CLIENT ALERT: Update to Delaware Data Breach Disclosure Law
Delaware’s data breach disclosure law has been amended to clarify the rules for businesses that hold the personal information of Delaware residents, to provide further protections to those residents, and to align Delaware law with current practices and recent trends. Governor Carney signed the new bill into law on August 17, 2017, and the new law takes effect 240 days after signing, i.e., on April 14, 2018.
All entities (including governments, private sector companies and individuals) that conduct business in Delaware and that own, license or maintain computerized data containing personal information are subject to this law -- and have been since 2005. What is new and noteworthy about the recent legislative amendments?
Data Security Requirement
The new law will mandate that all persons and entities doing business in Delaware implement and maintain reasonable security to protect personal information. Delaware will be one of only 14 states to impose explicit data security obligations on the private sector. Failure to implement such measures can result in enforcement action by the Attorney General and may form the basis for individual causes of action for harm caused by the failure. The law does not define “reasonable security”; technology is evolving, and reasonableness depends on the sensitivity and volume of the data held, the size and complexity of the business’s operations, and the cost of available tools to improve security. For guidance, businesses would do well to measure themselves against one or more widely adopted sets of security controls, such as the Center for Internet Security’s Critical Security Controls, https://www.cisecurity.org/controls/.
Expanded Definition of Personal Information
In addition to social security number, driver’s license number, financial account numbers, and access codes, the new law will expand the definition of personal information to include passport number, user names and passwords for online accounts, medical treatments and diagnoses by health care professionals, DNA profiles, health insurance information, biometric data used for authentication purposes, and individual taxpayer identification numbers. Definitions of personal information can vary widely by state, but Delaware’s new definition will bring it more in line with current trends. Businesses that store such information should therefore review their data security classifications, delete any such data that is no longer needed, and take steps to ensure that the information being maintained receives the proper level of protection.
Clarified Triggers for Notification Obligation
The new law will create one notification obligation for owners or licensees of data and another for their vendors. Only owners or licensees of data will have the obligation to notify Delaware residents whose information has been breached. Vendors, i.e., those who maintain computerized data on behalf of the owners or licensees of that data, will be required to notify only the data owners or licensees (their customers) upon discovery of a breach. Owners and licensees will be obligated to provide notice to affected Delaware residents within 60 days of determining that a breach of security has occurred. A safe harbor provision will excuse the owner or licensee from the obligation to provide notice if, after an appropriate investigation, it reasonably determines within that 60-day period that the breach is unlikely to result in harm to the affected individuals. Vendors, in contrast, must notify their customers immediately upon determining that a breach of security has occurred, and no safe harbor based on risk of harm is available to them. The determination of whether a breach poses a risk of harm to Delaware residents is therefore always left to the data owner or licensee, which means vendor contracts should spell out how quickly and in what form a vendor will report a breach so that the owner’s 60-day clock can be met.
As before, the notification requirement will be subject to a law enforcement exception, allowing the entity providing notice to delay notification at the request of a law enforcement agency. There will also be a carve-out for entities that are subject to other breach notification laws, such as HIPAA or GLBA, so that compliance with those other laws will be deemed compliance with the Delaware law.
Other Significant Changes
An unauthorized acquisition of data will not be considered a breach if the data is encrypted, unless the encryption key that could render the personal information readable has also been accessed. In practice, this exception is only as good as the business’s key management: encryption keys must be stored and protected separately from the data they protect, and the investigation must be able to show that the keys were not exposed. If a breach of security affects more than 500 Delaware residents, the entity required to provide notice must also notify the Attorney General. If the breach includes social security numbers, the entity providing notice must offer credit monitoring services to each affected resident at no cost for one year.
Takeaways for Business Entities
Entities should reduce the risk of breaches by instituting a reasonable written information security program. They should know what data they possess and where it is located, and properly dispose of any sensitive data that is no longer needed. They should implement and rehearse an incident response plan (IRP); preparing a response in advance is essential for legal compliance and business continuity. The IRP should include a communications strategy for informing customers of a breach of security within the deadlines set by Delaware’s and other states’ breach notification laws. Finally, businesses should consider carrying cyber liability insurance that covers the costs of data breach investigation, response, and remediation.
These preventive and proactive measures may not prevent every breach of security or forestall all lawsuits, but they will help protect the company’s reputation and limit its legal exposure in the face of attacks that are, by now, inevitable.