On August 17, 2017, Delaware became the latest state to strengthen its cybersecurity laws. Under the newly enacted House Substitute 1 for House Bill 180, businesses that suffer cybersecurity breaches will face far more stringent notification requirements.
According to Representative Baumbach, D-Newark, who sponsored the bill, the legislation “is a meaningful step forward in addressing [cybersecurity] breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyber-attack.”
Under existing Delaware law, businesses that experience a cybersecurity breach are required only to notify the affected Delawareans “without unreasonable delay.” Effective April 14, 2018, companies will need to provide notice within 60 days, except in limited circumstances. If the breach affects over 500 residents, the statute also requires the company to notify the Delaware Attorney General within the same time frame.
The law also broadens the types of incidents that could give rise to consumer notification requirements by expanding the definition of “personal information.” Currently, “personal information” includes only a social security number, a driver’s license or government identification card number, or an account number in combination with a code that would allow the user to access a financial account. As enacted, “personal information” will now also include:
- Passport numbers,
- An email address or username in combination with additional information that would permit access to an account,
- Medical history and treatment information,
- Health insurance policy numbers,
- Unique biometric data, and
- Individual taxpayer identification numbers.
Under the new law, when a breach involving social security numbers occurs, businesses will also be required to provide credit monitoring services at no cost to the affected Delaware residents for a year.
As Delaware Governor John Carney noted when signing the bill into law, “cyber threat is one of the most serious economic challenges we face” in this digital age. Businesses should expect more states to follow Delaware’s lead.