By Deborah Hinck

Privacy in the Tech Age: Delaware Law Protects Personal Identifying Information

May 25th, 2016 in Analysis, News, State Legislation

On Jan 1, 2015, Delaware’s “Safe Destruction of Records Containing Personal Identifying Information” law (“§736”) went into effect. Under this law, a Delaware business that tries but fails to adequately destroy a record containing an employee’s personally identifying information (“PII”) could face liability.  Any employee who suffers actual harm due to such a failure can sue their employer for violating §736.

While a seemingly straightforward and pragmatic law, the details (or the definitions in this case) may prove particularly problematic for a vast majority of the nation’s businesses.  Specifically, §736 defines both “PII” and “record” in extremely broad terms.

Legislative Hall Dover, Delaware


Any information that is “inscribed on a tangible medium, or that is stored in an electronic or other medium and is retrievable in perceivable form on which personal identifying information is recorded or preserved” qualifies as a record under this law. Practically speaking, that includes any document, note, email, or database that contains PII.

Similarly, the law’s definition of PII encompasses a vast array of information. Under §736, a record contains PII if it includes an employee’s first name or first initial and last name in combination with one of the following:

  • social security number
  • passport number
  • driver’s license or state identification card number
  • insurance policy number
  • financial services account number
  • bank account number
  • credit card number
  • debit card number
  • tax or payroll information
  • confidential health care information.

These highly inclusive definitions create a law with broad protections for employees and their personal data. A company faces liability in the event that records containing an employee’s PII were not properly destroyed, those records were improperly accessed, and the employee suffered real harm as a result.

Records Containing PII

Based on §736’s definitions of “PII” and “record,” many different sources of information could result in liability under this law. Some of these sources are obvious, such as the physical piece of paper that an employee fills out to sign up for direct deposit or a database containing a company’s payroll information.

But there are less obvious sources of PII that could also result in liability. For example, consider a company that typically combines an employee’s first initial and last name to create that employee’s login credentials and email account.  That employee is travelling for business and emails their passport number to a travel coordinator.  Under §736, that email could trigger liability.

These more obscure one-off emails may prove difficult if not impossible to identify and consequently protect. As such, identifying the records that require proper destruction could present a challenge. In order to truly guard against a §736 violation, a company may need to ensure that all records, even records free of PII, are destroyed appropriately.


Properly Destroyed Records

The law specifies that a company must take “all reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.” While most companies implement document destruction policies for sensitive documents, this law requires additional steps for the destruction of digital records.  Ensuring that digital data is erased is easier said than done. Even data deleted from a hard drive is typically recoverable. Digital forensics experts and simple data recovery software programs tout the ability to quickly recover previously deleted data. In order to completely destroy data from a hard drive, experts recommend deleting the information, re-writing over the information, and physically destroying the drive. This process is just not practical every time someone deletes an email. As such, the requirement that the company take “all reasonable” steps may prove difficult to comply with.

Improperly Accessed Data

 In order for a company to face liability, the PII must be improperly accessed. Unfortunately, corporate security and data privacy breaches have become increasingly common. While breaches involving customer data typically receive more media coverage, the nefarious actors stealing data do not always differentiate between employee and customer PII. The increasing frequency of these breaches indicates that companies should be ready for a breach. Companies should take all necessary steps to ensure data security and avoid a breach but should also be prepared to respond to one. In the context of §736, being prepared means ensuring that record deletion and destruction policies are adequate under the law.

Employee’s Harm

 Any improperly accessed PII has the potential to result in a stolen identity, which can then lead to a number of horrible outcomes. Victims of identity theft have experienced severe financial consequences, mistaken jail time, and even life-threatening medical consequences. Identity theft results in real and substantive harms. That harm compounds as the number of people whose data was stolen increases. For companies with thousands of employees, a single data breach could result in significant liability.

