Delaware Computer Security Breaches
Del. Code tit. 6 § 12B-100 - § 12B-104
SUMMARY:
EFFECTIVE. June 28, 2005
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in Delaware and owns or licenses computerized data that includes Delaware resident Personal Information; and (2) any person or entity which maintains computerized data that it does not own that includes Personal Information.
WHAT IS A BREACH. An unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by a person or business.
WHAT IS PERSONAL INFORMATION. A Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not encrypted:
- Social Security number or Individual taxpayer identification number.
- Driver’s license number or Delaware identification card number.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- Passport number.
- Username or email address, in combination with a password or security question and answer that would permit access to an online account.
- Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or DNA profile.
- Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person.
- Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
Personal Information does not include publicly available information, information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the affected Delaware resident(s). If the affected number of Delaware residents to be notified exceeds 500 residents, the person required to provide notice shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General.
EXCEPTION. This Section does not apply to the following:
- A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not subject to further unauthorized disclosure.
- After an appropriate investigation, the entity reasonably determines that the breach of security is unlikely to result in harm to the individual whose personal information had been breached.
- A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected Delaware individuals are notified by the person or business in accordance with such policies.
- A person or business that is regulated by State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules, is considered in compliance with this Section provided the person or business notifies affected Delaware residents in accordance with such policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or entity first becomes aware of a security breach. The disclosure shall be made as soon as possible and without unreasonable delay, consistent with measures necessary to determine the nature and scope of the breach and to restore the reasonable integrity of the data system, but within 60 days after determination of the breach. Notification may be delayed if it will impede a criminal investigation and law enforcement requests the delay. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic.
- Electronic (if consistent with the provisions regarding electronic records and signatures provided in 15 U.S.C. § 7001 et seq.).
- Substitute notice as provided below.
Credit Monitoring. If the breach of security affects Social Security numbers, the entity shall offer to each resident whose Social Security number was affected, credit monitoring services at no cost for one (1) year. In addition, the notice must include information necessary to enroll in the services and information about how the resident can place a credit freeze on their credit file.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $75,000, the affected class of Delaware residents to be notified exceeds 100,000, or the person or business does not have sufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has Email addresses for the individuals subject to the notice.
- Conspicuous posting of the notice on the website of the person or business.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data that includes Personal Information that it does not own, then the person or business shall immediately notify and cooperate with the owner or licensee upon discovery of the breach. Cooperation shall include sharing information relevant to the breach. The person or entity that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The Attorney General may “bring an action in law or equity to address violations” of this Section, or to recover economic damages resulting from a violation, or both.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. 6 DE Code § 5001C - § 5004C. In the event that a commercial entity seeks permanently to dispose of records containing consumers’ personal identifying information within its custody or control, such commercial entity shall take reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.
LEGISLATIVE UPDATES.
HB 116 – Signed into law on 6/28/2005, Effective 6/28/2005.
HB 247 – Signed into law on 6/10/2010, Effective 6/10/2010.
HB 180 – Signed into law on 8/17/2017, Effective 4/14/2018.
For more information, see here: https://delcode.delaware.gov/title6/c012b/index.html
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.