What's Changed Under Delaware's New Data Breach Law
For the first time in 12 years, Delaware has updated its data breach disclosure law and has enacted new requirements for businesses to safeguard personal information. Gov. John Carney, describing cyberthreats as “one of the most serious economic challenges we face,” signed the measure on Aug. 17, 2017. The new law will take effect on April 14, 2018. It imposes additional obligations on businesses, while at the same time clarifying their notification obligations and bringing the law into line with recent trends in other states.
New Data Security Requirement
Delaware joins a small but growing number of states that impose data security requirements on persons conducting business in the state and owning, licensing or maintaining personal information of Delaware residents. The new law requires such persons to “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.”[1] This provision is intended to raise awareness among businesses of all sizes of their obligation to protect data, and may give the Delaware Department of Justice greater leverage in its investigation of data breaches.
The Revised Notice Requirement
Under the previous version of the law, known as Computer Security Breaches,[2] a person doing business in Delaware and suffering a data breach involving the personal information of a Delaware resident had an obligation to conduct a reasonable and prompt investigation “to determine the likelihood that personal information has been or will be misused.” The law imposed no obligation to notify Delaware residents of the breach unless and until an investigation actually determined that misuse of the information either “has occurred or is reasonably likely to occur.” Such a standard left businesses unsure of their obligations following a data breach and gave them every incentive to avoid or delay providing notice without fear of consequence. Under the new law, the same person suffering a data breach will have a 60-day period within which to provide notice, unless, during that time, the person reasonably determines after an appropriate investigation that the breach of security is “unlikely to result in harm.” Thus, under the new formulation, the risk of harm analysis is no longer a trigger to provide notice, but rather is a limited exception to the notice requirement.
Moreover, there is a significant difference in the level of harm analysis, with notice under the previous version of the law required only when harm is “likely to occur,” which will almost never be the case unless there is clear evidence that harm is already occurring. In contrast, under the new version, notice is required unless the breach is “unlikely to result in harm.” This is likely to require the person suffering the data breach to provide notice in most cases, unless it is clear that the information is unlikely to have fallen into the wrong hands. The new law thus provides a stronger bias toward providing notice.
As in the previous version of the law, businesses are encouraged to encrypt their sensitive data, as this provides a safe harbor in the event of a breach. If the breached data is encrypted, there is no notice obligation. However, the new law provides an exception to this safe harbor. If the breach involves not only encrypted data but also the encryption key that could render the encrypted data readable, then the safe harbor of encryption does not apply. The moral of this story is that companies should keep encryption keys safe, locked down, and segmented from the encrypted data.
The new Delaware law also revises the obligation of vendors to notify their customers of a data breach in a way that will benefit businesses that rely heavily on vendors. Under the new law, “a person that maintains computerized data that includes personal information that the person does not own or license” (i.e., a vendor) must give immediate notice to “the owner or licensee of the information” (i.e., its customer) upon its determination that there has been a breach of security. Under the previous version of the law, a vendor was only required to notify its customer of a data breach when the vendor determined that misuse of the information had “occurred or is reasonably likely to occur.” In other words, the vendor conducted its own risk of harm analysis and had no obligation to notify its customer unless its investigation satisfied a high, and highly subjective, threshold. Under the new version of the law, the vendor must provide immediate notice without any consideration of whether there is a risk of harm. It is up to the customer, the one who owns or licenses the information, to conduct the risk of harm analysis with the cooperation of the vendor. Thus, the law assigns responsibility for the risk of harm analysis where it rightfully belongs, with the person that owns or licenses the information. The business that owns its own customer and employee data has a greater incentive to investigate a potential breach of this data than does its vendor, which has no direct relationship with the customers or employees of the business.
Delaware has opted not to prescribe the contents of the notice required to be sent to its residents in the event of a breach. Rather, it has left development of a required form of notice to the director of consumer protection of the Delaware Department of Justice under its regulatory powers. We expect that the Department of Justice will provide guidance as to the form of notice prior to the new law’s effective date.
Credit Monitoring Services Required
Delaware becomes the second state, after Connecticut, to require that its residents be offered credit monitoring services at no cost to the residents for a period of one year if the breach of security includes Social Security numbers. Under Connecticut law, if a breach involves a Connecticut resident’s name and Social Security number, the person suffering the breach must offer the affected individual “appropriate identity theft prevention services and, if applicable, identity theft mitigation services.”[3] In contrast to what has been reported in some legal publications, California does not require the mandatory offering of credit monitoring. Rather, California law only imposes certain obligations on companies regarding identity theft prevention and mitigation services if they choose to offer such services to the affected persons.[4]
Is there a distinction between credit monitoring services and identity theft prevention and mitigation services? Delaware law specifies credit monitoring services while the laws of Connecticut and California refer to identity theft prevention and mitigation services. The law does not define these services, so companies faced with these obligations would likely resort to the commonly understood meaning of the phrases. While closely related to identity theft prevention, it is likely that credit monitoring represents a subset of identity theft prevention services and presumably is less expensive.
Expanded Definition of Personal Information
Delaware has followed a trend in other states expanding the categories of information qualifying as “personal information” that is subject to the protections of the law. As in the previous version of the law, to be personal information, the various categories of information must be associated with a Delaware resident’s first name or initial and last name. In addition to Social Security number, driver’s license number and financial account numbers in combination with any required password or security code, the new categories include (1) passport number, (2) a username or email address in combination with a password or security question that would permit access to the account, (3) medical information, (4) health insurance information, (5) DNA profile, (6) biometric data used for authentication purposes, and (7) an individual taxpayer identification number.
Along with expanding the definition of personal information, Delaware also expands the carveout of what would be considered publicly available, and so not covered by the law. In addition to the existing carveout of information lawfully made available to the general public from government records, the revised law adds “widely distributed media.” Thus, information that an individual publishes on his or her public Facebook page would presumably no longer be considered “personal information” for purposes of Delaware’s data breach disclosure law.
For the first time, the Delaware attorney general must be notified if the number of affected Delaware residents to be notified exceeds 500. Previously, the Delaware Department of Justice was not notified of breaches unless the person suffering the breach had voluntarily reported the breach to law enforcement or a person receiving a notice of breach had contacted the attorney general. Because of both this lack of notice and the lack of clarity regarding when there was a duty to notify, there appear to have been no enforcement actions under the previous law. With enhanced notice requirements, greater clarity of the obligation to notify and additional obligations to implement and maintain reasonable data security, it is reasonable to conclude that Delaware may see more enforcement actions in the future.
1. 6 Del. C. §12B-100.
2. 6 Del. C. §§12B-101 et seq.
3. Conn. Gen. Stat. §36a-701b.
4. Cal. Civ. Code §1798.82(d)(2).
This article was originally published by Law360 on August 24, 2017.