Delaware now has the strictest breach notification requirements of any state following the first amendment to its data breach notification law in a decade. House Bill 180 was passed earlier this month, and the new law has an effective date of April 14, 2018.
Under the new rules, any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information. Furthermore, the organisation must offer breach victims complimentary credit monitoring services for 12 months. Those affected by the breach must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach.
Although Connecticut was the first state to introduce such laws, Delaware’s amendments mean that its legislation is stricter. The state of California also requires the provision of credit monitoring services to breach victims. Delaware joins 13 other states in requiring companies operating in the state to implement “reasonable” security measures to safeguard personal information.
In the amendment, the definition of ‘personal information’ was expanded and now includes usernames/email addresses in combination with a password/answers to security questions, passport numbers, driver’s license numbers, mental health and physical condition, medical histories, health insurance policy numbers, subscriber identification numbers, medical treatment information, medical diagnoses, DNA profiles, unique biometric data (including fingerprints/retina scans), and taxpayer identification numbers.
If data is encrypted prior to a cyberattack or other security incident, companies do not need to send notifications or provide credit monitoring services. For encrypted data, these only need to be provided if there is reasonable evidence that the breach also resulted in the encryption key being compromised.
Rep. Paul Baumbach, D-Newark, who sponsored the bill, said the new legislation is “A meaningful step forward in addressing these breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyberattack.”