The launching of the website, recently announced by the Delaware attorney general, is part of an effort to assist companies in meeting the notification requirements of the state’s recently amended data breach law.
As we previously reported Delaware amended its data breach law for the first time in 12 years on April 17, 2017. The amendments went into effect on April 14, 2018, and are discussed in detail in a Morgan Lewis blog post.
A year after the passage and coincident with the effective date of the new law, Delaware Attorney General Matt Denn announced on April 16, 2018, the launching of an online data security breach reporting resource for both companies and consumers.[1]
The website provides approved template forms for companies to use if they are required by the amendments to notify the Delaware attorney general[2] or consumers of a data breach. The website also provides a link for consumers to file a complaint with the Delaware attorney general.
Below is a review of the new obligations the amendments impose on businesses and individuals.
As a starting point, the amendments require that individuals and businesses take preventive measures to establish procedures and practices that prevent data breaches. Specifically, the law now requires that “[a]ny person who conducts business” in Delaware and owns, licenses, or maintains individuals’ personal information must “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, and modification, disclosure or destruction of personal information collected or maintained in regular course of business.”[3]
The amendments update and expand the definition of “Personal Information.”[4] Personal Information now includes a resident’s first name or first initial and last name in combination with any one of the following:
The amendments also expand the exceptions to the definition of “Personal Information” to include not just federal, state, or local government records, but also “widely-distributed media.”[5] This term likely includes information publicly disseminated or available on social media websites and applications such as Instagram, Facebook, and Twitter.
Businesses and individuals aware of a breach are now required to notify the Delaware attorney general if a breach occurs that affects more than 500 Delaware residents.[6]
Businesses and individuals aware of a breach are now required to notify all affected individuals of a data breach within 60 days.[7]
Businesses and individuals are permitted to provide “substitute notice” if they can establish that:
“Substitute Notice” is defined to consist of all of the following:
If a data breach occurs, businesses are now required to offer and pay for credit monitoring services to those impacted by the data breach for one year.[8]
A business may be exempt from this requirement, however, if they can show that “after an appropriate investigation” it can be reasonably determined that the breach of security is unlikely to result in harm to the individuals whose personal information was breached.
Finally, the amendments make clear that Delaware’s data breach law should not be construed to impact or modify any individual’s common law rights, or rights under any federal or state statute.[9]
For more information, or if you have any questions regarding the issues discussed in this Alert, please contact any of the following lawyers:
Philadelphia
Greg Parks
Ezra Church
San Francisco
Reece Hirsch
Wilmington
Justin Victor
Jody Barillare
[1] The resources can be found here and here.
[2] See the forms here and here.
[3] § 12B-100. Protection of personal information.
[4] § 12B-101(4)(a)(1)-(9). Definitions: Personal Information.
[5] § 12B-101(b). Definitions: Personal Information.
[6] § 12B-102(d). Disclosure of Breach.
[7] § 12B-102(c). Disclosure of Breach.
[8] § 12B-102(e). Disclosure of Breach.
[9] § 12B-104(b). Violations.