Computer Security Breaches

On August 17, 2017, Delaware Governor John Carney signed legislation (H.B. 180) amending state law regarding computer security breaches.

Among other things, the bill:

  • Requires any person who conducts business in Delaware and owns, licenses, or maintains personal information to implement and maintain reasonable practices and procedures to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.
  • Amends the definition of “breach of security” and creates a safe harbor if the data included in a breach is encrypted or protected by an encryption key that prevents the data from being read or used.
  • Expands the definition of “personal information” to include:
    • Passport number;
    • A username or email address, in combination with a password or security question and answer that would permit access to an online account;
    • Medical history, mental or physical condition, medical treatment or diagnosis by a health care professional, or deoxyribonucleic acid profile;
    • Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person;
    • Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and
    • An individual taxpayer identification number.
  • Requires entities affected by a data breach to give notice to affected state residents immediately following a determination that a breach occurred. The bill also requires notification within 60 days unless the investigation reasonably determines that breach of security is unlikely to result in harm to the individuals whose personal information has been breached, or law enforcement has requested a delay in notification.
  • Requires entities that experience a security breach to provide identity theft protection services for one year if Social Security numbers were included in the information breached.
  • Requires entities to provide notice to the Attorney General if more than 500 residents are affected by a breach.

The law goes into effect on or about April 14, 2018.

Read DE H.B. 180