Delaware Expands Data Breach Notification Statute

Governor John Carney signed Delaware’s updated breach notification law on August 17, 2017.  The revised law, which will come into force on April 14, 2018, includes key changes to the definition of personal information, introduces credit monitoring obligations, and heightens notice requirements. The law will also create new general information security requirements.

The definition of personal information will now include state or federal identification card numbers, medical information, biometric data, user names and passwords, passport numbers, routing numbers to financial accounts, and individual taxpayer identification numbers. These categories are added to the previous triggering data that included Social Security numbers, driver’s license numbers, and banking and credit or debit card information.  Further, when an incident results in the compromise of Social Security numbers, the amended law requires companies to provide a year of free credit monitoring services to affected residents.

The law mandates that residents receive notice within 60 days of the determination a breach has occurred, although the law does provide an exception pursuant to law enforcement investigations. And beginning next spring, the Delaware Attorney General must also receive notice of breaches that affect more than 500 residents.

The amended Delaware law still incorporates a risk of harm trigger.  Companies are not required to notify individuals if the company “reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.” But vendors and others who maintain data but who do not own or license such data must notify the owner or licensee of the information “immediately following determination of the breach of security.” Importantly, the service provider’s notice obligation is not excused by a reasonable determination that there is no risk of harm.

Under the new law, companies that collect or maintain personal information in the regular course of business are required to “implement and maintain reasonable procedures and practices” to protect it from “unauthorized acquisition, use, modification, disclosure, or destruction.”  Companies should ensure that they have these security procedures and practices in place before the law takes effect in the spring.