August 4, 2021

Volume XI, Number 216


August 03, 2021

Subscribe to Latest Legal News and Analysis

August 02, 2021

Subscribe to Latest Legal News and Analysis

Delaware Passes Amendment to Data Breach Notification Law

For the first time since 2005, Delaware has amended its data breach notification law (DE Code Tit. 6, 12B-101-104). Whereas Delaware’s previous law only required companies to notify affected residents of a breach “as soon as possible” after determining that “misuse of information about a Delaware resident has occurred or is reasonably likely to occur,” House Substitute 1 for House Bill 180 strengthens the requirements for companies that conduct business in Delaware in several ways.

Reasonable Data Security

Any “person” who conducts business in Delaware and “owns, licenses, or maintains” personal information is required to “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.” This puts Delaware in line with 14 other states that require private organizations to maintain reasonable data security practices. It also makes private organization susceptible to liability for failing to maintain adequate security procedures, even where notification of a breach is not required.

Definition of Personal Information

Delaware’s law previously defined “personal information” as a Delaware resident’s first name or first initial and last name in combination with their (1) Social Security number, (2) driver’s license number or state identification number, or (3) account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a financial account. The revised law adds the following data elements to the definition of “personal information,” which continues a trend of states focused on protecting information related to health, technology and personal finance:

  • Federal identification number

  • Passport number

  • Username or email address in combination with a password or security question and answer that would permit access to an online account

  • Medical history, treatment or diagnosis by a health care professional

  • DNA profile

  • Health insurance identification number

  • Taxpayer identification number. 

Threshold for Notification – Risk of Harm & Encryption Safe Harbor

Notification to affected individuals (and in certain instances the Delaware Attorney General) is not required if the company reasonably determines through an investigation that the data breach is unlikely to result in harm to the affected individuals. Notification also is not required if the breach involves encrypted data, unless the breach includes the encryption key that could reasonably render the data readable or useable, which is another new element of the law.


Notification to affected individuals must be made “without unreasonable delay” and within 60 days after discovering the breach. Some states have more restrictive timelines, such as Florida, which requires notification within 30 days, and Vermont, Ohio, Rhode Island and Washington, which require notification within 45 days. Whereas the previous law required notification “in the most expedient time possible,” the amendment offers clear guidance. The amendment further notes that the new timing requirement does not apply where a shorter time is required under federal law or if law enforcement requests that notice be delayed so as not to impede a criminal investigation.

Attorney General Notification

If the breach affects more than 500 Delaware residents, companies are required to notify the Delaware Attorney General “not later than the time when notice is provided to the resident.” Similar to the previous law, the Attorney General may bring an action in law or equity to ensure proper compliance or to “recover direct economic damages resulting from a violation.”

Credit Monitoring Now Required

If the breach includes an individual’s Social Security number, companies are required to offer credit monitoring and identity theft protection services for one year. California and Connecticut are the only other states with such a requirement.

© 2021 Wilson ElserNational Law Review, Volume VII, Number 244

About this Author

Gregory Bautista, Wilson Elser, Civil Litigation Lawyer, Data Privacy matters Attorney

Gregory Bautista is an experienced civil litigator with a focus on data breach response. He is keenly aware of the growing importance of assisting clients in developing and implementing data security risk management measures related to the receipt and use of highly sensitive and confidential data. Greg provides his clients with knowledge and guidance on information governance and e-discovery matters. He has embraced the concept of information governance, which melds the disciplines that exist in all businesses into a powerful enterprise-wide strategy.

Jeremy Merkel, White Plains Attorney, cybersecurity, data management, wilson Elser law firm

Jeremy Merkel focuses his practice in the areas of cyber security and information governance in the context of the significant challenges presented by the management of data across the information life cycle. He helps client address regulatory requirements, privacy laws and litigation obligations, while leveraging their data in support of operational requirements.

Jeremy gained considerable experience with technology and the law through positions at Facebook, the Federal Trade Commission and Harvard's Berkman Klein Center for Internet & Society. He also served as a legal intern...