Delaware Amends Data Breach Notification Law

Delaware has joined the list of states amending their data breach notification laws, expanding the definition of Personal Information (PI) and adding requirements for credit monitoring, among other items. The changes will be effective on April 14, 2018.

The Delaware amendments contain a hard deadline for providing notice, required notice to the state AG’s office, and credit monitoring. Changes include:

Maintaining Reasonable Procedures. Every “person” subject to the law is required to implement and maintain “reasonable security measures” to prevent unauthorized use, acquisition or destruction of PI. “Person” is defined to include any business form, government entity, or “any other legal or commercial entity.”

Definition for PI. The definition for Personal Information is expanded to include first name or first initial and last name in combination with any one or more of the following:

  • Social Security number
  • Driver’s license or state or federal identification card number
  • Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a financial account
  • Passport number
  • Username or email address in combination with a password or security question and answer that would permit access to an online account
  • Personal Health Information (PHI), including medical history, treatment or diagnosis by a healthcare professional, or DNA profile
  • Health insurance identification number
  • Biometric data
  • Individual taxpayer identification number

Notification Deadline/Harm Threshold. Companies will be required to notify affected individuals of a data breach within 60 days of determination of a breach or “reasonable” determination of a breach. There also is a harm threshold: notice is not required if, after an appropriate investigation, the company reasonably determines that the breach is unlikely to result in harm to affected individuals. There is also an encryption safe harbor.

Notice to AG’s Office. Companies will be required to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents.

Credit Monitoring. Companies will be required to offer free credit monitoring services for one year to affected individuals if the breach includes a Delaware resident’s Social Security number.

If you have questions or would like additional information, please contact Josh Mooney (mooneyj@whiteandwilliams.com; 215.864.6345), Jay Shapiro (shapiroj@whiteandwilliams.com; 212.714.3063) or another member of our Cyber Law and Data Protection Group.