Legal Responsibility for Safe Disposal of Personal Data
This article will be published in an upcoming issue of CyberCrunch newsletter.
Businesses and government agencies collect vast amounts of personal data. As long as they hold the data, it is at risk of being hacked or stolen and then used for purposes that could harm people. That is why at least 35 states, including Delaware, have enacted laws requiring businesses or government agencies to destroy such information in a secure manner when it is no longer needed. This supports a key principle of data security known as data minimization. In other words, what you don’t have cannot be hacked.
Delaware has a number of data disposal laws, the primary one being the Safe Destruction of Records Containing Personal Identifying Information Act. It requires businesses that seek to permanently dispose of records containing personal identifying information to take reasonable steps to destroy or arrange for the destruction of the records. Such reasonable steps include shredding, erasing, or otherwise destroying or modifying the personal identifying information in the records to make it unreadable or indecipherable. “Personal identifying information” is defined as unencrypted data that includes a consumer's first name or first initial and last name in combination with any one of a number of elements, including Social Security number, passport number, driver's license or state identification card number, insurance policy number, financial services account number, bank account number, credit or debit card number, tax or payroll information, confidential health care information, diagnosis, condition or treatment, or evaluation from a health care provider who has treated the patient. The records containing such information can be in paper or electronic form. In the event of a violation, the law gives consumers who are harmed the right to bring a civil action against the business.
Certain businesses are exempt from the Safe Destruction of Records law, such as financial institutions subject to the federal Gramm-Leach-Bliley (GLB) Act, health insurers and health care facilities subject to federal HIPAA requirements, consumer reporting agencies subject to the Fair Credit Reporting Act, and governmental agencies. However, each of these types of institutions, as well as others, has its own sector-specific laws requiring safe destruction of personal data. These include the following:
- Health-related institutions under HIPAA are required to implement policies and procedures to address the final disposition of electronic personal health information (ePHI) as well as the hardware or electronic media on which it is stored, and to implement procedures for removal of ePHI from electronic media before the media are made available for reuse.
- Financial institutions are required under the GLB Safeguards Rule to have policies in place and conduct risk assessments of their information systems, including their practices for secure information disposal.
- Consumer reporting agencies are subject to Federal Trade Commission rules requiring the proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.”
- Under Delaware’s Student Data Privacy Protection Act, operators in possession of student data must delete such data within a reasonable time (not to exceed 45 days) on the request of a school district or school having control of the data.
- Under Delaware’s Right to Inspect Personnel Files Act, employers seeking to permanently dispose of records containing an employee’s personal data must take all reasonable steps to destroy or arrange for the destruction of the records by shredding, erasing, or otherwise destroying or modifying the data to make it unreadable or indecipherable. Employees are entitled to bring a civil action against an employer for intentional or reckless violations of this requirement.
Data disposal laws apply to information in both paper and digital form that is no longer relevant to the enterprise. Once the personal data is no longer needed, the entity must dispose of it using a method that renders the sensitive information unreadable or indecipherable. Some entities handle this duty in-house, while others contract it out to a vendor. In most states, the business collecting the information is liable for any failure to dispose of the data properly, even if a vendor is at fault, so businesses should choose their vendors carefully and make sure the contract protects them from liability caused by vendor error.
For guidance on different methods of data disposal, the National Institute of Standards and Technology (NIST) has published Special Publication 800-88, entitled Guidelines for Media Sanitization.