By Carl N. Kunz, III*

Recently, The News Journal® published an article titled, “Some still unaware of identity-theft bill.” Mordock, J., (2015, July 26), The News Journal, p.1E. (Editor’s note: It was also published online earlier under a different headline.)

The News Journal article highlighted passage by the Delaware legislature in 2014 of House Bill 295, now codified as 6 Del. C. §5001C et seq.: Safe Destruction of Records Containing Personal Identifying Information.   Much of the article, however, focused on the fact that, despite the law going effective in January 2015, businesses either do not know about the law or do not know what they might need to do to comply.

As Governor Markell is slated to sign into law two additional pieces of privacy related legislation on Friday, August 7, 2015, this article provides a summary of the currently in effect Safe Destruction law and the two that will be signed imminently: the Delaware Online Privacy Protection Act, primarily applicable to businesses with websites, and the Student Data Privacy Protection Act, which seeks to regulate the activities of operators of websites and applications designed and marketed for K-12 public school purposes, or those who collect, maintain or use student data in digital or electronic form for K-12 public school purposes.

Safe Destruction of Records Containing Personal Identifying Information

The law relating to safe destruction of records that was the topic of The News Journal piece provides that a commercial entity (corporation, business trust, partnership or limited partnership, estate, trust, LLC, LLP, association, organization or other legal entity, whether or not for profit) seeking to permanently dispose of records containing consumer’s personal identifying information (PII), “shall take reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.”

The law defines “Personal identifying information” as “a consumer’s first name or first initial and last name, in combination with any 1 of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted: Social Security number; passport number; driver’s license or state identification card number; insurance policy number; financial services account number; bank account number; credit card number; debit card number; tax or payroll information or confidential health-care information including all information relating to a patient’s health-care history; diagnosis condition, treatment, or evaluation obtained from a health-care provider who has treated the patient which explicitly or by implication identifies a particular patient.”

A “record” includes information in virtually any tangible, electronic or other medium, but does not include any publicly available directories or sources of information that a customer has consented to have publicly available.

Entities transacting business in Delaware should be aware of this law.  While a civil suit may be brought against an entity only for reckless or intentional (but not negligent) violation of the law, one doesn’t want to be the source of a data breach resulting from the improper keeping or destruction of records.  And with technology changing rapidly from day to day, what might constitute “reasonable steps to destroy” today, might not be reasonable tomorrow.

Since the law requires an entity to “take reasonable steps to destroy or arrange for the destruction of” such records, businesses should carefully control and monitor those steps.  If an entity contracts with a third-party for such destruction, careful review of the contract and an understanding about how the third-party protects such information is paramount.  Indeed, reasonableness might require adherence to a chain of custody with the third-party ultimately certifying to the destruction of such records.  One has to be sure that when the physical records, computer hard drives, thumb drives, CD’s, copier hard-drives, etc. are sent to third-party for destruction that they are actually being destroyed in a manner which renders them “unreadable or undecipherable.”

As with many of the privacy laws being enacted in Delaware and around the country, the law provides an encryption safe harbor.  If the data is encrypted, then, by definition, it does not constitute “Personal identifying information” under the law, and the law would not require specialized destruction of encrypted data.

Delaware Online Privacy Protection Act

The Delaware Online Privacy Protection Act (DOPPA), slated to be codified as 6 Del. C. § 1201C et seq., has three stated purposes: (i) to prohibit the operator of an internet service directed at children from marketing or advertising certain products or services on a website that are deemed harmful to children; (ii) to require an operator of an internet service to conspicuously post its privacy policy, if the internet service collects PII from Delaware residents for commercial purposes; and (iii) to protect the personal information of users of digital book services by prohibiting a provider of book services from disclosing personal information regarding users of book services to law enforcement entities, governmental entities or other parties except under specified circumstances.

DOPP defines PII differently than the safe document destruction law.  DOPPA defines PII as “any personally identifiable information about a user of a commercial Internet website, online or cloud computing service, online application, or mobile application that is collected online by the operator of that commercial internet website, online service, online application, or mobile application from the that user and maintained by the operator in an accessible form, including a first and last name, a physical address, an e-mail address, a telephone number, a social security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator of the commercial Internet website, online service, online application, or mobile application from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph. See DOPPA at § 1202C(15) (emphasis added).

