For the first time in 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims.
Breach victims must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information – Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected.
The definition of ‘personal information’ has also been expanded and now includes usernames/email addresses in combination with a password/answers to security questions, password numbers, driver’s license numbers, mental health and physical condition, medical histories, health insurance policy numbers, subscriber identification numbers, medical treatment information, medical diagnoses, DNA profiles, unique biometric data (including fingerprints/retina scans), and taxpayer identification numbers.
Companies can avoid sending notifications and providing credit monitoring services if data is encrypted prior to a cyberattack or other security incident, unless it is reasonably believed the breach also resulted in the encryption key being compromised.
Rep. Paul Baumbach, D-Newark, who sponsored the bill, said the new legislation is “A meaningful step forward in addressing these breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyberattack.”
House Bill 180 was passed earlier this month. The new law has an effective date of April 14, 2018.