Delaware has amended its data breach notification law by introducing some of the strictest requirements of any state. It is the first time in a decade that any change has been made to the law. According to the update, any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information. Furthermore, the ‘person’ must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims.
According to the legislation, patients who have been affected by a breach must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information. Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected.
The update to the breach law included an expansion of the definition of ‘personal information’. This now includes usernames/email addresses in combination with a password/answers to security questions, password numbers, driver’s license numbers, mental health and physical condition, medical histories, health insurance policy numbers, subscriber identification numbers, medical treatment information, medical diagnoses, DNA profiles, unique biometric data (including fingerprints/retina scans), and tax payer identification numbers.
However, it is not in every instance in which companies are required to send notifications and provide credit monitoring services. If the breach includes data that is encrypted prior to a cyberattack or other security incident, these measures are not required, unless it is reasonably believed the breach also resulted in the encryption key being compromised.
Rep. Paul Baumbach, D-Newark, who sponsored the bill, said the new legislation is “A meaningful step forward in addressing these breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyberattack.” House Bill 180 was passed earlier this month. The new law has an effective date of April 14, 2018.