Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Sara Merken
Delaware companies now face more stringent data security and breach notification requirements under changes to state law, including an undefined requirement to maintain reasonable corporate security.
All 50 states and the District of Columbia have data breach notice laws. Delaware’s revised law makes it one of the few states to require companies, under specified circumstances, to provide one year of free credit monitoring services to individuals affected by a breach. California and Connecticut have similar requirements.
The amended Delaware law expands the definition of personal information, the breach of which triggers a duty to notify affected residents, to include medical and biometric information. It also sets a specific 60-day time frame for notifying state residents affected by a breach. The amendments to the law, which took effect April 14, include data breach notification requirements similar to those of other states, including the obligation to maintain reasonable security and expansion of the categories of personal information.
While companies have grown accustomed to complying with data breach notice laws, some entities in the state—particularly smaller companies with fewer resources—might be less prepared to demonstrate that their security procedures were reasonable or provide free credit monitoring in the case of a breach, attorneys told Bloomberg Law.
Although there has been a lot of publicity around the new requirements, William Denny, cybersecurity and data privacy partner at Potter Anderson Coroon LLP in Wilmington said he fears “that many companies are still not paying attention.” Complying with the reasonable security standards requires a proactive approach, but companies “may not focus on whether they have implemented reasonable security until after there is a problem,” Denny told Bloomberg Law.
The most significant change in the new statute, which updates the state’s 2005 data breach notification law, is that companies are required to “implement and maintain reasonable procedures and practices” to prevent data breaches, Ryan Keating, a member of Wilmington, Del.-based Morris James LLP’s data privacy and information governance group, told Bloomberg Law.
The amended statute does not offer guidance on what constitutes “reasonable” security, so companies developing security programs “would be wise to consider security standards published by NIST and other organizations,” Keating said, referring to the Commerce Department’s National Institute of Standards and Technology.
The changes enacted in August 2017 trends other states’ breach notification laws expand the categories of personal protected information and tighten the time frame for notifying residents after a breach occurs, Edward McAndrew, a data security attorney who leads the cyber incident response team at Ballard Spahr LLP, told Bloomberg Law.
Companies will now be required to tell state residents affected by a data breach within 60 days and notify the state attorney general if a breach affects more than 500 residents.
Some aspects of the law, such the fact that it applies broadly to any “person,” which includes individuals and all types of public and private entities, will “likely catch some smaller organizations by surprise,” McAndrew said.
The amendments also expand the definition of personal information to include online usernames and passwords, personal medical and health insurance information, and biometric data, and some companies “may not realize its broad application to data and to them,” McAndrew said.
The expansion of the personal information definition increases the percentage of breaches that will require notification, Keating said.
The notification requirement is “more easily triggered” under the new statute, Keating said. Under the previous version of the law, companies were only obligated to notify affected residents “if it was determined that the ‘misuse of information’ ‘has occurred or is reasonably likely to occur.’”
The new law requires notice “unless ‘after an appropriate investigation,’ it is determined that the breach is ‘unlikely’ to harm the affected residents,” he said, quoting from the statute.
The previous statute did not require notification to the attorney general’s office, which sees this as one of the “more notable improvements” of the new law, Carl Kanefsky, public information officer with the state’s Department of Justice, told Bloomberg Law. Kanesfky said the attorney general’s office has done outreach to inform businesses of the new requirements, and plans to do more.
To contact the reporter on this story: Sara Merken in Washington at email@example.com
To contact the editor responsible for this story: Barbara Yuill at firstname.lastname@example.org
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)