Tuesday, September 2, 2014

Is Your Company Subject to Laws Regulating Safe Destruction of Documents?

Many companies have document retention policies – in other words, policies determining how long they will keep certain kinds of documentation.  These policies also frequently cover when documents may be destroyed in the normal course of business.  (Assuming, of course, that no litigation is pending and that there is no other reason why the company would be legally obligated to keep these documents.)  It’s almost a business necessity these days given the cost of document storage.

It is also a fairly safe bet that by now, most people have heard about the potential risks associated with data breaches, or at the very least, have heard about the Target data breach during the holiday season in 2013.

However, did you know that many states regulate how personal information can be destroyed?  Or, more specifically, how documents and records that contain such personal information may be discarded?  To date, at least thirty-one states have enacted laws like this (the link attached omits the Delaware law that was just enacted).
Leaving aside the specific rules and regulations relating to the protection from disclosure of personal health information (e.g., HIPAA, HITECH, etc.), many states mandate that business records containing personal information of a consumer (including, perhaps, the business’s employees, too) may only be discarded by “shredding, erasing or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means . . . . ”  E.g., 6 Del. Code §§ 50c-101 through 50c-104 (enacted July 1, 2014 – effective as of Jan. 1, 2015); N.J. Stat. Ann. 56:8-162 (same methods, adding “or nonreconstructable through generally available means” at the end); see also N.J. Stat. Ann. 56:8-161 (for applicable definitions).
In Illinois, the law is even more specific.  It requires documents containing personal information to be “redacted, burned, pulverized or shredded” if the documents exist in paper form, or “destroyed or erased” if they are electronic files.  815 ILCS 530/40.  In both cases, these methods are recommended to ensure that the “personal information [contained in the document] cannot practicably be read or reconstructed.”  Id.
In general, this means that you cannot simply throw out old records that contain personal information of a customer (or, perhaps, even an employee) by throwing it in the trash, or setting it aside for recycling.  They have to be handled appropriately.  (Note that some commercial vendors offering shredding services can ensure that the shredded material is handled in an environmental-friendly manner.)
Many of these statutes also carry penalties – whether in the form of government fines or in civil remedies to the consumers whose personal data have been compromised.  For instance, Illinois’ statute provides that any violation of the document destruction law automatically constitutes a violation of the state’s unfair business practices act (which has its own penalties) and is subject to civil penalties, payable to the state Attorney General, of at least $100 per individual whose information has been improperly destroyed, but not more than $50,000 total.  Id. 
In Delaware, not only can the Attorney General seek penalties from any “commercial entity that does not take all reasonable steps in disposing of a customer’s personal identifying information,” but any consumer who has suffered actual damages as a result of this violation of this statute can sue the responsible commercial entity.  6 Del. Code § 50c-103(b).  In these cases, courts are permitted to treble (triple) the damages awarded.  Id.

So, here’s the lesson – if your company (whether a for-profit or not-for-profit entity) creates, maintains or discards personal information owned by a customer, check to see whether one of these state records destruction laws applies to your operations.  If your company operates in more than one state, dig deeper and check all relevant states.  Find out if there are “records destruction laws” that apply to your company and read them carefully.  Some have different requirements, and some are more stringent than others. 
Complying with these laws may also have the added benefit of helping your company avoid, or at least minimize, the significant losses associated with an unfettered data breach.