Del. Data Destruction Law Provides Individual Remedy

July 28 — As of Jan. 1, 2015, businesses in De law are must take “reasonable steps” to protect personal information during its disposal and if they fail to meet the standard, may face possible enforcement action by the state and litigation by individual data subjects, under a recently enacted measure ( H.B. 295 ).

Businesses disposing of information must shred, erase or destroy personal data in electronic, paper or any other form and “make it entirely unreadable or indecipherable through any means.”

The law authorizes the Delaware Office of the Attorney General to file in state court to enforce the law.

An individual who can show “actual damages” related to the failure of a business to properly destroy his or her personal data may file a lawsuit. Under the law, courts are authorized to award treble damages.

Entities covered by the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act or the Fair Credit Reporting Act are exempt from the law. Government entities are also exempt.

The measure unanimously passed the house June 3, and the senate voted unanimously for the legislation June 18.

Delaware Governor Jack A. Markell (D) signed the bill into law July 1.

Full text of H.B. 295, as signed into law, is available at