or organize a business, this law could have affected a significant number of US companies.  In response to this fear, the Legislature passed an amendment to the law in May 2015 to limit the law’s reach to only commercial entities that “transact business” in Delaware.

In order to avoid liability under §736, Delaware companies may need to update existing data deletion and security processes. Because of the complexity in identifying all records that contain PII, the increasing probability of a breach, and difficulty in completely deleting digital data, however, the best way to avoid liability under §736 may be to ensure the encryption of all digital records that could possibly contain PII. Under §736, if all of the data that comprises the PII is encrypted then a company avoids liability should a breach occur. If either the name or the additional information is unencrypted, however, the company may face liability under §736. As such, this solution may not cover the email containing a passport number sent from an email address comprised of the employees name, but will capture many other obscure records that may contain PII.

Delaware’s “Safe Destruction of Records Containing Personal Identifying Information” law provides pragmatic privacy protections for employees, but may create significant challenges for Delaware companies. While large corporations may be able to both implement appropriate measures to avoid liability under §736 and absorb the cost of any resulting liability should the measures fail, smaller companies may not be able to do either.

As is true in many aspects of corporate law, Delaware may be leading the way in how companies will deal with data and privacy in the future.  Other state, therefore, may look to this law as a model to amend their data laws.

Debbie Hinck 1 2014Deborah J. Hinck is a Colorado native who has recently adopted Boston, Massachusetts as home. She received her B.S. with a double major in Electrical Computer Engineering and Applied Mathematics from the University of Colorado and her M.A. in Communications from the University of Washington. Deborah is expected to graduate from Boston University with a Juris Doctor in Spring 2017. She is interested in technology law and policy, including intellectual property, digital privacy, and digital security. Deborah hopes to contribute in these areas in the future.

Massachusetts Legislature Passes Controversial Solar Energy Bill

May 25th, 2016 in Analysis, News, State Legislation


After months of negotiation, the Massachusetts Legislature finally reached a compromise  to raise the caps on the state’s controversial net metering program. The net metering program enables solar (and other alternate energy) producers to sell excess power their systems produce back to the grid for a credit on their account.  However, the previous law capped the amount of energy that power companies can accept as a percentage of each company’s highest historical peak load.  That is, power companies are currently limited by law from accepting more than 4% at private companies and 5% at public companies of the most electricity historically consumed by their customers at any one time.  These restrictions threatened to make the fledgling solar energy industry in Massachusetts a victim of its own success.  By the end of 2015, some advocates reported that 171 Massachusetts communities had already reached their cap, including much of Eastern Massachusetts.  As these caps were reached, new solar projects were stuck in the shade—with owners unable to capitalize on their solar investments.  Time was also of the essence because federal renewable energy tax credits—which help further incentivize solar development—are set to expire at the end of 2016.  Solar projects hoping to take advantage of these credits need to begin construction soon, and some worried that without an update to the law would result in millions of dollars in solar investment moving out of state.  images

Although the Senate introduced legislation to alter the cap in July 2015, and Governor Baker introduced his own legislation a month later, the House waited until November 17—two days before the legislature was scheduled to enter a recess—to file it’s version: H. 3854.  Although members of the House and Senate joint committee tried to quickly negotiate a compromise between the two proposals, after a short 90-minute session they conceded the issue was too complex and that it would take more time than they had before the recess to reach an agreement.  The House bill—which was considerably more conservative than the Senate or Governor’s versions—was quickly decried by many solar advocacy groups.  While the House agreed with the Senate that the cap should be raised to 1,600 megawatts—a 2 percent increase over existing caps—it also included utility industry friendly provisions allowing for the addition of a  “minimum monthly reliability contribution” to net metering bills, reduced future net metering compensation rates from retail to wholesale prices above the 1600 megawatt cap, included a provision switching all net metering compensation rates to wholesale rates after 15 years, and organized a solar incentive program under the ultimate oversight of the Department of Public Utilities. The House’s last-minute submission drew objections from some lawmakers, including Senate President Pro Tempore Marc Pacheco, who referring to the House’s proposal as the utility bill.

Of course, the question remains whether the net metering program is in the best interest of the public.  Some argue that net metering—particularly residential net metering— essentially shifts electricity distribution costs onto energy customers that do not produce solar energy.  This amounts to a subsidy for alternate energy producers from non-alternate energy producers.  In fact, a recent MIT study and a report from the Louisiana Public Service Commission both concluded that residential net metering should be abolished altogether, in part because pushback from utilities companies will threaten solar power development in general.  However, many solar advocates dispute these conclusions.  In fact, several other state reports have found either neutral or positive effects from net metering programs—including studies from Vermont, Nevada, and Mississippi.  And while net metering remains controversial, states have overwhelmingly chosen to adopt some sort of net metering approach, with only 4 states (South Dakota, Tennessee, Mississippi, and Alabama) currently rejecting any sort program.  However, states almost all impose some sort of cap on net metering credits, with only 3 states (Arizona, New Jersey, and Ohio) imposing no net metering capacity limits.

With the mixed opinions on the effectiveness of net metering credits, Massachusetts lawmakers cannot be blamed for taking a cautious approach, and ultimately, that is what happened when Governor Baker signed a compromise bill into law in April 2016.  The new law raises the net metering cap by 3% for public and privately owned installations while decreasing the value of the credits for power sold by many of the solar producing customers by 40%.  Residential customers, municipalities and small commercial projects will continue to receive retail rate credits and existing projects will be grandfathered in at the retail rates they receive now for 25 years.  According to the State House News, lead Senate negotiator Sen. Benjamin Downing (D-Pittsfield) stated, “Solar will continue to grow and play a vital role here in Massachusetts and its going to do so in a cost effective way.”

This, however, is not the end of the issue.  The Legislature will likely have to revisit the caps within a year when they are again reached.  California and New York have both put into place a long-term and comprehensive plan for increased solar energy production and net metering.  Massachusetts should do the same in the next session, which begins in January 2017.

 

Spunaugle Bio PicTyler L. Spunaugle is from Miami, Oklahoma and graduated from Dartmouth College majoring in both Philosophy and Native American Studies. Tyler is scheduled to graduate from Boston University with a Juris Doctor in Spring 2016, with active participation in two of BU’s clinics. After graduation, Tyler will be working as a staff attorney for the Government Accountability Office in Washington, DC.