HB884: Personal identifying information; safe destruction of records.

HOUSE BILL NO. 884

Offered January 8, 2020
Prefiled January 7, 2020
A BILL to amend the Code of Virginia by adding in Title 59.1 a chapter numbered 52, consisting of sections numbered 59.1-571 through 59.1-574, relating to the safe destruction of records containing personal identifying information.
Patron-- Subramanyam

Committee Referral Pending

Be it enacted by the General Assembly of Virginia:

1. That the Code of Virginia is amended by adding in Title 59.1 a chapter numbered 52, consisting of sections numbered 59.1-571 through 59.1-574, as follows:

CHAPTER 52.
SAFE DESTRUCTION OF RECORDS CONTAINING PERSONAL IDENTIFYING INFORMATION.

§ 59.1-571. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Commercial entity" means a corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, or other legal entity, whether or not for profit, that transacts business in the Commonwealth.

"Confidential health care information" includes all information relating to a patient's health care history, diagnosis, condition, treatment, or evaluation that is obtained from a health care provider who has treated the patient if the information explicitly or by implication identifies a particular patient.

"Consumer" means an individual who enters into a transaction primarily for personal, family, or household purposes.

"Personal identifying information" means a consumer's first name or first initial and last name in combination with any one of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted: Social Security number, passport number, driver's license or state-issued identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information, or confidential health care information.

"Record" means information that is inscribed on a tangible medium, or that is stored in an electronic or other medium, and is retrievable in perceivable form on which personal identifying information is recorded or preserved. "Record" does not include publicly available directories or sources containing information a consumer has voluntarily consented to have publicly disseminated or listed or that is disseminated as provided for by applicable law or regulation, such as name, address, or telephone number, or other directories or sources as are derived solely from such directories or sources.

"Transacts business in the Commonwealth" means the course or practice of carrying on any business activity in the Commonwealth and includes the solicitation of business or orders in the Commonwealth.

§ 59.1-572. Safe destruction of records.

A commercial entity that is in possession of, or has within its custody or control, records that contain consumers' unencrypted, unredacted personal identifying information and are no longer needed by the commercial entity shall take reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable in order to ensure the security and confidentiality of the personal identifying information.

§ 59.1-573. Exemptions.

This chapter does not apply to any of the following:

1. Any bank, credit union, or financial institution, as defined under the federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., as amended, that is subject to the regulation of the U.S. Office of the Comptroller of the Currency, the Federal Reserve, the National Credit Union Administration, the U.S. Securities and Exchange Commission, the Federal Deposit Insurance Corporation, or the State Corporation Commission and is subject to the privacy and security provisions of the federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.;

2. Any health insurer or health care facility that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191;

3. Any consumer report agency that is subject to and in compliance with the Federal Credit Reporting Act, 15 U.S.C. § 1681 et seq., as amended; or

4. Any government agency, instrumentality, or political subdivision.

§ 59.1-574. Violations.

A consumer who incurs actual damages due to a reckless or intentional violation of § 59.1-572 by a commercial entity may bring a civil action against the commercial entity.