Corporations incorporated in Delaware, regardless of whether they are domiciled in Delaware, should take note of a new Delaware law that went into effect on January 1, 2015 regarding the destruction of unencrypted personal identifying information concerning employees.  Under the new Safe Destruction of Records Containing Personal Identifying Information law (19 Del. C. § 736), employers are required to take “reasonable steps to destroy or arrange for the destruction” of unencrypted records containing employees’ “personal identifying information.”  Upon passing this law, Delaware joined the list of 30 other states that have laws regulating the disposal of personal information, including New York and New Jersey.

The new safe destruction of records law is part of Delaware’s “Right to Inspect Personnel Files Act,” which broadly defines “employer” to include “any individual, person, partnership, association, corporation . . .”  While courts have yet to determine the issue of whether the Act’s expansive definition of employer automatically includes all corporations incorporated in Delaware, regardless of where they are domiciled, a reasonable interpretation of the Act and recent speculation in the media is that the Act, and the new safe destruction of records law are intended to apply to all Delaware incorporated corporations.

The new law also broadly defines both the terms “records” and “personal identifying information.”  The term “records” is defined as “information that is inscribed on a tangible medium,” and includes information “stored in an electronic or other medium.”  Under the law, “personal identifying information” means “an employee’s first name or first initial and last name” combined with any one of the following:

  • Social Security number;
  • passport number;
  • driver’s license or state identification card number;
  • insurance policy number;
  • financial services account number;
  • bank account number;
  • credit card number;
  • debit card number;
  • tax or payroll information; or
  • confidential health care information.

Companies wishing to destroy unencrypted personal identifying information must shred, erase or otherwise destroy or modify the personal identifying information in the records so that it is rendered unreadable or indecipherable.  A company who fails to properly destroy unencrypted personal data in accordance with the law could be subject to a civil action as the law provides a civil remedy to employees who incur actual damages due to a reckless or intentional violation of the law.

Given the number of companies that are incorporated in Delaware, this law has the potential to affect a large number of individuals and corporations located outside of Delaware, and further guidance should be monitored.  Employers who are incorporated in Delaware should examine and update their data destruction policies to ensure they are in compliance with the new Delaware law, as well as any other similar applicable laws that are in effect in states where they are domiciled and/or have employees located.  Epstein Becker & Green, P.C., attorneys can assist with updating existing, or developing new, policies to comply with these data destruction laws.

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.