Companies that conduct business in Delaware will need to consider whether their current response plans surrounding data breaches meet the requirements of a new law that is set to take effect in 2018.
On August 17, 2017, the state of Delaware passed a law imposing stricter obligations on companies in the event of a data breach. The law, which goes into effect April 14, 2018, will require companies to inform Delaware residents affected by a data breach within 60 days following discovery of the breach and notify the state attorney general if a breach affects more than 500 residents. Previously, companies were not required to notify the attorney general of data breaches. In addition, the law requires businesses that own, license or maintain personal information to implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use or disclosure of such information.
Definition of Personal Information
The revised law broadens the definition of "personal information" to include a Delaware resident's first and last name in combination with any one or more of the following: (1) Social Security number; (2) driver's license or state or federal identification number; (3) account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a financial account; (4) passport number; (5) a username or email address in combination with a password or security question and answer that would permit access to an online account; (6) medical history, treatment or diagnosis by a health care professional or DNA profile; (7) health insurance identification number; (8) biometric data; and (9) individual taxpayer identification number.
Data Breach Notification
The law also changes the conditions that trigger the requirement to notify Delaware residents and the attorney general in the event of a data breach. Previously, companies were required to notify affected residents after investigating a data breach and concluding that a "misuse of information about a Delaware resident has occurred or is reasonably likely to occur." The revised law requires notice within 60 days following discovery of the breach unless a company investigation "reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached." We anticipate that companies likely will provide notification rather than take the risk that they have improperly determined no harm will result.
If a data breach involves a Social Security number, companies must offer free credit monitoring services to the affected individuals for one year, unless the company has reasonably determined that the breach is unlikely to result in harm to the affected individuals. The Delaware State Chamber of Commerce criticized this aspect of the new law because of its potential to impose a disproportionate burden on small businesses that may be unable to meet the requirement's financial obligations.
Companies that conduct business in Delaware should consider whether their current practices and incident response plans meet the requirements of the new law and, if not, update such practices and plans prior to April 14, 2018.