On August 17, 2017, Delaware Governor John Carney signed into law HB 180, completing an update to a nearly 12-year old breach notification statute that had little teeth, and no enforcement. The new law, which applies to “Any person who conducts business in this State and owns licenses or maintains personal information” requires that such person “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure or destruction of personal information collected or maintained in the ordinary course of business.” The law contains substantive provisions that will require significant preparation and education before it becomes effective on April 14, 2018.
Material amendments to the new law include the following:
- With the law applying to “Any person who conducts business in this State and owns, licenses or maintains personal information . . . ,” it is now clear that governmental entities are also included. Such entities had previously been carved out of the prior law.
- The law is restricted to computerized data. It does not address data kept in any other medium.
- The law does not apply to encrypted data unless any unauthorized acquisition of the data also includes, or is reasonably believed to include, the encryption key.
- Personal information now includes the first name, or first initial, and last name of any Delaware resident in combination with any of the following elements:
- Social Security Number
- Driver’s license number, or state or federal identification number
- An account number, credit card number or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.
- Passport number
- Username or email address, in combination with a password or security question and answer that would permit access to an online account.
- Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or deoxyribonucleic acid (DNA) profile.
- Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person.
- Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes
- An individual taxpayer identification number.
- A person who owns or licenses personal identification must provide notification of a breach to any Delaware resident whose personal information was breached or is reasonably believed to have been breached unless, after an appropriate investigation, the person reasonably determines that the breach is unlikely to result in harm.
- A person who maintains computerized data that includes personal information must immediately provide notice to and cooperate with the owner or licensor of the information, including providing information relevant to the breach.
- Notice to Delaware residents must be made without unreasonable delay, but not later than 60 days after a determination that a breach has occurred, unless
- Federal law requires a shorter notification time
- A law enforcement agency determines that providing notice will impede a criminal investigation, and the law enforcement agency has requested that notice should be delayed.
- If notice must be made to more than 500 Delaware residents, notice of the breach must also be provided to the Delaware Attorney General.
- If a breach includes social security numbers, credit monitoring services must be provided to each affected Delaware resident for a period of not less than 1 year.
- The Delaware Attorney General may bring actions to address any violations of the new law, including seeking recovery for direct economic damages resulting from a violation.
- The new law does not create a private right of action.
All persons subject to the law should make a concerted effort to determine the types of personal information they might have or maintain and take appropriate steps to secure such information. This may include classifying information in a particular way, and segmenting one’s system to help prevent inadvertent acquisition or disclosure of personal information. Other steps may involve encrypting personal information and storing encryption keys in a safe place away from the encrypted data.
Additional precautions may include training employees to recognize personal information subject to the law and understand ways to prevent its inadvertent disclosure. Preventing breaches has been, and will continue to be, a team effort between management, IT staff, and all employees.
The clock is ticking. Slightly more than 3 months remain before this new law goes effective. With a Delaware governor focused on cybersecurity, it is reasonable to expect that the Attorney General’s office will be active in enforcing this new law.