Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices. In addition to expanding the types of information that would require notification of affected individuals if breached, the amendments will also require an entity to provide credit monitoring services if the breach involves Social Security numbers. Once the bill enters into force, entities will also have to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents. The amendments will enter into force on approximately April 14, 2018.
Similar to many other state data breach notice laws, the current Delaware law requires notification of affected residents following a breach of personally identifiable information (“PII”). The current law limits the definition of PII to an individual’s name along with (1) a Social Security number, (2) a driver’s license or government identification card number, or (3) a credit card, debit card, or account number in combination with any required security code, access code, or password that would permit access to the individual’s financial account. The new bill will expand this definition of PII to require notice following breaches impacting (4) a passport number, (5) a username or email address, in combination with a password or security question that would permit access to an online account, (6) an individual’s medical history, treatment, diagnosis, or DNA profile, (7) a health insurance policy number or other unique identifier used by a health insurer, (8) unique biometric data generated for authentication purposes, or (9) an individual taxpayer identification number.
In addition, the bill will change the statutory language that triggers a notification obligation following a data breach. The current Delaware law only requires notification if an entity determines that a breach compromises the “security, confidentiality, and integrity of personal information.” The bill, however, will require notification once a breach occurs unless the entity conducts an appropriate investigation and reasonably determines that the breach is unlikely to result in harm to affected individuals.
The bill will also require entities to notify affected individuals within 60 days after determining that a breach has occurred. If, despite reasonable diligence, the entity cannot identify affected individuals within 60 days after it determines that a breach has occurred, it must notify affected individuals as soon as practicable. The entity must also notify the Delaware Attorney General no later than the time it notifies affected individuals if more than 500 Delaware residents are affected.
Delaware will also join a short but growing list of states that require entities to provide some form of credit monitoring services after a breach once the bill enters into force. The bill will require an entity to provide credit monitoring services for at least one year to any individuals whose Social Security numbers were compromised, or reasonably believed to have been compromised, as the result of a data breach. The notification to these individuals must include all information necessary to enroll in these services and place a credit freeze. However, if the entity conducts an appropriate investigation and reasonably determines that the breach is unlikely to result in harm to the individuals whose personal information was breached, the entity does not need to provide credit monitoring services.
Finally, the bill will also require entities that conduct business in Delaware and own, license, or maintain PII to implement and maintain “reasonable” security procedures to protect this information. Although the bill does not provide any specific information on what constitutes “reasonable” security procedures, the current law does permit the Delaware Attorney General to bring an action to address any violations. The bill also adds language to clarify that the law should not be construed to modify any right a person “may have at common law, by statute, or otherwise.”