HB 884

            
2020 SESSION

20104896D

HOUSE BILL NO. 884


Offered January 8, 2020


Prefiled January 7, 2020

A BILL to amend the Code of Virginia by adding in Title 59.1 a 
 chapter numbered 52, consisting of sections numbered 59.1-571 through 59.1-574, 
 relating to the safe destruction of records containing personal identifying 
 information.
----------

Patron-- Subramanyam

----------

Referred to Committee on Communications, Technology and Innovation

----------
 
 
Be it enacted by the General Assembly of Virginia:
 
 
1. That the Code of Virginia is amended by adding in Title 
 59.1 a chapter numbered 52, consisting of sections numbered 59.1-571 through 
 59.1-574, as follows:
 
 
CHAPTER 
 52.
 
 
SAFE DESTRUCTION OF RECORDS 
 CONTAINING PERSONAL IDENTIFYING INFORMATION.
 
 
� 59.1-571. Definitions.
 
 
As used in this chapter, 
 unless the context requires a different meaning:
 
 
"Commercial entity" 
 means a corporation, business trust, estate, trust, partnership, limited 
 partnership, limited liability partnership, limited liability company, 
 association, organization, joint venture, or other legal entity, whether or not 
 for profit, that transacts business in the Commonwealth.
 
 
"Confidential health 
 care information" includes all information relating to a patients 
 health care history, diagnosis, condition, treatment, or evaluation that is 
 obtained from a health care provider who has treated the patient if the 
 information explicitly or by implication identifies a 
 particular patient.
 
 
"Consumer" means an 
 individual who enters into a transaction primarily for personal, family, or 
 household purposes.
 
 
"Personal 
 identifying information" means a 
 consumers first name or first initial 
 and last name in combination with any one of the 
 following data elements that relate to the consumer, when either the name or 
 the data elements are not encrypted: Social Security number, passport 
 number, drivers license 
 or state-issued identification card number, insurance 
 policy number, financial services account 
 number, bank account number, credit 
 card number, debit card number, tax or 
 payroll information, or 
 confidential health care information.
 
 
"Record" means information 
 that is inscribed on a tangible medium, or that is stored in an electronic or 
 other medium, and is retrievable in 
 perceivable form on which personal identifying information is recorded or 
 preserved. "Record" does not 
 include publicly available directories or sources containing information a 
 consumer has voluntarily consented to have publicly disseminated or listed or that is 
 disseminated as provided for by applicable law or regulation, such as name, 
 address, or telephone number, or other directories or sources as are derived 
 solely from such directories or sources.
 
 
"Transacts business in 
 the Commonwealth" means the course or practice of carrying on any business 
 activity in the Commonwealth and includes the solicitation of business or 
 orders in the Commonwealth.
 
 
� 59.1-572. Safe destruction 
 of records.
 
 
A commercial entity that is in possession 
 of, or has within its custody or control, records 
 that contain consumers unencrypted, unredacted 
 personal identifying information and are no 
 longer needed by the commercial 
 entity shall take reasonable steps to destroy or arrange 
 for the destruction of each such record by shredding, erasing, or otherwise 
 destroying or modifying the personal identifying information in those records 
 to make it unreadable or indecipherable in order to ensure the 
 security and confidentiality of the personal identifying 
 information.
 
 
� 59.1-573. Exemptions.
 
 
This chapter does not apply 
 to any of the following:
 
 
1. Any bank, credit union, or 
 financial institution, as defined under the federal Gramm-Leach-Bliley Act, 
 15 U.S.C. � 6801 et seq., as amended, 
 that is subject to the regulation of the U.S. Office of 
 the Comptroller of the Currency, the Federal 
 Reserve, the National Credit Union Administration, the U.S. Securities 
 and Exchange Commission, the Federal Deposit Insurance Corporation, or the State 
 Corporation Commission and is subject to the privacy and security 
 provisions of the federal Gramm-Leach-Bliley Act, 15 U.S.C. 
 � 6801 et seq.;
 
 
2. Any health 
 insurer or health care facility that is subject 
 to and in compliance with the standards for privacy of individually 
 identifiable health information and the security standards for the protection 
 of electronic health information of the Health Insurance Portability and 
 Accountability Act of 1996, P.L. 
 104-191;
 
 
3. Any 
 consumer report agency that is subject to and in compliance with the Federal 
 Credit Reporting Act, 15 U.S.C. � 1681 et 
 seq., as amended; or
 
 
4. Any 
 government agency, instrumentality, or political subdivision.
 
 
� 59.1-574. Violations.
 
 
A consumer who incurs actual 
 damages due to a reckless or intentional violation of � 59.1-572 by a 
 commercial entity may bring a civil action against the commercial 
 entity.