On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005. The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of “personal information” to include medical information, biometric identifiers, and electronic signatures; and adds additional breach notification and credit monitoring requirements. The bill comes on the heels of other amendments to data breach notification requirements by states such as California, Illinois, Nebraska, Tennessee, and Arizona.
Reasonable Data Security
Delaware’s amended data breach law now requires that any “person” that conducts business in Delaware and “owns, licenses, or maintains” personal information shall “implement and maintain reasonable procedures and practices” for the protection of personal information collected or maintained in the course of business.
Delaware now joins at least 13 other states with data breach laws that affirmatively require private organizations to maintain reasonable security procedures and practices. Under Delaware’s amended data breach law and similar state statutes, private organizations may incur liability for failing to maintain adequate security controls, even where breach notifications to residents are not required.
Breach Notification and Credit Monitoring
Delaware’s amended data breach law also requires organizations to provide notice to Delaware residents that their personal information was breached or is reasonably believed to have been breached without “unreasonable delay,” and no later than 60 days after the discovery of the breach, unless a shorter notification period is required by federal law (e.g., HIPAA or the GLBA) or law enforcement requests a delay. Organizations are not required to provide notice if an investigation reveals that the breach was unlikely to result in harm to the affected residents.
The amended law also does not require notification for the breach of encrypted data, unless the breach includes an encryption key that the organization reasonably believes could render the encrypted information readable or useable.
In addition, the amended law now requires organizations to provide one year of credit monitoring to Delaware residents whose Social Security numbers may have been exposed as part of the breach. This provision mirrors similar provisions in California and Connecticut.