The launching of the website, recently announced by the Delaware attorney general, is part of an effort to assist companies in meeting the notification requirements of the state’s recently amended data breach law.

As we previously reported Delaware amended its data breach law for the first time in 12 years on April 17, 2017. The amendments went into effect on April 14, 2018, and are discussed in detail in a Morgan Lewis blog post.

A year after the passage and coincident with the effective date of the new law, Delaware Attorney General Matt Denn announced on April 16, 2018, the launching of an online data security breach reporting resource for both companies and consumers.[1]

The website provides approved template forms for companies to use if they are required by the amendments to notify the Delaware attorney general[2] or consumers of a data breach. The website also provides a link for consumers to file a complaint with the Delaware attorney general.

Below is a review of the new obligations the amendments impose on businesses and individuals.

General Data Security Requirement

As a starting point, the amendments require that individuals and businesses take preventive measures to establish procedures and practices that prevent data breaches. Specifically, the law now requires that “[a]ny person who conducts business” in Delaware and owns, licenses, or maintains individuals’ personal information must “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, and modification, disclosure or destruction of personal information collected or maintained in regular course of business.”[3]

Expanded Definition of Personal Information

The amendments update and expand the definition of “Personal Information.”[4] Personal Information now includes a resident’s first name or first initial and last name in combination with any one of the following:

  • Social Security number
  • Driver’s license or identification card number
  • Bank account number, credit card number, or debit card number
  • Passport number
  • Username or email address in combination with a password or security information that would allow an individual to access an online account
  • Medical history, health insurance identification, or DNA profile
  • Biometric data
  • Individual taxpayer’s identification number.

The amendments also expand the exceptions to the definition of “Personal Information” to include not just federal, state, or local government records, but also “widely-distributed media.”[5] This term likely includes information publicly disseminated or available on social media websites and applications such as Instagram, Facebook, and Twitter.

Notice to the Attorney General

Businesses and individuals aware of a breach are now required to notify the Delaware attorney general if a breach occurs that affects more than 500 Delaware residents.[6]

Notice to Individuals Impacted by a Data Breach Is Now Required Within 60 days

Businesses and individuals aware of a breach are now required to notify all affected individuals of a data breach within 60 days.[7]

Substitute Notice

Businesses and individuals are permitted to provide “substitute notice” if they can establish that:

  • the cost of providing notice will exceed $75,000; or
  • the affected number of Delaware residents will exceed 100,000; or
  • the person who is entitled to notice does not have sufficient contact information to provide notice.

“Substitute Notice” is defined to consist of all of the following:

  • Electronic notice if the email addresses of the affected Delaware residents are available and known
  • Posting notice on the web page of the business or individual if the business or individual maintains one
  • Notice to a major statewide media (this would include newspapers, radio, television, and publications on major social media platforms)

Credit Monitoring

If a data breach occurs, businesses are now required to offer and pay for credit monitoring services to those impacted by the data breach for one year.[8]

A business may be exempt from this requirement, however, if they can show that “after an appropriate investigation” it can be reasonably determined that the breach of security is unlikely to result in harm to the individuals whose personal information was breached.

Rights of Action Under Federal Law and Common Law Unaffected by Delaware Data Breach Law

Finally, the amendments make clear that Delaware’s data breach law should not be construed to impact or modify any individual’s common law rights, or rights under any federal or state statute.[9]