[BreachExchange] Delaware Passes Amendment to Data Breach Notification Law

Mon Sep 4 16:54:09 EDT 2017

https://www.natlawreview.com/article/delaware-passes-amendment-to-data-breach-notification-law

For the first time since 2005, Delaware has amended its data breach
notification law (DE Code Tit. 6, 12B-101-104). Whereas Delaware’s previous
law only required companies to notify affected residents of a breach “as
soon as possible” after determining that “misuse of information about a
Delaware resident has occurred or is reasonably likely to occur,” House
Substitute 1 for House Bill 180
<https://legis.delaware.gov/BillDetail/26009> strengthens the requirements
for companies that conduct business in Delaware in several ways.
Reasonable Data Security

Any “person” who conducts business in Delaware and “owns, licenses, or
maintains” personal information is required to “implement and maintain
reasonable procedures and practices to prevent the unauthorized
acquisition, use, modification, disclosure, or destruction of personal
information collected or maintained in the regular course of business.”
This puts Delaware in line with 14 other states that require private
organizations to maintain reasonable data security practices. It also makes
private organization susceptible to liability for failing to maintain
adequate security procedures, even where notification of a breach is not
required.
Definition of Personal Information

Delaware’s law previously defined “personal information” as a Delaware
resident’s first name or first initial and last name in combination with
their (1) Social Security number, (2) driver’s license number or state
identification number, or (3) account number, credit card number or debit
card number in combination with any required security code, access code or
password that would permit access to a financial account. The revised law
adds the following data elements to the definition of “personal
information,” which continues a trend of states focused on protecting
information related to health, technology and personal finance:

   -

   Federal identification number
   -

   Passport number
   -

   Username or email address in combination with a password or security
   question and answer that would permit access to an online account
   -

   Medical history, treatment or diagnosis by a health care professional
   -

   DNA profile
   -

   Health insurance identification number
   -

   Taxpayer identification number.

Threshold for Notification – Risk of Harm & Encryption Safe Harbor

Notification to affected individuals (and in certain instances the Delaware
Attorney General) is not required if the company reasonably determines
through an investigation that the data breach is unlikely to result in harm
to the affected individuals. Notification also is not required if the
breach involves encrypted data, unless the breach includes the encryption
key that could reasonably render the data readable or useable, which is
another new element of the law.
Timing

Notification to affected individuals must be made “without unreasonable
delay” and within 60 days after discovering the breach. Some states have
more restrictive timelines, such as Florida, which requires notification
within 30 days, and Vermont, Ohio, Rhode Island and Washington, which
require notification within 45 days. Whereas the previous law required
notification “in the most expedient time possible,” the amendment offers
clear guidance. The amendment further notes that the new timing requirement
does not apply where a shorter time is required under federal law or if law
enforcement requests that notice be delayed so as not to impede a criminal
investigation.
Attorney General Notification

If the breach affects more than 500 Delaware residents, companies are
required to notify the Delaware Attorney General “not later than the time
when notice is provided to the resident.” Similar to the previous law, the
Attorney General may bring an action in law or equity to ensure proper
compliance or to “recover direct economic damages resulting from a
violation.”
Credit Monitoring Now Required

If the breach includes an individual’s Social Security number, companies
are required to offer credit monitoring and identity theft protection
services for one year. California and Connecticut are the only other states
with such a requirement.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170904/97412b66/attachment.html>