Delaware Data Breach Law has been Amended
Earlier this month, the act to amend the data breach law was signed by the Governor. This amendment will become effective on April 14, 2018. The amendment is to increase notice requirements for breaches or potential breaches and reduces the protection provided by previous safe harbor provisions.
Key changes in the amendment include:
-
Preventive Measures. Businesses must now implement reasonable procedures to prevent unauthorized access to personal information they collect or maintain. Which is a new requirement.
-
Amendment to the Definition of Breach. The definition been replaced with “breach of security,” which is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
-
Amendment to the Definition of Personal Information. The definition of "personal information" has been expanded to include a broader range of data elements, if unencrypted and not lawfully made publicly available, such as along with a Delaware resident's first name or first initial and last name and one or more of the following data elements:
-
Social Security number
-
Driver's license number or identification card number
-
Account number, credit card number, or debit card number
-
Passport number
-
Username or email address with password or security question and answer
-
Medical history, treatment, diagnosis, or deoxyribonucleic acid profile
-
Health insurance policy number, subscriber identification number, or other unique identifier
-
Unique biometric data for authentication purposes
-
Individual taxpayer identification number.
-
-
Notification Requirements. If a breach occurs, businesses must promptly notify affected Delaware residents, unless it's determined that no harm is likely. Notification must be made within 60 days unless delayed by law enforcement or difficulties in identifying affected individuals. This also includes notice to and cooperate with the owner or licensee of the information of any breach of security immediately following determination of the breach of security.
-
Attorney General Notice. If over 500 Delaware residents need to be notified, the person responsible must also inform the Delaware attorney general as well.
-
Notice Requirements for Social Security Numbers. For breaches involving Social Security numbers, affected residents must be offered free credit monitoring services for a year free of charge along with information on how to enroll or place credit freezes.
-
Notice Requirements for Email Account Credentials. For breaches involving login credentials of an email account, alternative notification methods must be used.
These updates emphasize the importance of safeguarding personal data and ensuring swift, transparent communication in case of security incidents affecting Delaware residents. For businesses operating in Delaware, compliance with these new requirements is essential to mitigate risks and uphold consumer trust.
Stay Ahead of the Curve! Explore our comprehensive CLIClaw Compliance Library for in-depth resources and insights.
© 2017 Cliclaw.com
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.