Data Breach Notification in Delaware
What are the data breach notification laws in Delaware?
Statute Codes
Breach notification in Delaware is covered under a section of state law called Computer Security Breaches. The official designation is Del. Code Ann. tit. 6 § 12B-101 et seq. It includes H.B. 116, which became law June 28, 2005, and was rendered effective June 28, 2005. H.B. 247 is also included, and was made law June 10, 2010, and signed on the same day. Also, Delaware’s Computer Security Breaches law includes House Substitute 1 for HB 180, which was signed on August 17, 2017, and made effective April 14, 2018.
Legal Requirements and Purpose
Laws pertaining to breach notification in Delaware apply to entities. Entities include individuals, partnerships, corporations, business trusts, LLCs, associations, governments, joint ventures, subdivisions of government, government agencies or instrumentalities, public corporations, or basically any operation or individual defined as an entity in the legal or commercial sense. Delaware law additionally applies to entities outside the state that may manage personal information (PI) of state residents. If you’ve got any PI on Delaware residents, breach notification laws apply to you.
Delaware describes a security breach as unauthorized access of computerized data that involves the integrity, security, or confidentiality of PI. If PI is encrypted, and it is accessed in an unauthorized way, this isn’t a breach unless those who have obtained such encrypted data can decrypt it. If there’s a reason to believe someone can decrypt the encrypted data, breach notification is also required. If you suspect there’s a decryption key out there, you’d better notify the proper parties. However, good-faith acquisition of PI isn’t a breach, provided it’s also used in good faith.
Breach Reporting Timeframes
Delaware requires breach notification if the PI of any Delaware resident is compromised, or if the entity can reasonably believe such data may have been compromised. If, after an appropriately conducted investigation, it is determined that the breached data won’t threaten affected parties, notification isn’t required.
If there are more than 500 residents affected, the entity must contact the AG. This contact must happen no later than the notification of affected residents, and ideally sooner. Credit monitoring services must also be provided should a DE resident’s SSN be compromised. You must, under the law, provide credit monitoring services for a year, for free, if an SSN has been compromised or is believed to have been compromised. Also, Delaware law requires entities to give affected individuals all the information they need to enroll in such credit monitoring services and help them understand how to place a credit freeze on their file. Again, if the investigation shows harm won’t come to affected individuals, notification isn’t necessary.
As for third parties, an entity that holds PI on their behalf when a breach happens must let them know as soon as reasonably possible. If it’s feasible, this notification should be sent out immediately once a breach has been identified. This notification should include cooperation with third parties and sharing of licensee information if such sharing becomes necessary. Such notification can’t be made later than 60 days in Delaware. If federal law sets a shorter timeframe, then that takes precedence. If it can’t be determined within 60 days that PI was compromised in a breach, then the entity must provide notice to affected residents as soon as it is feasible. This applies unless substitute notice, which will subsequently be defined, has already been given.
Should it be determined that the cost of providing notice exceeds $75,000, or that more than 100,000 residents are affected, or that there’s no contact information for affected parties, then three substitute notice efforts are required.
Contact Security Compliance Associates Today
SCA has years of experience helping organizations across the United States to prevent and manage potential data breaches. Contact us today at 727-571-1141 to schedule a no-cost consultation. You can also download our free Data Breach Response Guide to learn more about breach notification law in your state.