BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:
Section 1. Amend Title 6, Subtitle II, of the Delaware Code by making deletions as shown by strike through and insertions as shown by underline as follows:
CHAPTER 50C. SAFE DESTRUCTION OF RECORDS CONTAINING PERSONAL IDENTIFYING INFORMATION
For purposes of this chapter:
(1) "Commercial entity" means a corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, or other legal entity, whether or not for profit.
(2) "Consumer" means an individual who enters into a transaction primarily for personal, family, or household purposes except employees.
(3) "Personal identifying information" means a consumer’s first name or first initial and last name in combination with any 1 of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted: social security number, passport number, driver's license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information including all information relating to a patient's health care history, diagnosis condition, treatment, or evaluation obtained from a health care provider who has treated the patient which explicitly or by implication identifies a particular patient.
(4) "Record" means information that is inscribed on a tangible medium, or that is stored in an electronic or other medium and is retrievable in perceivable form on which personal identifying information is recorded or preserved. “Record” does not include publicly available directories or sources containing information a consumer has voluntarily consented to have publicly disseminated or listed or which is disseminated as provided for by applicable law or regulation, such as name, address, or telephone number, or other directories or sources as are derived solely from such directories or sources.
§50C-102. Safe destruction of records.
In the event that a commercial entity seeks permanently to dispose of records containing consumers’ personal identifying information within its custody or control, such commercial entity shall take reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.
A consumer who incurs actual damages due to a reckless or intentional violation of this chapter may bring a civil action against the commercial entity.
This chapter does not apply to any of the following:
(1) Any bank, credit union, or financial institution, as defined under the federal Gramm Leach Bliley Law, that is subject to the regulation of the Office of the Comptroller of Currency, the Federal Reserve, the National Credit Union Administration, the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision and the U.S. Department of the Treasury, the Department of Business Regulation, or the Delaware Department of Insurance and is subject to the privacy and security provisions of the Gramm Leach Bliley Act, 15 U.S.C. section 6801 et seq, as amended;
(2) Any health insurer or health care facility that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996; or
(3) Any consumer report agency that is subject to and in compliance with the Federal Credit Reporting Act, 15 U.S.C. section 1681 et seq., as amended; or
(4) Any government, governmental subdivision, agency, or instrumentality.
Section 2. This Act shall take effect January 1, 2015.
Approved July 01, 2014