Owners of commercial websites directed at children will need to make sure that their sites are not marketing any of the prohibited items listed in section 1204C(f) of the new law.  For example, websites directed to children may not market or advertise alcoholic beverages, tobacco products, firearms, fireworks, tanning equipment, lotteries, body piercing, branding, tattoos, drug paraphernalia and tongue splitting.  See DOPPA at §1204C(f)(1) – (15).  Such websites also may not advertise or market “any material . . . which predominantly appeals to the prurient, shameful, or morbid interest of minors, is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable materials for minors, and taken as a whole lacks serious literary, artistic, political, social, or scientific value for minors.”   DOPPA at § 1204C(f)(16).

The law also mandates that a website’s privacy policy either be conspicuously available on a website, or that a link to the privacy policy be conspicuous.  It also specifies certain types of information that must be disclosed in such a policy, including what information a website gathers, how it responds to “do not track” signals, the effective date of the privacy policy, and whether the operator of a website maintains a process for the user to review and request changes to that user’s PII, and a description of that process.  The law specifies that a website operator will only be in violation of the privacy policy posting requirements only if the operator fails to make its privacy policy conspicuously available within 30 days after being notified that it is noncompliant.

Finally, the law proscribes the circumstances in which a “book service” (defined as “an entity, [which] as its primary purpose, provides individuals with the ability to rent, purchase, borrow, browse, or view books electronically or via the Internet”) may disclose information about the users of their services to “to any person, private entity or government entity.”  Generally, proper legal process and/or court order will be required as will notice to both the user and/or book service provider sufficient to permit the user or book service provide to timely appear and quash the request or contest issuance of any court order.  In the case of a user of such services, a minimum of 35 days advance notice is required.

Website operators will need to carefully review their websites and privacy policies to be sure that they will be in compliance with the new law.  And they should not wait until the Delaware law goes into effect to do so.  Indeed, although DOPPA will not become effective until January 1, 2016, many other states have already enacted similar statutes to protect their own residents.  If a website is collecting information from those states’ residents, a website operator may already be in violation of those others states’ laws.

Student Data Privacy Protection Act

With the continuing push for more prolific and creative use of technology in Kindergarten through 12th grade classrooms, student data has become more valuable, and the protection of that data of greater concern.  In the face of the perceived need for greater protection of student data, the Delaware General Assembly, on June 25, 2015, approved SS1 for SB 79, slated to be codified as 14 Del. C. § 8101A et seq. (the “Student Data Privacy Protection Act” or “SDPPA”).  Expressly modeled on California’s Student Online Personal Information Privacy Act, the SDPPA is designed to prohibit educational technology service providers from selling student data, using student data to engage in targeted advertising to students and their families, or creating student profiles for non-educational purposes.

When the law goes effective, the SDPPA will regulate the activities of operators of websites and applications designed and marketed for K-12 public school purposes, or those who collect, maintain or use student data in digital or electronic form for K-12 public school purposes.  In particular, operators must provide reasonable security to prevent unauthorized access to, destruction of, use, modification or disclosure of student data.  Operators must also delete a student’s data within a reasonable period (not to exceed 45 days) following a school or school district’s request for such deletion.

Operators also must not engage in targeted advertising using student data or state-assigned student identifiers where the data or student identifiers have been obtained as a result of use of a website, online or cloud computing service, online application or mobile application.  Such data also may not be used to create a student profile except in furtherance of K-12 public school purposes.  Student data may not be sold – except in instances of sale, merger or acquisition of an operator by another entity, and provided that the operator and/or successor entity continues to be subject to the SDPPA with respect to previously acquired student data.  Operators also must not disclose student data except in certain specified instances, including responding to judicial process, to protect the security of the operator’s website or application, and protecting the safety of users of a website or application.  Operators, however, may disclose student data when another provision of federal or state law requires disclosure, or for other legitimate research purposes.  Finally, operators may use student data when supporting, evaluating or diagnosing the operator’s website, and may also use student data or de-identified student data to develop and improve an operator’s website or application, or to demonstrate the effectiveness of an operator’s products or services.

