On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005. The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of “personal information” to include medical information, biometric identifiers, and electronic signatures; and adds additional breach notification and credit monitoring requirements. The bill comes on the heels of other amendments to data breach notification requirements by states such as California, Illinois, Nebraska, Tennessee, and Arizona.
Reasonable Data Security
Delaware’s amended data breach law now requires that any “person” that conducts business in Delaware and “owns, licenses, or maintains” personal information shall “implement and maintain reasonable procedures and practices” for the protection of personal information collected or maintained in the course of business.
Delaware now joins at least 13 other states with data breach laws that affirmatively require private organizations to maintain reasonable security procedures and practices. Under Delaware’s amended data breach law and similar state statutes, private organizations may incur liability for failing to maintain adequate security controls, even where breach notifications to residents are not required.
Breach Notification and Credit Monitoring
Delaware’s amended data breach law also requires organizations to notify Delaware residents that their personal information was breached, or is reasonably believed to have been breached, without “unreasonable delay,” and no later than 60 days after discovery of the breach, unless a shorter notification period is required by federal law (e.g., HIPAA or the GLBA) or law enforcement requests a delay. Organizations are not required to provide notice if an investigation reveals that the breach was unlikely to result in harm to the affected residents.
The amended law also does not require notification for a breach of encrypted data, unless the breach includes an encryption key that the organization reasonably believes could render the encrypted information readable or usable.
In addition, the amended law now requires organizations to provide one year of credit monitoring to Delaware residents whose Social Security numbers may have been exposed as part of the breach. This provision mirrors similar provisions in California and Connecticut.
Definition of Personal Information
Delaware’s amended data breach notification law expands the definition of “personal information” to include a Delaware resident’s first name or first initial and last name in combination with one or more of the following data elements: Social Security number, driver’s license number (or other federal or state identification card number), credit card or financial account number, passport number, shared secrets or security tokens, combined username and password, marriage certificate or marriage certificate number, date of birth, medical history or condition, health insurance policy number, unique biometric data used for authentication, taxpayer identification number, data from an automated license plate recognition system, or an individual’s digital or electronic signature.
The expanded list of elements reflects growing concern among states about the use of biometric identifiers and electronic signatures for authentication in an increasing number of areas, including personal devices, electronic transactions, and building access.
Attorney General Notification and Enforcement
Delaware’s amended data breach law also provides an expanded role for the Delaware state attorney general to enforce data security practices and collaborate with organizations. Organizations are now required to notify the attorney general of a breach if more than 500 Delaware residents are affected. As in Delaware’s previous data breach law, the Delaware attorney general is authorized to take action in law and equity to ensure compliance with the data breach law, or to recover “direct economic damages.” The amended data breach law does not provide for a private right of action.