On Aug. 17, 2017, Delaware revamped its existing data breach notification statute. In doing so, Delaware became the second state (joining Connecticut) to mandate offering individuals affected by a breach of security involving Social Security numbers at least one year of complimentary credit monitoring services. The new law takes effect on April 14, 2018, and includes some minor reworking of definitions to make the entire statute more cohesive, as well as several major new components.
First, the new law expands the definition of “personal information” to include a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual: (1) Social Security number; (2) driver’s license number or state or federal identification card number; (3) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) passport number; (5) a username or email address, in combination with a password or a security question and an answer that would permit access to an online account; (6) medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or DNA profile; (7) health insurance policy number, subscriber identification number or any other unique identifier used by a health insurer to identify the person; (8) unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and (9) an individual taxpayer identification number.
Second, as noted above, if the security breach involved a resident’s Social Security number, the notice letter must include an offer for one year of complimentary credit monitoring services.
Third, the new law requires companies to use reasonable diligence to identify within 60 days that personal information of Delaware residents was included in a security breach and to provide notice to those Delaware residents. Otherwise, notice must be provided as soon as practicable after the determination that the breach of security included the personal information of Delaware residents.
Fourth, if a company is required to notify more than 500 Delawareans of a security breach, the company will also be required to provide notification of the breach to the Delaware attorney general.
Fifth, the new law affirmatively obligates companies that conduct business within Delaware and that own, license or maintain personal information to “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.”