In addition to the proscriptions on the use and disclosure of student data, the SDPPA establishes a Student Privacy Task Force to “study and make findings and recommendations regarding the development and implementation of a comprehensive framework to govern the privacy, protection, accessibility, and use of student data within and as part of the State’s public education system.”  SDPPA at Section 3.  The act also gives to the Consumer Protection Unit of the Delaware Department of Justice the power to enforce the new law.

When the SDPPA is signed into law, the proscriptions applicable to operators will not take effect until August 1 of the first full year following the act’s enactment into law, with all other provisions taking effect immediately upon the Governor’s signature.  SDPPA at Section 5.

*Carl N. (“Chuck”) Kunz, III is a co-chair of the Morris James Data Privacy and Information Governance Group.
This article is for informational purposes only.  It is not to be construed as legal advice or to create an attorney/client relationship. The views stated herein are the views of Mr. Kunz, and not necessarily the views of Morris James LLP, or its clients.

If you would like additional information, please visit our webpage for the Morris James Data Privacy and Information Governance Group, or follow us on Twitter.

by Matt Amis, Senior Communications Officer, Rodel Foundation

Ernie Dianastasis—perhaps more than ever—is eager to go back to school this fall.

The longtime business leader and education advocate serves as chairman of the Vision Coalition Leadership Team, a cadre of local influencers who work collaboratively and cooperatively to improve Delaware schools.
This month, the coalition releases Student Success 2025. Like its well-known predecessor, Vision 2015, Student Success 2025 is an ambitious 10-year plan designed to boost Delaware’s public education system to world-class status.

Delaware Business caught up with Dianastasis—who, when he’s not leading his CAI (Computer Aid, Inc.) global IT firm, also leads the Delaware Business Roundtable Education Committee—to talk about the plan and the vision for the future of Delaware schools.

Tell us about a little about Student Success 2025.
This is a 10-year vision for public education in Delaware. We started back in 2014 by asking a question: What are the skills and attributes that an educated Delawarean needs to have by the year 2025?—and worked backward from there to develop the strategies to achieve that vision. And we’re not just jumping straight to 2025—these are issues we can begin working on today.

The plan itself deals primarily with six core areas: quality early learning, personalized learning, postsecondary and career attainment, educator support, school funding, and governance. The thinking is, by aligning those six areas better, Delaware can build a more modern and seamless education system, and our kids can take advantage of that in numerous ways.

So whose vision is this, exactly?
The ideas in this report don’t come from me. They don’t come from the Department of Education. Over the last few years, our group talked and collaborated with more than 4,000 Delawareans—including 1,300 students. They reached out online, in surveys, at community meetings, cups of coffee—you name it. The people of Delaware told us where they think we need to go as a state. They told us their hopes for providing more social and emotional support for kids, and for more collaboration between families and schools. And the kids themselves said they wanted more real-life career experiences and flexibility in their school experience. We took the student input very seriously. They’re at the center of this whole thing.

We also called upon leading experts in Delaware, across the country, and around the world—to help inform our thinking.

This is a follow-up to Vision 2015. Did that plan work? Is this the sequel?
 Vision 2015 came out in 2006, and since its release around 75 percent of its recommendations have been acted upon in Delaware. That includes higher academic standards overall, new investments in teacher prep programs, and huge increases in the number of children enrolled in high-quality early learning environments. We have more kids than ever taking and passing AP courses, taking foreign language immersion classes, applying to college, and participating in career pathways.

So, I’d say it has worked, but to be candid some things simply haven’t—like improvements to our funding system, and big shifts that we didn’t anticipate a decade ago, like the explosion of technology in our daily lives. When the community sees Student Success 2025, they will see that we looked to address those gaps and build on the foundation we started. There’s still so much more we can do to support our schools and our kids. We also need to remember that transforming a multi-century old system does not happen overnight. It is a multi-year journey with many phases. There is no finish line where we declare victory. Rather, it is a life-long commitment to excellence that we must all embrace.

