Delaware’s “Computer Security Breaches” Law Needs an Overhaul
I suspect this may surprise most Delawareans. In 2005, Delaware Governor Ruth Ann Minner signed into law House Bill 116. That bill, now codified as 6 Del. C. §§ 12B-101 et seq., requires individuals or commercial entities, upon becoming aware of unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or commercial entity, to make, in good faith, a “reasonable and prompt” investigation “to determine the likelihood that personal information has been or will be misused.” “Personal Information” is specifically defined to include a Delaware resident’s first name or first initial and last name in combination with (a) a social security number, (b) driver’s license number or Delaware Identification Card number, or (c) account number, credit or debit card number, alone or in combination with a security code, access code, or password that would permit access to a resident’s financial account.
The law is applicable to any individual or commercial entity conducting business in Delaware that owns or licenses computerized data that includes personal information. Upon discovery of a breach, notice must be given “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach . . . .”
If a breach that warrants notice occurs, notice may be written, telephonic or electronic (if the notice is consistent with 15 U.S.C. §§ 7001 et seq.). If the cost of providing notice will exceed $75,000 or must be made to more than 100,000 Delaware residents, there are provisions for “substitute notice.” The law can be enforced by the Consumer Protection Division of the Delaware Department of Justice, but provides no express independent cause of action to an injured Delaware citizen.
In my view, the current law has serious shortcomings. First, a law that provides only for prompt and reasonable notice after undertaking an investigation as to whether personal information has been or will be misused has little teeth. Who is it that makes the determination of whether personal information “has been” or “will be” misused. How can one possibly make that determination? In this age of daily headlines announcing data breaches by criminals and foreign governments, it should be fair to presume that the personal data obtained in a breach will be misused.
Second, Delaware residents whose unencrypted personal information has been improperly obtained or revealed have a vested interest being notified before the data can be misused. This weighs in favor of prompt notification – perhaps after a stated period of time, but without regard to the outcome of the investigation.
Third, limiting enforcement power to the Consumer Protection Division of the Department of Justice denies Delaware citizens a potential avenue to seek redress for unauthorized dissemination of their personal information.
Moreover, in the ten years since its enactment, it appears that the Delaware Department of Justice has not filed a single enforcement action. Based on this, one could conclude that, as a mere “notice” statute, anyone who has suffered a breach has followed the notice provisions appropriately and thus there is no basis for enforcement. Or one could conclude that while breaches may have occurred, the entities suffering the breach were subject to one of the statute’s safe harbors, i.e. they were encrypting the personal information that was breached. These are not reasonable conclusions.
In the data security environment, an often heard mantra is “It’s not if, but when, you will suffer a data security breach.” That is, trying to protect against a breach might be a losing proposition. If that is the current reality, it is simply unreasonable to believe that no breaches have occurred. Rather, it is more likely that individuals and entities do not know they have been breached, thus arguably not triggering the notice requirements. Moreover, even if a breach has occurred, and notice is given, proving – or even alleging – actual damages may be extremely difficult.
Apparently sensing shortcomings in the existing law, on June 4, 2013, Senators Sokola and Peterson and Representatives Baumbach, Johnson, Paradee and Carson proposed amending the law (S.B. 102, 147th General Assembly).
The proposed amendments added to the definition of “Personal Information” a person’s name, address and birthdate “in combination with any other personal information with which there would be an increased likelihood of identity theft.”
The amendments also defined a “digital data breach,” making clear that a breach “occurs when a person or entity intentionally, recklessly or negligently and without express authorization . . . makes or causes to be made a display, use, disclosure or copy, in any form of an individual’s digital personal information.”
The amendments additionally proposed that any person or entity that commits a digital data breach shall be subject to damages for the greater of (i) consequential damages and profits derived from the unauthorized use, or both, or (ii) $1000 per breach per person if no actual damages can be proven. Consequential damages would include lifetime monitoring of a claimant’s credit as well as technical expert consultation fees and cost of equipment replacement. Finally, punitive damages may be awarded against a person found to have willfully violated the statute.