Businesses that Must Comply with §736

Delaware’s “Safe Destruction of Records Containing Personal Identifying Information” law also has broad impact due to its expansive reach. Since Delaware is a preferred location to incorporate or organize a business, this law could have affected a significant number of US companies.  In response to this fear, the Legislature passed an amendment to the law in May 2015 to limit the law’s reach to only commercial entities that “transact business” in Delaware.

In order to avoid liability under §736, Delaware companies may need to update existing data deletion and security processes. Because of the complexity in identifying all records that contain PII, the increasing probability of a breach, and difficulty in completely deleting digital data, however, the best way to avoid liability under §736 may be to ensure the encryption of all digital records that could possibly contain PII. Under §736, if all of the data that comprises the PII is encrypted then a company avoids liability should a breach occur. If either the name or the additional information is unencrypted, however, the company may face liability under §736. As such, this solution may not cover the email containing a passport number sent from an email address comprised of the employee’s name, but will capture many other obscure records that may contain PII.

Delaware’s “Safe Destruction of Records Containing Personal Identifying Information” law provides pragmatic privacy protections for employees, but may create significant challenges for Delaware companies. While large corporations may be able to both implement appropriate measures to avoid liability under §736 and absorb the cost of any resulting liability should the measures fail, smaller companies may not be able to do either.

As is true in many aspects of corporate law, Delaware may be leading the way in how companies will deal with data and privacy in the future.  Other states, therefore, may look to this law as a model to amend their data laws.

Deborah J. Hinck is a Colorado native who has recently adopted Boston, Massachusetts as home. She received her B.S. with a double major in Electrical Computer Engineering and Applied Mathematics from the University of Colorado and her M.A. in Communications from the University of Washington. Deborah is expected to graduate from Boston University with a Juris Doctor in Spring 2017. She is interested in technology law and policy, including intellectual property, digital privacy, and digital security. Deborah hopes to contribute in these areas in the future.

The Demise of the EU-U.S. Safe Harbor Agreement

January 28th, 2016 in Federal Legislation, Legislation in Court

Maximillian Schrems, an Austrian law student, is at the center of a monumental shift in data relations between the United States and the European Union; a shift that revolves around a clash in philosophies regarding data privacy.

The EU views privacy as a fundamental human right. The U.S. does not. Americans seem willing to relinquish control of personally identifying data, as long as the data is protected and used responsibly. When a company does not protect personal data, Americans express their displeasure in the form of civil litigation rather than legislation.

In comparison, the EU codified data privacy rights in 1995 in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, P. 31) (“Data Protection Directive”). This directive provides strong data privacy rights for EU citizens. Most notably, each EU citizen has the right to, at any time, revoke previously given consent to obtain or use personally identifying data, access their own personally identifying data, and correct that personally identifying data.

Because of these stronger data privacy rights, the transfer of personally identifying data from the EU to the U.S. concerns many EU citizens and policy makers. The primary fear, which was intensified by the Edward Snowden revelations, is that U.S. companies will not respect EU Data Privacy Laws.

European Union Court of Justice


Under the Data Protection Directive, companies can legally transfer data from the EU to the U.S. by obtaining consent from the data owner, entering into data protection agreements, creating binding corporate rules, or implementing model clauses. These methods are far from ideal, however. They are expensive and subject U.S. companies to the jurisdiction of EU Data Privacy Commissions.

As e-commerce, remote work, and social media grew in popularity, the digital transfer of personal data became a regular part of daily life and existing data transfer methods proved unwieldy and burdensome. In response, the U.S.-EU Safe Harbor Agreement (“Safe Harbor”) addressed these concerns by creating a streamlined process for U.S. companies to comply with the Data Protection Directive. Companies that self-certify with the FTC under Safe Harbor agree to abide by the principles of EU data privacy laws but are under FTC jurisdiction instead of EU jurisdiction.