What happens next? How do you transition the plan into action?
Well, we’ll officially release the report on September 16 at a special event at the Del Tech Dover campus, and from there, we’ll follow up with our Annual Conference on October 28, where we’ll try to reenergize Delawareans around these issues and keep the momentum going. From there, we’ll establish some dedicated implementation teams to dig in on putting these recommendations into practice. Some will be easier than others, and some of them are already underway. That said, at the end of the day, this is about results, so we are going to hold ourselves accountable by producing a report card on the progress we make every fall. We hope the Chamber and the community as a whole keeps the pressure on to make sure we collectively deliver on what we’ve promised. We all need to own this.

We haven’t seen a whole lot of harmony when it comes to education policy in Delaware lately. What makes this any different?
I think it goes back to the collaborative nature of the plan. At the end of the day, of course we will need political and legislative action to enact some of these recommendations. And we know the state is facing some major revenue issues. But the truth is, we aren’t all going to agree on everything. As a group, the coalition is committed to working on the 80 percent or more that we all agree on, and keep the work moving forward. We accept that there will be real disagreements on the margins, but we can’t let that slow us down.
And in fact, everyone in Delaware can play a part. You already have members of the business community energized around career pathways for students; you have all these wonderful family and community organizations providing support; you have school districts collaborating on things like personalized learning. There are already so many great things happening in pockets throughout Delaware, so our biggest challenge right now is connecting them all together across the state, and doing more of what works. Let’s focus on the things we already agree on, and work toward this vision for the future. It’s closer than we think.

For more info on Student Success 2025, visit www.visioncoalitionde.org.

By Michael Houghton

On June 16, 2015, Senate Bill No. 141 was introduced in the Delaware State Senate.  In the early morning hours of July 1, 2015 (with the Delaware “legislative calendar” still reading June 30, 2015) this legislation, which had already passed the State Senate, passed the Delaware House and awaits Governor Jack Markell’s signature.  The speed with which this legislation passed indicates that Delaware is serious about reforming its Unclaimed Property Program.

Click here to read the full Morris Nichols analysis.

By Meg Campbell
​
Secretary of State Jeffrey Bullock recently met with executives from the Bank of China to discuss ways that companies from China and Delaware can work together.

Secretary Bullock and team members from Global Delaware, the State’s initiative for promoting Delaware abroad, talked to bank executives and Chinese entrepreneurs about opportunities for collaboration, from a distributor looking for food safety products to sell in China to a manufacturer seeking advanced training opportunities in the U.S.

“There are so many opportunities for both sides,” Bullock noted. “Delaware companies can leverage their industry expertise by partnering with Chinese investors; they can develop distribution networks to sell their products and services in China; they can meet with Chinese companies looking to come to the U.S. and need distribution and support here. Forging a special relationship with the Bank of China makes so many options possible.”

Over the last several months, Global Delaware has developed a strong working relationship with the Bank of China, one of the country’s largest and most important banks. As a result of these efforts, the State has been selected to showcase Delaware businesses at the Sino-US SME Forum in New York City on September 28, 2015. This is the first event of its kind in the U.S., and Delaware is one of only a few states invited to participate.

The forum is an opportunity for Delaware companies to explore how to grow their business through collaboration with Chinese trading and/investment partners who are clients of the Bank of China. Chinese investment into the U.S. totaled nearly $50 billion in 2014 and could reach $200 billion by the end of the decade.

More than 40 Chinese business partners and investors will be at the event and available to meet with Delaware companies. After initial pre-qualification discussions, the Bank of China will set up one-on-one partnering meetings. Professional translation services and free consulting will be provided. There is no cost to participate for qualifying companies from Delaware.

“This event is a tremendous opportunity for Delaware companies and organizations of all kinds, from traditional manufacturers and service companies to entrepreneurs, nonprofits and educational institutions,” explained Secretary Bullock, noting that the Bank of China has already had great success with these events in Europe. “New York City is so close. We are so pleased that Bank of China has invited our businesses to be included in this important event.”

Global Delaware plans to charter a bus and escort the group up to NYC for this event, and lunch and dinner will be included.

Interested companies should contact a Global Delaware team member at [email protected] as soon as possible, as spaces will fill quickly.

