Data Breach Legislation in the State of Delaware

Del. Code tit. 6, § 12B-101 is a data breach notification law that was passed in the U.S. state of Delaware in 2017. As Delaware does not have a comprehensive state-level privacy law, Del. Code tit. 6, § 12B-101 sets forth the requirements that businesses and organizations within the state must abide by in the event that they experience a data breach that leads to the unauthorized disclosure of personal information concerning Delaware citizens. Furthermore, the law also establishes the penalties and sanctions that businesses and organizations within Delaware stand to face should they fail to adhere to the various provisions enacted in the law.

How is a data breach defined?

Under Del. Code tit. 6, § 12B-101, a data breach is defined as “the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI. The unauthorized acquisition of such data is not a breach of security to the extent that PI contained therein is encrypted, unless such unauthorized acquisition includes, or is reasonably believed to include, the encryption key and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could render PI readable or useable.” Alternatively, the “good-faith acquisition of personal information by an employee or agent of an entity for the purposes of the entity” does not constitute a data breach under the provisions of Del. Code tit. 6, § 12B-101.

What are the requirements?

Under Del. Code tit. 6, § 12B-101, businesses, agencies, and organizations that conduct operations within the state of Delaware are responsible for providing citizens of the state with data breach notifications in the event that their personal information is improperly disclosed as a result of a data breach. These notices must be provided to Delaware residents without unreasonable delay, but no later than 60 days after a business entity or organization has discovered that it has experienced a data breach. Moreover, in instances where a data breach affects more than 500 residents within the state, businesses and organizations must also provide breach notices to the Delaware Attorney General.

In terms of the contents of these notices, organizations and businesses must provide consumers with details concerning the categories of personal information that were disclosed, as well as any measures that were taken to prevent such disclosures, among other pertinent details. Additionally, Del. Code tit. 6, § 12B-101 mandates that data breach notices are made using one of the following methods:

  • Written notice.
  • “Telephonic notice.”
  • “Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act) or if the person’s primary means of communication with the resident is by electronic means.”

What categories of personal information are covered?

Under Del. Code tit. 6, § 12B-101, the following categories of personal information are covered under the law, in conjunction with a Delaware “resident’s first name or first initial and last name”:

  • Social security numbers.
  • Driver license numbers and state or federal identification card numbers.
  • Passport numbers.
  • Account numbers, credit card numbers, or debit card numbers, in combination with any required security codes, access codes, or passwords that could be used to permit access to an individual’s financial account.
  • Usernames or email addresses, in combination with passwords or security questions that could be used to permit access to an individual’s online account.
  • “Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile.”
  • Health insurance policy numbers, subscriber identification numbers, or any other forms of unique identifiers that could be used by a healthcare insurer to identify a particular individual.
  • “Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes.”
  • Individual taxpayer identification numbers.

What are the penalties for violating Del. Code tit. 6, § 12B-101?

In terms of the enforcement of Del. Code tit. 6, § 12B-101, the provisions set forth in the law are enforced by the Delaware Attorney General. As such, the Delaware Attorney General has the authority to impose “appropriate damages and penalties” against organizations and businesses within Delaware that are found to be in violation of the law. What’s more, Del. Code tit. 6, § 12B-101 also permits citizens of the state of Delaware to bring private right of action lawsuits against businesses and organizations within the state that violate their rights under the law. Such lawsuits have a “cap of triple the damages plus costs and attorney’s fees”. Additionally, if the personal information that has been breached includes social security numbers, the business or organization that experienced the breach must also provide free credit monitoring services to all affected residents for at least 1 year.

Through the enactment of Del. Code tit. 6, § 12B-101, citizens of the state of Delaware were provided with legal protections in the event that their personal information is improperly disclosed as a result of a data breach or other related security incident. In the absence of a comprehensive federal data protection law that provides privacy protection to all residents of the U.S. irrespective of where they live, such as the EU’s General Data Protection Regulation or GDPR, state laws such as Del. Code tit. 6, § 12B-101 are the primary means by which the personal information of the average U.S. citizen is protected. As such, many states around the U.S. will have to continue to pass legislation addressing the issues of data protection and personal privacy, with the goal of ensuring that every U.S. citizen can protect their personal data from harm and misuse.