Delaware’s Governor has signed legislation related to the safe destruction of documents containing personal identifying information. The bill is effective January 1, 2015, and requires that commercial entities take all reasonable steps to destroy a consumer’s personal identifying information within the business’s custody and control, when the information is no longer to be retained. Destruction includes shredding, erasing, or otherwise destroying or modifying the personal identifying information to make it entirely unreadable or indecipherable through any means.
Personal identifying information includes, but is not limited to, a consumer’s first name or first initial and last name in combination with any one of the following: a signature; date of birth; social security number; passport number; driver’s license number, insurance policy number; or financial information (such as a credit card number).
There are exceptions for federally regulated financial institutions, healthcare organizations subject to HIPAA, consumer reporting agencies subject to the FCRA, and governmental bodies.
Violation of the statute carries stiff penalties, including treble damages.
The legislation is not a model of clarity, and leaves a lot of questions as to how it will be applied to Delaware businesses. Until the courts provide additional guidance, Delaware businesses are well advised to carefully review their document security.