Data Encryption: Delaware Passes Law That Requires Destruction Of PII.

Delaware has passed a law (which becomes effective on January 1, 2015) declaring that “commercial entities” must destroy any personally identifiable information (PII) belonging to consumers that is “no longer to be retained by the commercial entity.”  In other words, when disposing of PII, commercial entities must destroy customers’ information.  Of course, like most legislation, you have to take a look at the details.

Among them: encrypted data is not affected by this law, in effect creating a safe harbor clause.  What this means, it looks like, is that you’re allowed to dispose of computers with disk encryption without any additional work to be done on them

Definition of Commercial Entity

One of the more surprising twists of the law is how the Delaware law opted to define “commercial entity.”  According to jdsupra.com, the definition is overly broad and thus will

impact all corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, or other legal entity—whether or not for-profit.

You might be thinking, “well…that doesn’t appear overly broad at all.  It sounds reasonable.”  Except, there is this caveat:

The definition, however, raises the question of whether the new requirements apply just to entities doing business in Delaware, or if it also extends to entities formed in Delaware regardless of where they transact business. Given the number of companies incorporated in Delaware, the resolution of this ambiguity could have significant implications nationally.

The author at jdsupra.com notes that there are signs of restraint (HIPAA covered entities are not exempted from the law, for example), but it seems to me that, just because there are signs of restraint, it doesn’t mean that the above quoted section is meant to be interpreted with restraints.

For example, in 2011, Texas amended its Business and Commerce Code Section, 521.053 so that residents across the USA (possibly the world) are notified of data breaches if the business in question (that experienced the breach) did business in Texas.  If I’m not mistaken, an out was given for particular commercial entities that were covered by other data breach laws, such as HIPAA.  The Delaware law could also be aiming to have similar reach.

Defining Personal Information

In addition, the law defines personal information as follows (my emphasis):

a consumer’s first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: social security number, passport number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information.

In other words, the law made an effort to ensure that it didn’t unnecessarily burden companies or create legal oddities.  For example, is the Yellow Pages in breach of the law if someone tosses their freely delivered canary tome?  It shouldn’t be in principle, and it won’t be legally, either.  On the other hand, you really don’t need the correct name to make use of an SSN.

Yet Another Up Vote for Encryption

As more laws are passed addressing the issue of personal information security, the more they seem to include exceptions for data protected with encryption software.  Why?

Well, you could grab your roll of aluminum foil and proclaim that the government is in cahoots with the encryption industry.  But the truth of the matter is that encryption is one of the most effective ways of securing data from being accessed by unauthorized eyes.  Not only is it effective, the cost-to-benefit ratio is unprecedented: when the US government must throw all of its computing resources to break into a machine protected with $100 worth of software (and possibly fail in the process), that’s a lot of bang for your buck.

You can also assume the protection will be at least doubly effective if it’s someone else trying to break in and doesn’t have comparable resources.

Related Articles and Sites:
http://www.databreaches.net/delaware-adopts-law-requiring-the-destruction-of-consumers-personally-identifiable-information/
http://www.jdsupra.com/legalnews/delaware-adopts-law-requiring-the-destru-05135/
http://legis.delaware.gov/LIS/lis147.nsf/vwlegislation/E7AF55FF393A832E85257C590067118D



Comments (0)


Let us know what you think