Contractual Obligations to Destroy Consumer Information
Consumers and businesses are expressing increasing concerns over data privacy and security risks. The increasing frequency of data breach headlines shows these concerns are not trivial. Recent breaches involving Target and Neiman-Marcus, for example, are just the latest high-profile incidents that underscore the need to know that financial transactions are secure. When there is a Target- or Neiman-Marcus-sized breach involving personally identifiable information (PII) resulting in PII landing in the hands of unscrupulous third parties, there are significant consequences: our own information can be used against us (identity theft) and also to harm retailers and credit card companies. Financial and transactional security and cyber-privacy concern everyone.
Many businesses find themselves covered by a patchwork of state and federal laws governing consumer protection, privacy and data security. A client recently asked us to research the new Delaware law on data destruction (DE Code §50C-101). Specifically at issue was the definition of “consumer” under the Act.
A company in the financial services industry may have several different subsidiaries incorporated in Delaware. Most of them are likely covered by the Gramm-Leach-Bliley Act (“GLBA”) exception for regulated financial institutions with respect to the obligation to protect a consumer’s information. However, a subsidiary may function as a service provider to regulated and unregulated businesses, providing administration, accounting and other services, and may not itself be regulated. This entity will probably have contractual agreements with these other business entities but probably not with the end “consumer.” As such, the service provider may still have an obligation to protect consumer information via these contracts.
When drafting such contracts, the question arises regarding the scope of the information to be protected since the GLBA defines consumer differently than the Delaware Act. GLBA mentions “financial products or services” where Delaware talks about “entering into a transaction.”
Delaware statute: “A commercial entity shall take all reasonable steps to destroy or arrange for the destruction of a consumer’s personal identifying information within its custody and control that is no longer to be retained by the commercial entity by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means …”
Delaware Definition of Consumer: “an individual who enters into a transaction primarily for personal, family, or household purposes.”
GLBA Definition of Consumer: “an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes.”
The Delaware definition of consumer appears to require a service provider to destroy the “consumer” information irrespective of any contractual agreement. This would appear to place responsibility for data destruction with the service provider rather than the entities it serves, e.g. those that have the true relationship with the consumers according to GLBA.
The Delaware definition of consumer is fairly standard and is used by most states in their “Unfair Trade Practices and Consumer Protection” type laws. The definition can be reasonably understood as intended to exclude businesses from the protection of such laws. It appears that a “Consumer” under Delaware law is broader and more inclusive than under the GLBA. Since state courts may have more expansive powers to protect a consumer under state law than would be permitted under the GLBA (a law primarily intended to regulate financial institutions), and since the Delaware Act is a consumer protection statute, it is wise to presume that Delaware courts would interpret and apply the law as expansively as possible to protect consumers.
From a contractual relationship standpoint, it is incumbent on service providers to clearly address these issues in their contract and balance compliance risks and burdens among the parties best situated to ensure compliance.
NOTE: THIS IS NOT LEGAL ADVICE. If you have questions regarding application and interpretation of any laws, rules or regulations, you should consult a qualified attorney regarding your specific situation.
You may contact the Adler Law Group to schedule a free consultation by calling (866) 734-2568.