Delaware Passes Amendment to Data Breach Notification Law
For the first time since 2005, Delaware has amended its data breach notification law (DE Code Tit. 6, 12B-101-104). Whereas Delaware’s previous law only required companies to notify affected residents of a breach “as soon as possible” after determining that “misuse of information about a Delaware resident has occurred or is reasonably likely to occur,” House Substitute 1 for House Bill 180 strengthens the requirements for companies that conduct business in Delaware in several ways.
Reasonable Data Security
Any “person” who conducts business in Delaware and “owns, licenses, or maintains” personal information is required to “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.” This puts Delaware in line with 14 other states that require private organizations to maintain reasonable data security practices. It also makes private organization susceptible to liability for failing to maintain adequate security procedures, even where notification of a breach is not required.
Definition of Personal Information
Delaware’s law previously defined “personal information” as a Delaware resident’s first name or first initial and last name in combination with their (1) Social Security number, (2) driver’s license number or state identification number, or (3) account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a financial account. The revised law adds the following data elements to the definition of “personal information,” which continues a trend of states focused on protecting information related to health, technology and personal finance:
Federal identification number
Username or email address in combination with a password or security question and answer that would permit access to an online account
Medical history, treatment or diagnosis by a health care professional
Health insurance identification number
Taxpayer identification number.
Threshold for Notification – Risk of Harm & Encryption Safe Harbor
Notification to affected individuals (and in certain instances the Delaware Attorney General) is not required if the company reasonably determines through an investigation that the data breach is unlikely to result in harm to the affected individuals. Notification also is not required if the breach involves encrypted data, unless the breach includes the encryption key that could reasonably render the data readable or useable, which is another new element of the law.
Notification to affected individuals must be made “without unreasonable delay” and within 60 days after discovering the breach. Some states have more restrictive timelines, such as Florida, which requires notification within 30 days, and Vermont, Ohio, Rhode Island and Washington, which require notification within 45 days. Whereas the previous law required notification “in the most expedient time possible,” the amendment offers clear guidance. The amendment further notes that the new timing requirement does not apply where a shorter time is required under federal law or if law enforcement requests that notice be delayed so as not to impede a criminal investigation.
Attorney General Notification
If the breach affects more than 500 Delaware residents, companies are required to notify the Delaware Attorney General “not later than the time when notice is provided to the resident.” Similar to the previous law, the Attorney General may bring an action in law or equity to ensure proper compliance or to “recover direct economic damages resulting from a violation.”
Credit Monitoring Now Required
If the breach includes an individual’s Social Security number, companies are required to offer credit monitoring and identity theft protection services for one year. California and Connecticut are the only other states with such a requirement.