Employer and Commercial Entity Liability for Document Disposal
In Labor & Employment Law | On March 22, 2016
Nearly a year after implementation, it appears that most employers (and perhaps also most commercial entities) remain unaware of relatively new laws that impose requirements and potential legal liability regarding the disposal of records. Because an entity not considered an “employer” might still be considered a “commercial entity” (and vice versa) and an entity can be both, both laws should be considered in forming document disposal policies and procedures. The nuts and bolts of what employers and commercial entities need to know are discussed below.
The law applicable to employers was added inconspicuously to a subchapter in the Delaware Code that has existed for more than thirty years, called the Right to Inspect Personnel Files Act. Specifically, the law can be found at 19 Del. C. § 736. For purposes of the law, “employer” includes any individual, person, partnership, association, corporation, the State, any of its political subdivisions or any agency, authority, board or commission created by them. “Employee” means any person currently employed, laid off with reemployment rights or on leave of absence (but does not include applicants for employment or designated agents). Thus, unlike most employment laws, there is no threshold number of employees that must be employed for an employer to meet the definition. Because the law provides a cause of action against any employer when an employee incurs actual damages due to a reckless or intentional violation, even the smallest employer should pay attention.
This law states that, in the event that an employer seeks permanently to dispose of records containing employees’ personal identifying information within its custody and control, such employer shall take all reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.
“Personal identifying information” means an employee’s first name or first initial and last name in combination with any one of the following data elements that relate to the employee, when either the name or the data elements are not encrypted: Social Security number, passport number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information. “Record” means information that is inscribed on a tangible medium, or that is stored in an electronic or other medium and is retrievable in perceivable form on which personal identifying information is recorded or preserved. “Record” does not include publicly available directories or sources containing information an employee has voluntarily consented to have publicly disseminated or listed or which is disseminated as provided for by applicable law or regulation, such as name, address, or telephone number, or other directories or sources as are derived solely from such directories or sources.
The law applicable to commercial entities can be found at 6 Del. C. § 5001C et seq. This law protects “consumers” (rather than employees) and it applies to “commercial entities” (rather than employers). “Commercial entity” means any legal entity, whether or not for profit; but exempts certain qualifying entities covered by the federal Gramm Leach Bliley Act (e.g., certain banks, credit unions, or financial institutions), the Health Insurance Portability and Accountability Act (e.g., certain health insurer or health-care facilities), or the Federal Credit Reporting Act (e.g., certain consumer report agencies). While Delaware’s legislative and executive branches apparently determined that this law is reasonable to impose on most commercial entities, exemptions from the law include “any government, governmental subdivision, agency, or instrumentality.”
After the law was passed, it was then amended to narrow the meaning of “commercial entity” to include only those legal entities that have the course or practice of carrying on any business activity in Delaware – including the solicitation of business or orders in Delaware. The bill does not clarify what is meant by “the course or practice”, “carrying on any business activity”, or “solicitation of business or orders.”
Like the law applicable to employers, this law provides that, in the event that a commercial entity seeks permanently to dispose of records containing consumers’ personal identifying information within its custody or [the law applicable to employers uses the word “and” instead of “or”] control, such commercial entity shall take [the law applicable to employers includes the here-omitted word “all”] reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable. As revealed by the observations in the brackets, commercial entities arguably have a duty in more instances than employers (i.e., commercial entities have a duty if they either have custody “or” control while employers only have a duty if they have custody “and” control). On the other hand, employers arguably have a greater duty if they have any duty (i.e., they must make “all reasonable steps” whereas commercial entities only must take “reasonable steps”).
Another noteworthy difference is that the law applicable to commercial entities (unlike the law applicable to employers) adds the following to the meaning of “health care information” within the definition of “personal identifying information”: all information relating to a patient’s health-care history; diagnosis condition, treatment; or evaluation obtained from a health-care provider who has treated the patient which explicitly or by implication identifies a particular patient. Thus, the law applicable to employers arguably has a broader meaning of the term “health care information” than does the law applicable to commercial entities.
Employers and commercial entities should make effort to build the above into policies and procedures governing the destruction of employee or consumer personal identifying information. Doing so should help to avoid legal liability in this new area of legal risk.
* Tim is Chair of the Delaware State Bar Association’s Labor and Employment Law Section’s Legislative Action Subcommittee, Co-Chair of the Delaware State Chamber of Commerce’s Employer Advocacy Subcommittee (“EAC”), and partner in the labor and employment group of Connolly Gallagher LLP. Employers or commercial entities having questions about these issues or other employment law issues are welcome to contact Tim at 302-252-4217.