GLBA
Subscribe to GLBA's Posts

New Data Disposal Law in Delaware Requires Action by Impacted Businesses

While the federal government continues its inaction on data security bills pending in Congress, some U.S. states have been busy at work on this issue over the summer.  A new Delaware law H.B. 295, signed into law on July 1, 2014 and effective January 1, 2015, provides for a private right of action in which a court may order up to triple damages in the event a business improperly destroys personal identifying information at the end of its life cycle.  In addition to this private right of action, the Delaware Attorney General may file suit or bring an administrative enforcement proceeding against the offending business if it is in the public interest.

Under the law, personal identifying information is defined as:

A consumer’s first name or first initial and last name in combination with any one of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted:

  • his or her signature,
  • full date of birth,
  • social security number,
  • passport number, driver’s license or state identification card number,
  • insurance policy number,
  • financial services account number, bank account number,
  • credit card number, debit card number,
  • any other financial information or
  • confidential health care information including all information relating to a patient’s health care history, diagnosis condition, treatment or evaluation obtained from a health care provider who has treated the patient, which explicitly or by implication identifies a particular patient.

Interestingly, this new law exempts from its coverage:  banks and financial institutions that are merely subject to the Gramm-Leach-Bliley Act, but the law only exempts health insurers and health care facilities if they are subject to and in compliance with the Health Insurance Portability and Accountability Act (HIPAA), as well as credit reporting agencies if they are subject to and in compliance with the Fair Credit Reporting Act (FCRA).

Given how broadly the HIPAA and FCRA exemptions are drafted, we expect plaintiffs’ attorneys to argue for the private right of action and triple damages in every case where a HIPAA- or FCRA-covered entity fails to properly dispose of personal identifying information, arguing that such failure evidences noncompliance with HIPAA or FCRA, thus canceling the exemption.   Note, however, that some courts have refused to allow state law claims of improper data disposal to proceed where they were preempted by federal law.  See, e.g., Willey v. JP Morgan Chase, Case No. 09-1397, 2009 U.S. Dist. LEXIS 57826 (S.D.N.Y. July 7, 2009) (dismissing individual and class claims alleging improper data disposal based on state law, finding they were pre-empted by the FCRA).

The takeaway?  Companies that collect, receive, store or transmit personal identifying information of residents of the state of Delaware (or any of the 30+ states in the U.S. that now have data disposal laws on the books) should examine their data disposal policies and practices to ensure compliance with these legal requirements.  In the event a business is alleged to have violated one of [...]

Continue Reading




Trendy “Cybersecurity” Versus Traditional “Information Security” Two Sides of the Same Security Coin

Cybersecurity has become a dominant topic of the day.  The Snowden revelations, the mega-data breaches of 2013, the pervasiveness of invisible online “tracking” and the proliferation of “ data broker” trading in personal data – all feed into the fears of individuals who struggle to understand how their personal information is collected, used and protected.  Over the past year, these forces have begun to merge an old concern by individuals about the security of their personal information into a broader, more universal fear that the country’s infrastructure lay vulnerable.

In many respects, however, the concept of cybersecurity is not new.  Cybersecurity is a form of information security, albeit perhaps with a broader, more universal view of required security controls.  Decades-old statutes include information security requirements for certain types of information, the Health Insurance Portability and Accountability Act (HIPAA) addresses health information and the Gramm-Leach-Bliley Act (GLBA) addresses financial information.  Add to those statutory regimes the U.S. Federal Trade Commission’s (FTC) enforcement authority over corporate information security practices pursuant to Section 5 of the FTC Act (recently upheld in Federal Trade Comm’n v. Wyndham Worldwide Corp.) and certain state-based data security regulations that require corporations to safeguard personal information (e.g., 201 CMR 17.00, et seq.).  The net effect of these regulatory drivers is that many organizations have focused for decades on developing administrative, physical and technical safeguards for effective protection of personal information – resulting in a programmatic approach to information security.

Now, along comes the evolution of cybersecurity with its own emerging standards.  Organizations are asking themselves whether they need to do something different or in addition to the programmatic steps already taken to comply with information security requirements that are applicable to the organization.  The good news is that while some additional work likely will be required as described below, companies with solid programmatic approaches to information security are well on their way to meeting the following emerging cybersecurity standards.

NIST Cybersecurity Framework

On February 12, 2013, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.”  The Executive Order has several key components, but most importantly, it contains a requirement for owners and operators of “critical infrastructure” to develop a cybersecurity framework.  The Order directed the National Institute of Standards and Technology (NIST) to develop a baseline cybersecurity framework to reduce cyber risks to critical infrastructure.  NIST subsequently developed its “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), which was released on February 12, 2014.  The goal of these efforts is to provide organizations with a cybersecurity framework as a model for their business.  While at this point, the Framework is intended to provide a voluntary program for owners and operators of critical infrastructure, it is already starting to seep into federal “incentives” used to encourage the private sector to comply with the Framework.  And the Framework itself may evolve into a sort of “security” standard of care.

SEC Cybersecurity and Disclosure Laws

In addition to the Framework, the U.S. Security and Exchange Commission (SEC) recently [...]

Continue Reading




STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021