Monday, September 8, 2014

Legal Geek No. 23 - Delaware Data Destruction

Welcome back to Legal Geek. This week, we take a look at the new personal data destruction law put into effect in Delaware and how this may be the most important development in the hot field of privacy law to date.

https://archive.org/details/LegalGeekEp23

A few weeks ago, Delaware's legislators and governor signed into law a new data destruction policy that requires complete destruction of personal identifying information held by companies after it is no longer being used. More specifically, the law states that entities must "destroy…a consumer's personal identifying information within its custody and control that is no longer to be retained by the commercial entity...by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means."

This sounds good and it follows the lead of many other states which have put in consumer privacy protection laws, but is it the biggest win for consumer privacy in the war against identity theft? I think it is this important for a number of reasons.

First, the law applies to a wide variety of data sets maintained by companies, as any data set that includes personal identifying information falls under the destruction obligation. Because personal identifying information requires only a consumer's non-encrypted name in combination with any other personal item such as a Social Security number, credit card number, tax information, or bank account number, this should ensure any possible consumer data will be subject to destruction immediately upon the company's intent to stop using the information. The law also has broad applicability to paper and electronic records, including those stored in the cloud.

Second, the law as written appears to broadly apply to all companies subject to Delaware law, which would include the nearly 50% of companies in the U.S. which have chosen to incorporate in Delaware because of favorable business and tax laws there. The law has no exceptions for size, revenue, or charitable status, so all of these companies would now be subject to these tough privacy laws for protecting consumers.

Third, the law has bite on the enforcement side: it allows the Attorney General to bring regulatory actions and allows private lawsuits in which treble damages are possible for individual consumers in court. The law gives companies a clear incentive to destroy documents and information securely, limiting the chance that careless or negligent actions will lead to mass amounts of identity theft.

Bottom Line: companies are storing more and more consumer private data these days, and the attacks of hackers leading to identity theft are becoming more common. This law in Delaware encourages either encryption of all consumer data or destruction of data in a responsible and prompt manner when not being used, which should limit the leaks and openings most often exploited by identity thieves and hackers. Considering the potential coverage of about half of U.S. companies, this is the best state law consumer advocates could ever hope for and is a huge win in the war against identity theft.

Thanks for reading. Please provide feedback and legal-themed questions as segment suggestions to me on Twitter @BuckeyeFitzy or in the comments below.
