Data Disposal Regulations

As of January 2019, at least 35 states and Puerto Rico have created data disposal laws.⁴⁰ They have created these laws to make sure that personal information is properly disposed of. Personal data must be protected throughout its life cycle. This includes disposing of the information in an appropriate way.

Washington: Everyone Has an Obligation

Washington State created its personal data disposal law in 2002.⁴¹ In creating the law, the state legislature made comments about how important the law was. It said that:

• Careless disposal of personal information causes a significant risk of identity theft.
• Improper disposal threatens a person’s privacy and financial security.
• Everyone in the state has a duty to dispose properly of personal information.⁴²

The Washington disposal law applies to any person or entity in the state. It requires an entity to take reasonable steps to destroy records that contain health and financial data when it determines that it no longer needs those records.

The law requires entities to properly destroy information held in their records. Records are defined as any material—paper or electronic—that holds information. Entities must make sure that they destroy any personal financial or health information in their records. Personal financial and health information is data that identifies a person and is commonly used for financial or healthcare reasons.

The law states that an entity must destroy information in records so that it is no longer readable or decipherable. The law also states that proper destruction includes shredding, erasing, or modifying records so that they are no longer readable.⁴³

The Washington law allows a person harmed by a violation of the law to sue the entity that violated it. The law provides the plaintiff with several remedies that vary depending on the type of violation. If the entity’s failure to comply with the law was because of negligence, a court may award a penalty of $200 or actual damages. The court must award a plaintiff whichever amount is greater.

If an entity’s failure to comply with the law was intentional, then the court can award a penalty of $600 or actual damages. Again, the court must award whichever amount is greater. The law also allows the court to award “treble” (triple) damages, which are three times the amount of the actual damages incurred. The law states that treble damages may not be more than $10,000.⁴⁴

The law also allows the state attorney general to prosecute an entity that violates the law. In that instance, a court must award damages the same way that it awards damages to an individual plaintiff. The court may also grant injunctive relief. This means that it can order the entity to stop violating the law.

New York: Any Physical Record

On the other side of the country, New York State also has a data disposal law.⁴⁵ Its law states that no person or business may dispose of a record containing “personal identifying information” without shredding, destroying, or modifying it so that the information is no longer readable. The law requires that any person or business destroying the records must take action that is consistent with commonly accepted industry practices. They must use these practices to make sure that no unauthorized person has access to information in the record.

Under the New York law, records are any information held in any physical form, either paper or electronic. They include reports, letters, and computer tapes. Any type of data storage medium is a record. Personal identifying information is information in a record that identifies a person by name and includes any of the following:

• SSN
• Driver’s license number or identification card number
• Mother’s maiden name, financial account numbers or code, or any other identification number

The law allows for penalties of up to $5,000 for improper disposal. The attorney general alone has the authority to pursue violations of the law. There is no private cause of action.