Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices.  In addition to expanding the types of information that would require notification of affected individuals if breached, the amendments will also require an entity to provide credit monitoring services if the breach involves Social Security numbers.  Once the bill enters into force, entities will also have to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents.  The amendments will enter into force on approximately April 14, 2018.

Similar to many other state data breach notice laws, the current Delaware law requires notification of affected residents following a breach of personally identifiable information (“PII”).  The current law limits the definition of PII to an individual’s name along with (1) a Social Security number, (2) a driver’s license or government identification card number, or (3) a credit card, debit card, or account number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.  The new bill will expand this definition of PII to require notice following breaches impacting (4) a passport number, (5) a username or email address, in combination with a password or security question that would permit access to an online account, (6) an individual’s medical history, treatment, diagnosis, or DNA profile, (7) a health insurance policy number or other unique identifier used by a health insurer, (8) unique biometric data generated for authentication purposes, or (9) an individual taxpayer identification number.

In addition, the bill will change the statutory language that triggers a notification obligation following a data breach.  The current Delaware law only requires notification if an entity determines that a breach compromises the “security, confidentiality, and integrity of personal information.”  The bill, however, will require notification once a breach occurs unless the entity conducts an appropriate investigation and reasonably determines that the breach is unlikely to result in harm to affected individuals.

The bill will also require entities to notify affected individuals within 60 days after determining that a breach has occurred.  If, despite reasonable diligence, the entity cannot identify affected individuals within 60 days after it determines that a breach has occurred, it must notify affected individuals as soon as practicable.  The entity must also notify the Delaware Attorney General no later than the time it notifies affected individuals if more than 500 Delaware residents are affected.

Delaware will also join a short but growing list of states that require entities to provide some form of credit monitoring services after a breach once the bill enters into force.  The bill will require an entity to provide credit monitoring services for at least one year to any individuals whose Social Security numbers were compromised, or reasonably believed to have been compromised, as the result of a data breach.  The notification to these individuals must include all information necessary to enroll in these services and place a credit freeze.  However, if the entity conducts an appropriate investigation and reasonably determines that the breach is unlikely to result in harm to the individuals whose personal information was breached, the entity does not need to provide credit monitoring services.

Finally, the bill will also require entities that conduct business in Delaware and own, license, or maintain PII to implement and maintain “reasonable” security procedures to protect this information.  Although the bill does not provide any specific information on what constitutes “reasonable” security procedures, the current law does permit the Delaware Attorney General to bring an action to address any violations.  The bill also adds language to clarify that the law should not be construed to modify any right a person “may have at common law, by statute, or otherwise.”

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.