It is also a fairly safe bet that by now, most people have heard about the potential risks associated with data breaches, or at the very least, have heard about the Target data breach during the holiday season in 2013. However, did you know that many states regulate how personal information can be destroyed? Or, more specifically, how documents and records that contain such personal information may be discarded? To date, at least thirty-one states have enacted laws like this (the link attached omits the Delaware law that was just enacted).
Leaving aside the specific rules and regulations relating to the protection from disclosure of personal health information (e.g., HIPAA, HITECH, etc.), many states mandate that business records containing personal information of a consumer (including, perhaps, the business’s employees, too) may only be discarded by “shredding, erasing or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means . . . .” E.g., 6 Del. Code §§ 50c-101 through 50c-104 (enacted July 1, 2014 – effective as of Jan. 1, 2015); N.J. Stat. Ann. 56:8-162 (same methods, adding “or nonreconstructable through generally available means” at the end); see also N.J. Stat. Ann. 56:8-161 (for applicable definitions).
In Illinois, the law is even more specific. It requires documents containing personal information to be “redacted, burned, pulverized or shredded” if the documents exist in paper form, or “destroyed or erased” if they are electronic files. 815 ILCS 530/40. In both cases, these methods are recommended to ensure that the “personal information [contained in the document] cannot practicably be read or reconstructed.” Id.
In general, this means that you cannot simply throw out old records that contain personal information of a customer (or, perhaps, even an employee) by tossing them in the trash or setting them aside for recycling. They have to be handled appropriately. (Note that some commercial vendors offering shredding services can ensure that the shredded material is handled in an environmentally friendly manner.)
Many of these statutes also carry penalties – whether in the form of government fines or in civil remedies to the consumers whose personal data have been compromised. For instance, Illinois’ statute provides that any violation of the document destruction law automatically constitutes a violation of the state’s unfair business practices act (which has its own penalties) and is subject to civil penalties, payable to the state Attorney General, of at least $100 per individual whose information has been improperly destroyed, but not more than $50,000 total. Id.
In Delaware, not only can the Attorney General seek penalties from any “commercial entity that does not take all reasonable steps in disposing of a customer’s personal identifying information,” but any consumer who has suffered actual damages as a result of a violation of this statute can sue the responsible commercial entity. 6 Del. Code § 50c-103(b). In these cases, courts are permitted to treble (triple) the damages awarded. Id.
So, here’s the lesson – if your company (whether a for-profit or not-for-profit entity) creates, maintains or discards personal information owned by a customer, check to see whether one of these state records destruction laws applies to your operations. If your company operates in more than one state, dig deeper and check all relevant states. Find out if there are “records destruction laws” that apply to your company and read them carefully. Some have different requirements, and some are more stringent than others.

Complying with these laws may also have the added benefit of helping your company avoid, or at least minimize, the significant losses associated with an unfettered data breach.