Delaware Ramps Up Data Breach Compliance Mandates


By Sara Merken

Delaware companies now face more stringent data security and breach notification requirements under changes to state law, including an undefined requirement to maintain reasonable corporate security.

All 50 states and the District of Columbia have data breach notice laws. Delaware’s revised law makes it one of the few states to require companies, under specified circumstances, to provide one year of free credit monitoring services to individuals affected by a breach. California and Connecticut have similar requirements.

The amended Delaware law expands the definition of personal information, the breach of which triggers a duty to notify affected residents, to include medical and biometric information. It also sets a specific 60-day time frame for notifying state residents affected by a breach. The amendments to the law, which took effect April 14, include data breach notification requirements similar to those of other states, including the obligation to maintain reasonable security and expansion of the categories of personal information.

While companies have grown accustomed to complying with data breach notice laws, some entities in the state—particularly smaller companies with fewer resources—might be less prepared to demonstrate that their security procedures were reasonable or provide free credit monitoring in the case of a breach, attorneys told Bloomberg Law.

Although there has been a lot of publicity around the new requirements, William Denny, cybersecurity and data privacy partner at Potter Anderson Coroon LLP in Wilmington, said he fears “that many companies are still not paying attention.” Complying with the reasonable security standards requires a proactive approach, but companies “may not focus on whether they have implemented reasonable security until after there is a problem,” Denny told Bloomberg Law.

What’s Reasonable?

The most significant change in the new statute, which updates the state’s 2005 data breach notification law, is that companies are required to “implement and maintain reasonable procedures and practices” to prevent data breaches, Ryan Keating, a member of Wilmington, Del.-based Morris James LLP’s data privacy and information governance group, told Bloomberg Law.

The amended statute does not offer guidance on what constitutes “reasonable” security, so companies developing security programs “would be wise to consider security standards published by NIST and other organizations,” Keating said, referring to the Commerce Department’s National Institute of Standards and Technology.

Change to Time Frame, Personal Data Definition

The changes, enacted in August 2017, track trends in other states’ breach notification laws that expand the categories of protected personal information and tighten the time frame for notifying residents after a breach occurs, Edward McAndrew, a data security attorney who leads the cyber incident response team at Ballard Spahr LLP, told Bloomberg Law.

Companies will now be required to tell state residents affected by a data breach within 60 days and notify the state attorney general if a breach affects more than 500 residents.

Some aspects of the law, such as the fact that it applies broadly to any “person,” which includes individuals and all types of public and private entities, will “likely catch some smaller organizations by surprise,” McAndrew said.

The amendments also expand the definition of personal information to include online usernames and passwords, personal medical and health insurance information, and biometric data, and some companies “may not realize its broad application to data and to them,” McAndrew said.

The expansion of the personal information definition increases the percentage of breaches that will require notification, Keating said.

Notification Standard Is Easier to Trigger

The notification requirement is “more easily triggered” under the new statute, Keating said. Under the previous version of the law, companies were only obligated to notify affected residents “if it was determined that the ‘misuse of information’ ‘has occurred or is reasonably likely to occur.’”

The new law requires notice “unless ‘after an appropriate investigation,’ it is determined that the breach is ‘unlikely’ to harm the affected residents,” he said, quoting from the statute.

The previous statute did not require notification to the attorney general’s office, which sees this as one of the “more notable improvements” of the new law, Carl Kanefsky, public information officer with the state’s Department of Justice, told Bloomberg Law. Kanefsky said the attorney general’s office has done outreach to inform businesses of the new requirements, and plans to do more.

To contact the reporter on this story: Sara Merken in Washington at smerken@bloomberglaw.com

To contact the editor responsible for this story: Barbara Yuill at byuill@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