In effect, the proposed amendments would allow Delaware residents, injured (or not) by a computerized date breach to assert claims against the “breachor” – the person or entity who breached the system – while the “breachee” – the person or entity whose system was breached has a mere duty of notification. This is not to say that the victimized Delaware resident might not have claims against the breachee, but those claims will need to be pursued under other theories based in contract and tort, with required and sometimes difficult burdens to prove that the victim has sustained actual damages.
In the nearly 2 years since its introduction and submission to the Senate Judiciary Committee, however, no action has been taken on the proposed amendments.
Notwithstanding that the amendments have not been enacted, like the law itself, the proposed amendments are also flawed. First, as a general matter, the amendments do not use the terminology defined in the existing law. For example, the amendments use the term “entity” instead of the defined term from the current law, “commercial entity.” Likewise, the amendments use the term “person” rather than the current law’s “individual.” Are they intended to mean something different? This distinction could be important, as a corporation can be viewed as a “person,” but not generally as an “individual.” The amendment also uses the term “digital personal information.” While one might presume this means personal information maintained electronically, that too is unclear.
Second, personal information is now defined to include information which “in combination with any other personal information . . . [would lead to] an increased likelihood of identity theft.” Should the new definition also include email addresses? Should that be specified? And as for what would lead to an “increased likelihood of identity theft,” what does that mean? Where does the scale tip? The amendments are simply not carefully tailored to advise entities and individuals what they must protect, or how they must protect it.
Third, in an apparent effort to grant direct enforcement rights to Delaware residents, the amendment grants standing to claimants by allowing claimants to recover damages even in the event that actual damages cannot be shown. Yet, the amendment proposes only that the “breachor” may be sued for committing the digital data breach, but what about the “breachee?” One may never determine who the breachor is; but the breachee will be well known. Limiting individual redress to claims against the breachor undermines the stated intent of the original law: to “help ensure that personal information about Delaware residents is protected by encouraging data brokers to provide reasonable security for personal information.” (H.B. 116, 143rd Gen. Assembly, Synopsis). If the Delaware legislature wants to encourage commercial entities and individuals to take reasonable precautions to protect personal information, then it should consider writing a law that requires something more than mere notice that a breach has occurred.
Lastly, the proposed amendment provides that punitive damages are only available against “a person found to have willfully violated this Chapter.” It appears that punitive damages might not be available against an “entity” (or perhaps a “commercial entity”). Moreover, while the amendments would sanction “intentional” breaches, punitive damages are available for “willful” breaches. While these terms can, in some instances, be used interchangeably, why are different terms used here?
The original law was written nearly ten years ago, long before data breaches and data privacy were the hot topics they are today. If, as was intended, the purpose of the law is to encourage holders of personal information to take reasonable steps to safeguard such information, it falls far short. Unfortunately, the proposed amendments do nothing to shore up the shortcomings of the original. I would encourage the Delaware General Assembly to go back to the drawing board and craft a reasonable, rational statute that (i) requires reasonable protection of Delaware residents’ personal information in digital, electronic, paper or other form; (ii) requires prompt notice to any Delaware resident that his/her personal information may have been breached; (iii) provides standing to a Delaware resident to bring actions against any individual or commercial entity – whether breachee or breachor – for any actual damages sustained, or for damages even without proof of actual damages (which might include reasonable (not lifetime) credit monitoring and other measures to protect against identity theft).
Ten years ago, when the original law was drafted, only the State of California had anything similar. (H.B. 116, 143rd Gen. Assembly, Synopsis). Now 47 states have breach notification laws. Much has changed in the last ten years, and the Delaware law needs a substantial overhaul to have any relevance today.
Please visit our website, the Morris James Data Privacy and Information Governance Group, or follow us on Twitter for more information.