Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices.  In addition to expanding the types of information that would require notification of affected individuals if breached, the amendments will also require an entity to provide credit monitoring services if the breach involves Social Security numbers.  Once the bill enters into force, entities will also have to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents.  The amendments will enter into force on approximately April 14, 2018.

Similar to many other state data breach notice laws, the current Delaware law requires notification of affected residents following a breach of personally identifiable information (“PII”).  The current law limits the definition of PII to an individual’s name along with (1) a Social Security number, (2) a driver’s license or government identification card number, or (3) a credit card, debit card, or account number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.  The new bill will expand this definition of PII to require notice following breaches impacting (4) a passport number, (5) a username or email address, in combination with a password or security question that would permit access to an online account, (6) an individual’s medical history, treatment, diagnosis, or DNA profile, (7) a health insurance policy number or other unique identifier used by a health insurer, (8) unique biometric data generated for authentication purposes, or (9) an individual taxpayer identification number.

In addition, the bill will change the statutory language that triggers a notification obligation following a data breach.  The current Delaware law only requires notification if an entity determines that a breach compromises the “security, confidentiality, and integrity of personal information.”  The bill, however, will require notification once a breach occurs unless the entity conducts an appropriate investigation and reasonably determines that the breach is unlikely to result in harm to affected individuals.

The bill will also require entities to notify affected individuals within 60 days after determining that a breach has occurred.  If, despite reasonable diligence, the entity cannot identify affected individuals within 60 days after it determines that a breach has occurred, it must notify affected individuals as soon as practicable.  The entity must also notify the Delaware Attorney General no later than the time it notifies affected individuals if more than 500 Delaware residents are affected.

Delaware will also join a short but growing list of states that require entities to provide some form of credit monitoring services after a breach once the bill enters into force.  The bill will require an entity to provide credit monitoring services for at least one year to any individuals whose Social Security numbers were compromised, or reasonably believed to have been compromised, as the result of a data breach.  The notification to these individuals must include all information necessary to enroll in these services and place a credit freeze.  However, if the entity conducts an appropriate investigation and reasonably determines that the breach is unlikely to result in harm to the individuals whose personal information was breached, the entity does not need to provide credit monitoring services.

Finally, the bill will also require entities that conduct business in Delaware and own, license, or maintain PII to implement and maintain “reasonable” security procedures to protect this information.  Although the bill does not provide any specific information on what constitutes “reasonable” security procedures, the current law does permit the Delaware Attorney General to bring an action to address any violations.  The bill also adds language to clarify that the law should not be construed to modify any right a person “may have at common law, by statute, or otherwise.”

Tags: breach notification, Cybersecurity, Data Breach, Data Security, Delaware, Legislation, Personal Information
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less