Delaware recently amended its data breach notification law to include the following requirements:
- Expanded definition of “personal information” to include biometric data, medical information, passport numbers, routing numbers for accounts, individual taxpayer identification numbers and usernames in addition to the traditional forms of PII such as birth date and social security numbers.
- Notice to affected individuals within 60 days.
- Notice to the Delaware Attorney General if the breach affects more than 500 residents of Delaware.
- Provide one year of free identity theft protection services in breaches where Social Security numbers were compromised (joining CA and CT).
Companies are not required to notify individuals if, after an appropriate investigation (i.e., performing a risk assessment), the company reasonable determines there is no risk of harm to the individuals.
On the cybersecurity side of things, the new law requires companies to “implement and maintain reasonable security” to protect the information a company collects and holds for Delaware residents.
The effective date of the new law is April 14, 2018.