Privacy in the Tech Age: Delaware Law Protects Personal Identifying Information
On Jan 1, 2015, Delaware’s “Safe Destruction of Records Containing Personal Identifying Information” law (“§736”) went into effect. Under this law, a Delaware business that tries but fails to adequately destroy a record containing an employee’s personally identifying information (“PII”) could face liability. Any employee who suffers actual harm due to such a failure can sue their employer for violating §736.
While a seemingly straight-forward and pragmatic law, the details (or the definitions in this case) may prove particularly problematic for a vast majority of the nation’s businesses. Specifically, §736 defines both “PII” and “record“ in extremely broad terms.
Legislative Hall
Dover, Delaware
Any information that is “inscribed on a tangible medium, or that is stored in an electronic or other medium and is retrievable in perceivable form on which personal identifying information is recorded or preserved” qualifies as a record under this law. Practically speaking, that includes any document, note, email, or database that contains PII.
Similarly, the law’s definition of PII encompasses a vast array of information. Under §736, a record contains PII if it includes an employee’s first name or first initial and last name in combination with one of the following:
- social security number
- passport number
- driver’s license or state identification card number
- insurance policy number
- financial services account number
- bank account number
- credit card number
- debit card number
- tax or payroll information
- confidential health care information.
These highly inclusive definitions create a law with broad protections for employees and their personal data. A company faces liability in the event that records containing an employee’s PII were not properly destroyed, those records were improperly accessed, and the employee suffered real harm as a result.
Records Containing PII
Based on §736’s definitions of “PII” and “record” many different sources of information could result in liability under this law. Some of these sources are obvious. Such as the physical piece of paper that an employee fills out to sign up for direct deposit or a database containing a company’s payroll information.
But there are less obvious sources of PII that could also result in liability. For example, consider a company that typically combines an employee’s first initial and last name to create that employee’s login credentials and email account. That employee is travelling for business and emails their passport number to a travel coordinator. Under §736, that email could trigger liability.
These more obscure one-off emails may prove difficult if not impossible to identify and consequently protect. As such, identifying the records that require proper destruction could present a challenge. In order to truly guard against a §736 violation, a company may need to ensure that all records, even records free of PII, are destroyed appropriately.
Properly Destroyed Records.
The law specifies that a company must take “all reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.” While most companies implement document destruction policies for sensitive documents, this law requires additional steps for the destruction of digital records. Ensuring that digital data is erased is easier said than done. Even data deleted from a hard drive is typically recoverable. Digital forensics experts and simple data recovery software programs tout the ability to quickly recover previously deleted data. In order to completely destroy data from a hard drive, experts recommend deleting the information, re-writing over the information, and physically destroying the drive. This process is just not practical every time someone deletes an email. As such, the requirement that the company takes “all reasonable” steps may prove difficult to comply with.
Improperly Accessed Data
In order for a company to face liability, the PII must be improperly accessed. Unfortunately, corporate security and data privacy breaches have become increasingly common. While breaches involving customer data typically receive more media coverage, the nefarious actors stealing data do not always differentiate between employee and customer PII. The increasing frequency of these breaches indicates that companies should be ready for a breach. Companies should take all necessary steps to ensure data security and avoid a breach but should also be prepared to respond to one. In the context of §736, being prepared means ensuring that record deletion and destruction policies are adequate under the law.
Employee’s Harm
Any improperly accessed PII has the potential to result in a stolen identity, which can then lead to a number of horrible outcomes. Victims of identity theft have experienced severe financial consequences, mistaken jail time, and even life-threatening medical consequences. Identity theft results in real and substantive harms. That harm compounds as the number of people whose data was stolen increases. For companies with thousands of employees, a single data breach could result in significant liability.
Business that Must Comply with §736
Delaware’s “Safe Destruction of Records Containing Personal Identifying Information” law also has broad impact due to its expansive reach. Since Delaware is a preferred location to incorporate or organize a business, this law could have affected a significant number of US companies. In response to this fear, the Legislature passed an amendment to the law in May 2015 to limit the law’s reach to only commercial entities that “transact business” in Delaware.
In order to avoid liability under §736, Delaware companies may need to update existing data deletion and security processes. Because of the complexity in identifying all records that contain PII, the increasing probability of a breach, and difficulty in completely deleting digital data, however, the best way to avoid liability under §736 may be to ensure the encryption of all digital records that could possibly contain PII. Under §736, if all of the data that comprises the PII is encrypted then a company avoids liability should a breach occur. If either the name or the additional information is unencrypted, however, the company may face liability under §736. As such, this solution may not cover the email containing a passport number sent from an email address comprised of the employees name, but will capture many other obscure records that may contain PII.
Delaware’s “Safe Destruction of Records Containing Personal Identifying Information” law provides pragmatic privacy protections for employees, but may create significant challenges for Delaware companies. While large corporations may be able to both implement appropriate measures to avoid liability under §736 and absorb the cost of any resulting liability should the measures fail, smaller companies may not be able to do either.
As is true in many aspects of corporate law, Delaware may be leading the way in how companies will deal with data and privacy in the future. Other state, therefore, may look to this law as a model to amend their data laws.
Deborah J. Hinck is a Colorado native who has recently adopted Boston, Massachusetts as home. She received her B.S. with a double major in Electrical Computer Engineering and Applied Mathematics from the University of Colorado and her M.A. in Communications from the University of Washington. Deborah is expected to graduate from Boston University with a Juris Doctor in Spring 2017. She is interested in technology law and policy, including intellectual property, digital privacy, and digital security. Deborah hopes to contribute in these areas in the future.
