Delaware Amends Data Breach Notification Law


By: Kacie L. Manisco
On August 17, 2017, Delaware Governor John Carney signed into law a bill amending the state’s Data Breach Notification Statute, marking the first significant change to Delaware’s data breach notification law since 2005. The amendments, which will go into effect on April 14, 2018, bring significant changes to how covered entities must prepare for and respond to data breaches.
Reasonable Data Security: Any “person” that conducts business in Delaware and “owns, licenses, or maintains” personal information shall “implement and maintain reasonable procedures and practices” for the protection of personal information collected or maintained in the course of business. The definition of “person” has been expanded to include any business form, governmental entity, “or any other legal or commercial entity.”
Definition of Personal Information: The amendment expands the definition of “personal information” to include a Delaware resident’s first name or first initial and last name in combination with any one or more of the following that relate to the individual: (1) Social Security number; (2) driver’s license number or state or federal identification card number; (3) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) passport number; (5) a username or email address, in combination with a password or a security question and an answer that would permit access to an online account; (6) medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or DNA profile; (7) health insurance policy number, subscriber identification number or any other unique identifier used by a health insurer to identify the person; (8) unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and (9) an individual taxpayer identification number.
Breach Notification: Delaware’s amended data breach law also now requires that notification be provided to affected residents within 60 days of discovery of the breach, unless a shorter time is required under federal law or a law enforcement agency has made a request that notice be delayed. Prior to this amendment, Delaware’s statute, similar to the data breach statutes of a majority of states, only mandated that disclosure of a data breach be made in the “most expedient time possible” and “without unreasonable delay.”
The amendment further clarifies that covered entities are not required to provide notice if an investigation reveals the breach was unlikely to result in harm to the affected residents. The amended law also does not require notification for the breach of encrypted data, unless the breach includes an encryption key that the organization reasonably believes could render the encrypted information readable or useable.
Attorney General Notification and Enforcement: Additionally, covered entities will now be required to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents. The prior version of the law did not require regulator notification.
Credit Monitoring: Delaware now joins California and Connecticut in mandating covered entities offer individuals affected by a breach of security involving Social Security numbers at least one year of free credit monitoring services unless.
As we have discussed before, these changes highlight the importance of being prepared before a breach occurs, which includes having a data breach response plan in place that will help you timely comply with notice obligations like these. We have created our FMG Cyber Toolkit to help our clients for this very reason. Please contact one of our Cyber, Data Security, and Privacy practice group attorneys for more information about developing a plan for your organization.
If you have any questions or would like more information, please contact Kacie L. Manisco at [email protected].