Delaware Expands Data Security Laws

King & Spalding

On August 17, 2017, Delaware Governor John Carney signed into law an Act (“Act”) amending the Delaware Code (“Code”) as it relates to security breaches involving personal information. The Act revises the definition of what constitutes a security breach in this context and includes expanded data breach notification requirements, as well as a new requirement that those conducting business in Delaware implement and maintain reasonable security to protect the personal information of persons.

Under the revised Code, personal information is expanded to expressly include, among other things, passport numbers, usernames and email addresses in combination with passwords or security questions and answers that would permit access to an online account, medical information, health insurance information, and biometric data.

The new security requirement expressly states that any person (defined as “an individual; corporation; business trust; estate trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity”) who conducts business in Delaware shall “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.”

The revised Code further requires that owners and licensees of personal information provide notice, within 60 days of discovering the breach, to Delaware residents whose personal information is breached or reasonably believed to have been breached. No notice is required, however, if after an appropriate investigation, the person who would be charged with providing notice determines that the breach is unlikely to result in harm to the individuals whose personal information has been breached. In contrast, if a person maintains computerized data including personal information but is not the owner or licensee of such information, immediate notice and cooperation must be provided to the information’s owner or licensee after discovering the breach.

In addition, the revised Code requires notification to the Delaware Attorney General if there are more than 500 affected Delaware residents. When a breach includes social security numbers, the revised Code also requires offering credit monitoring services at no cost for a period of 1 year.

Like New Mexico’s data breach notification law that went into effect on June 16, 2017 (discussed in a King & Spalding Client Alert from May 12, 2017), the revised Code accounts for persons who may be subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Gramm-Leach-Bliley Act. Under the revised Code, a person regulated by state or federal law is deemed to be in compliance with the Delaware Code’s breach notification requirements if the person maintains procedures for a security breach according to requirements from its regulator (for example, under HIPAA or the Gramm-Leach-Bliley Act) and notifies affected Delaware residents in accordance with those procedures when a breach occurs.

The Act is set to become effective on April 14, 2018, 240 days after its enactment. The time from enactment to effectiveness was extended from 120 days as originally proposed to allow additional time for businesses to comply with the notification requirements.

The text of the Act is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
