Corporations incorporated in Delaware, regardless of whether they are domiciled in Delaware, should take note of a new Delaware law that went into effect on January 1, 2015 regarding the destruction of unencrypted personal identifying information concerning employees. Under the new Safe Destruction of Records Containing Personal Identifying Information law (19 Del. C. § 736), employers are required to take “reasonable steps to destroy or arrange for the destruction” of unencrypted records containing employees’ “personal identifying information.” Upon passing this law, Delaware joined the list of 30 other states that have laws regulating the disposal of personal information, including New York and New Jersey.
The new safe destruction of records law is part of Delaware’s “Right to Inspect Personnel Files Act,” which broadly defines “employer” to include “any individual, person, partnership, association, corporation . . .” While courts have yet to determine whether the Act’s expansive definition of employer automatically includes all corporations incorporated in Delaware, regardless of where they are domiciled, a reasonable interpretation of the Act, and recent speculation in the media, is that the Act and the new safe destruction of records law are intended to apply to all Delaware-incorporated corporations.
The new law also broadly defines both the terms “records” and “personal identifying information.” The term “records” is defined as “information that is inscribed on a tangible medium,” and includes information “stored in an electronic or other medium.” Under the law, “personal identifying information” means “an employee’s first name or first initial and last name” combined with any one of the following:
- Social Security number;
- passport number;
- driver’s license or state identification card number;
- insurance policy number;
- financial services account number;
- bank account number;
- credit card number;
- debit card number;
- tax or payroll information; or
- confidential health care information.
Companies wishing to destroy unencrypted personal identifying information must shred, erase or otherwise destroy or modify the personal identifying information in the records so that it is rendered unreadable or indecipherable. A company that fails to properly destroy unencrypted personal data in accordance with the law could be subject to a civil action, as the law provides a civil remedy to employees who incur actual damages due to a reckless or intentional violation of the law.
Given the number of companies that are incorporated in Delaware, this law has the potential to affect a large number of individuals and corporations located outside of Delaware, and further guidance should be monitored. Employers who are incorporated in Delaware should examine and update their data destruction policies to ensure they are in compliance with the new Delaware law, as well as any other similar applicable laws that are in effect in states where they are domiciled and/or have employees.