While Safe Harbor addresses the concerns of U.S. companies, many in the EU criticize Safe Harbor as ineffective, maintaining that the self-certification process and lack of substantive enforcement render Safe Harbor meaningless. In addition, classified documents made public by Edward Snowden in 2013 indicate that certain U.S. intelligence services allegedly tap into the central servers of major U.S. Internet companies and access personal data. By complying with U.S. law and allowing the government access to this data, companies cannot also adhere to the data privacy principles agreed to under Safe Harbor.

This very concern prompted Maximillian Schrems to file a complaint with the Irish Data Protection Commissioner regarding his personally identifying data collected by Facebook. As a Facebook user for over seven years, Mr. Schrems contends that a portion (if not all) of his data was transferred from Facebook’s Irish subsidiary to Facebook data servers located in the U.S.

The Irish Data Protection Commission originally rejected Mr. Schrems’ complaint, citing the Safe Harbor agreement as sufficient evidence that Facebook provided adequate levels of protection for the personally identifying data transferred to the U.S.

While Facebook is Safe Harbor certified, Mr. Schrems maintains that the Snowden revelations prove that U.S. law and policy are such that it is impossible for a company to simultaneously comply with Safe Harbor standards and U.S. law. As such, Mr. Schrems appealed his case to the High Court of Ireland.

On Sept 23, 2015 Advocate General Yves Bot (“AG Bot”) issued a strongly worded opinion in Maximillian Schrems v. Data Protection Commission (case C-362/14), urging the Court of Justice of the European Union to suspend the existing Safe Harbor Agreements.

Less than two weeks later, the Court of Justice of the European Union did just that. On October 6, 2015 the Court invalidated Safe Harbor, declaring that Safe Harbor compromises the fundamental right to privacy, denies the right to judicial protection, and prevents enforcement of EU laws.

Effective immediately, the Court of Justice’s ruling creates very real problems for any U.S. company that relies on Safe Harbor to transfer data from the EU to the U.S. As of October 6, both future and all past data transfers completed under Safe Harbor are illegal.

Adding to the confusion is the fact that the European Commission and U.S. authorities are in the process of negotiating Safe Harbor reforms. The Court of Justice’s decision to invalidate Safe Harbor full stop creates an abrupt and unexpected obstacle for these negotiations. The ambiguity surrounding the legal and political future of personal data transfer from the EU leaves U.S. companies, operating under Safe Harbor, a choice between a limited set of less than ideal options:

  1. Immediately cease all data transfer and update current systems and processes to comply with the EU Data Protection Directive. While being extremely disruptive to business, it may also be difficult to completely shut off all forms of data transfer (such as employee information needed for hiring and payroll) between the U.S. and the EU.
  2. Continue operating as normal while concurrently developing new systems, hoping that the EU delays enforcing the Data Protection Directive and allows formerly Safe Harbor certified companies an opportunity to update systems and processes in order to comply with the Data Protection Directive outright. While the business may not suffer the full effects of a shutdown, a potentially substantial risk of legal proceedings exists.
  3. Implement an interim solution that ceases all non-essential transfers of personal data and focuses on ensuring compliance for critical data transfers, while waiting for the European Commission and U.S. authorities to continue their Safe Harbor reform negotiations. Relying on a diplomatic solution is a gamble that some companies may be willing to take. If a satisfactory solution cannot be worked out politically, then there is always Option 4.
  4. Cease all business in the EU that may result in the transfer of personal data from the EU to the U.S. This response to the Court of Justice’s ruling may seem extreme, but for smaller businesses it may end up being the most economically rational response if the cost of compliance is greater than the benefit of doing business in the EU.

None of these options is ideal and each one presents significant challenges and uncertainty for U.S. companies. Not only will updating technological systems and business processes be expensive and time consuming at the outset, but the potential of increased oversight, auditing, and regulatory action imposed by EU Data Commissions will also result in a rise in the daily operating costs of any company that transfers personal data from the EU to the U.S.

The full extent of the damage caused by the demise of Safe Harbor remains unknown, but one thing is certain: this change in data relations between the U.S. and the EU signals a substantial increase in the cost of doing business in and with the EU.

 
