Delaware House Moves Bill to Expand Data Breach Notice Law

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Leslie A. Pappas

The Delaware House has moved legislation that would strengthen the state’s data breach notification law.

The bill would require any person doing business in Delaware to safeguard personal information. It would expand the definition of personal information to include medical information, biometric data, user names and passwords, passport numbers, routing numbers to accounts, and individual taxpayer identification numbers.

The bill would also add a new requirement that companies notify the state attorney general of breaches affecting more than 500 residents.

The bill brings clarity to the rules for businesses that hold personal information and balances their needs with increased protections for Delaware residents, William R. Denny, privacy partner at Potter Anderson & Corroon LLP, in Wilmington, Del., who was involved in drafting the measure on behalf of the Delaware State Bar Association, told Bloomberg BNA June 29.

Delaware’s law on data breaches hasn’t changed since 2005 and is “in dire need of an update,” he said.

The bill would also require companies to provide a year of identity theft protection services to any Delaware resident whose Social Security number is compromised in a security breach. If passed, Delaware would become the third state in the country, after California and Connecticut, to enact such a measure, Denny said.

Creating a uniform policy “is one of the hallmarks of the bill,” Rep. Paul Baumbach (D), the bill’s sponsor, told Bloomberg BNA when the measure was first introduced in May.

Baumbach said that he expects a Senate vote June 30, the last day of the legislative session. Gov. John Carney (D) supports the measure and is expected to sign it, the governor’s office told Bloomberg BNA June 29.

Data Breach Bill Changes

The bill would apply to any legal or commercial entity in the state that uses personal information, unless the company is part of an industry already covered by more stringent data protection measures under state or federal law, such as the health care and finance industries, Baumbach said.

The bill would also:

  •  tweak the definition of personal information to include biometric data, user names and passwords, individual taxpayer identification numbers;
  •  add a clear timeline for notification, requiring business owners investigate and notify consumers of a data breach within 60 days; and
  •  clarify the risk-of-harm analysis, obligating businesses to notify consumers of a security breach unless an investigation shows the breach is unlikely to result in harm.
The House June 28 voted 37-3 to approved an amended substitute version of the bill, House Substitute 1 for House Bill 180, which revised some terminology to reflect input from a wide group of stakeholders.

Stakeholders included Delaware’s Department of Justice and Department of Technology and Information, the governor’s office, small business groups, and an industry coalition of companies that use consumer data, including Facebook Inc., Alphabet Inc.'s Google, Inc., Comcast Corp., and Verizon Communications Inc., Denny said.

To contact the reporter on this story: Leslie A. Pappas in Philadelphia at

To contact the editor responsible for this story: Donald Aplin at

For More Information

House Bill 108 (revised version) is at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Corporate on Bloomberg Law