Under a law enacted last week in Delaware, companies doing business in the State must satisfy significant new data breach requirements by the middle of April 2018. The law amends Delaware’s existing statute relating to data breaches of “personal information” by, among other changes, expanding the definition of “personal information” to include medical information, biometric data, usernames and passwords, and health insurance identification information. On or around April 14, 2018, anyone who conducts business in Delaware and owns, licenses or maintains “personal information” must comply with various additional requirements under Title 6 of the Delaware Code relating to breaches of security involving personal information.

New Law Adds New Compliance Requirements for Delaware Businesses

As of the effective date of the new law, companies conducting business in Delaware will be required to implement and maintain “reasonable procedures and practices” to prevent the compromise of customers’ personal information. They must also meet significant new notification requirements in the event of a data breach, including a requirement to notify any affected Delaware resident of a breach of their personal information within 60 days of determining that a breach has occurred, unless (1) an “appropriate investigation” reveals the breach is unlikely to result in harm; (2) federal law requires faster notification; or (3) law enforcement requests notice be delayed to prevent impeding a criminal investigation.

In cases where a Delaware resident’s Social Security number has been compromised in a data breach, the new law will require the Delaware company that was breached to provide the Delaware resident with one year of free credit monitoring services. If a data breach affects more than 500 Delaware residents, the law will additionally require notification of the Delaware Attorney General.

Delaware is Only the Latest State to Expand Categories of Personal Information Covered by Data Breach Laws

The Delaware law, which amends a 12-year-old State law relating to data breaches of “personal information,” is only the latest example of states filling in gaps in the kinds of personal, sensitive information covered by existing data breach laws. Earlier this month, Maryland enacted a similar law, which amended its Personal Information Protection Act to include health and biometric data as “personal information.” As companies seek to comply with their existing and future data privacy protection and breach notification obligations, understanding the Delaware and Maryland amendments is essential for businesses in those states, and useful for businesses seeking to anticipate legal and regulatory changes that may be coming to their jurisdictions.