Delaware Data Breach Notification Law to be Strengthened
Delaware data breach notification law is likely to be expanded to include medical information in the definition of personal information.
The data breach notification law in Delaware has remained unchanged for 12 years, so an update is certainly due. The bill was sponsored by Rep. Paul Baumbach (D), with an updated version (House Substitute No. 1 for HB 180) passed by the House on June 28 with a vote of 37-3. The bill will now go before the Senate, where it is expected to be passed. Gov. John Carney (D) is in favor of the amendment and is expected to sign the bill.
The updated breach notification law will see the definition of personal information expanded to include biometric data, usernames together with passwords, routing numbers to accounts, taxpayer identification numbers, health insurance identifiers, passport numbers and medical information.
If passed, the new legislation will apply to all legal and commercial entities that do business in the state of Delaware that collect or use personal information; however, the updated Delaware data breach notification law will still not apply to HIPAA-covered entities or any other industry that is already covered by more stringent federal data protection and notification laws.
Companies will be required to conduct a risk analysis to determine whether a security breach is likely to result in breach victims coming to harm. Only if that risk analysis determines there is a low risk of harm will breach notifications not be required. In line with HIPAA, the updated Delaware data breach notification law will require breach notifications to be issued to all affected individuals within 60 days of the discovery of a data breach.
The bill will also require a substitute breach notice to be placed on the company website, if the company maintains one, and a notification must be sent to the state attorney general if a breach impacts more than 500 individuals.
The bill also calls for companies to offer a minimum of one year of complimentary identity theft protection services to breach victims whose Social Security number has been compromised in a breach. Only two other states – California and Connecticut – have similar measures in place.