Delaware has modified its data breach notification law in an amendment set to take effect in April 2018. Signed on August 17, 2017, the amendment is the first significant change to Delaware’s data breach notification law since its original enactment in 2005. The amended law requires companies to notify affected Delaware residents of a breach involving their personal information within 60 days (replacing the current requirement of notification “as soon as possible”) after determination of a breach and adds a requirement to notify Delaware’s attorney general of any breach affecting more than 500 residents. Additionally, companies will now have to provide a year of free credit monitoring services for any resident whose Social Security number was breached. Other changes to the law include broadening its definition of personal information and narrowing its safe harbor for encrypted data.
The changes are generally in line with trends among other state data breach notification laws. Although most states still require notification within a non-specific timeframe (e.g., “the most expedient time possible” or “without unreasonable delay”), a number of states already set specific time limits for notification, several of which are shorter than Delaware’s new 60-day deadline. (For example, Florida requires notice within 30 days after discovery of a breach.) Likewise, more than 20 states already require notice to the state attorney general or other state regulator in the event of a breach.
Less typical is Delaware’s new requirement to provide credit monitoring services to affected individuals. Previously, only California and Connecticut had enacted requirements addressing the provision of credit monitoring services as part of their data breach notification laws. Connecticut, for example, requires companies to provide “appropriate identity theft prevention services and, if applicable, identity theft mitigation services” for at least 12 months to residents whose Social Security numbers have been breached. Similarly, California requires companies to provide affected individuals with “an offer to provide appropriate identity theft prevention and mitigation services, if any, … at no cost to the affected person for not less than 12 months.”
Delaware also expanded its definition of “personal information” to include biometric data, online account access credentials, medical history and other categories of information increasingly covered by other state data breach notification laws. (An entity that is subject to the Health Insurance Portability and Accountability Act (HIPAA) is deemed to be in compliance with the Delaware requirements if it complies with HIPAA’s breach notification requirements.) Delaware’s existing safe harbor for encrypted data has also been narrowed to exclude breaches of encrypted data that include the encryption key, following the trend of other states’ laws.
The amendment will go into effect 240 days after its enactment (i.e., on or about April 14, 2018).