By Emily Riley

Permits and paperwork is what most think of at the mention of Delaware’s Department of Natural Resources and Environmental Control. While those formalities are surely part of the DNREC outfit, newly appointed department secretary David Small wants you to know there’s far more education, policy and entrepreneurial initiatives at work for the First State. From the dynamic growth of Wilmington’s Riverfront destination to managing the state’s air and water quality, the corps of scientists and policy initiators at DNREC are hard at work keeping our state beautiful and environmentally (and economically) viable.

Secretary David Small had a few thoughts to share in regards to current work at DNREC:

What positions have you previously held with DNREC?

I served as acting secretary early in the Markell administration prior to arrival of former Secretary [Collin] O’Mara. For the past 15 years I served as deputy secretary, and prior to that I served as the executive assistant. I joined the agency in 1987 and was chief of the office of information and education, but prior to that, I was a journalist and editor in print media. I’m maybe a bit of an unlikely candidate to be secretary, but the nice thing about being chief of that office is that I had access to every nook and cranny and program and issue the department was dealing with, which has been a wonderful opportunity to learn about the agency.

How will your position as secretary expand on the work you’ve already done with DNREC?

I think having a working baseline knowledge of the agency has been an incredible asset to me – to know not only the issues but the people inside the agency and the challenges on the outside. I’ve come to know many of the regulated entities that we serve as customers and constituents, which has been very helpful to me because it’s given me insights that maybe other folks coming in from the outside haven’t had, so that’s definitely been one advantage.

What goals would you like to see accomplished during your tenure?

Water quality has been a huge priority for the department. Cleaning up the state’s water has been an ongoing effort, and it’s not going to happen overnight and it’s not something that we’re going to accomplish by regulation only. We live in an age where everyone’s attached to a handheld device, and we’re used to instant gratification – the environment doesn’t work that way, and we’ve got a long road ahead of us. Energy efficiency is another area where I think we’ve made good strides but there are still gains to me made there. The kilowatts and megawatts we don’t use are the best ones and the cheapest ones, so making those investments save consumers money and also put people to work.

The revamp of Wilmington’s Riverfront destination is certainly one of DNREC’s most visible achievements. Are there similar plans for other areas in the state?

The Riverfront development plan is our largest and most successful example of a Brownfield project. It was an area that had been previously used for heavily industrialized purposes that left a legacy of contamination. When former Gov. [Russell] Peterson and former University of Delaware Pres. [E. Arthur] Trabant shared their vision for the area, I’m not sure anybody could have imagined creating the economic engine in New Castle County that stands there today. I don’t know that we’ll ever rise to that scale again, but we strive for that “twofer” – repurposing and redeveloping an existing site and eliminating contamination in that area. Using this model, we have our sights set on places like Fort DuPont in Delaware City and Auburn Heights Preserve in Yorklyn, as well as a the Evraz Claymont Steel site, which presents an exciting and dynamic opportunity for commercial investment right along the Delaware River.

What will DNREC do to keep pace with advances in environmental engineering and technology?

Not surprisingly, and like many organizations, we’re aging. Fifty percent of our workforce is eligible for retirement, so our goal is to get the right people with the right skills to manage our agency into the future. We want to make sure that for our younger staff, they’re not only technically competent, but that we’re giving them the right skill sets to be effective managers for policy planning, human resource management and other areas. If we make these investments in our workforce, we can continue to make great strides over the coming years.

Beyond the paperwork and park fees, what is something Delawareans might not know about DNREC?

I would say there’s a lack of understanding or appreciation for all the responsibilities that the agency has. People know DNREC through a singular experience – getting a permit for an activity, buying their state park passes or gaining a surf permit to the drive-on beaches, but there’s really so much more that we do. We’re constantly trying to improve the air quality, protect public health through the quality of the drinking water, clean up contaminated sites, manage storm water and other continual goals. And it’s difficult to isolate these projects too. When you think about that environment and natural resources, you’re tugging on a thread that’s connected to so many other issues. It’s hard to manage them within individual programs, so what we try to do is connect the dots across our body of policies, which gives us a great advantage in trying to achieve those goals.

(This article was previously published in the 2015 July/August issue of Delaware Business magazine).