Delaware Data Breach Notification Statute Summary

Del. Code Title 6, §§ 12B-100, et seq.

 

Type of Data Covered: Electronic.

Deadline for Notification: Without unreasonable delay but no later than 60 days after determination of the breach of security, unless a shorter time is required under federal law, with a rolling notice requirement for later-identified affected persons.

Government Notice: Yes. Notice to the Attorney General.

 

Subject Entities

All individuals, businesses, and government agencies. Entities that are subject to and in compliance with the privacy and security standards under HIPAA and the GLBA may be exempted from particular provisions of the law.

Definition of Personal Information

First name or first initial and last name in combination with any one or more of the following unencrypted data sets:

  • Social Security number;
  • Driver’s license number or state or federal identification card number;
  • Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
  • Passport number;
  • Username or email address, in combination with a password or security question and answer that would permit access to an online account;
  • Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or DNA profile;
  • Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person;
  • Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; or
  • Individual taxpayer identification number.

Definition of Breach

Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a subject entity, excluding certain good faith acquisitions.

Type of Data Covered

Electronic.

Encryption Safe Harbor

Statute does not apply to encrypted data.

Risk of Harm Analysis

Notification is not required if, after an appropriate investigation, the entity reasonably determines that the breach of security is unlikely to result in harm to the individual whose personal information had been breached.

Consumer Notice Requirements

Timing: Must be made without unreasonable delay but no later than 60 days after determination of the breach. If a subject entity is not able, through reasonable diligence, to identify all affected residents within 60 days of discovery, the subject entity must provide notice to such residents as soon as practicable after determining the breach affected their personal information.

Method: Notice to an affected resident shall be by written notice, telephonic notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Notice can also be made electronically if the entity’s primary means of communication with the resident is by electronic means. Substitute notice may be available under certain conditions. However, if the breach involved access to an individual’s email address and login credentials, the subject entity must use a method other than email to notify the affected individual.

Credit Monitoring and Related Information: If the breach of security affects Social Security numbers, the entity shall offer to each resident whose Social Security number was affected credit monitoring services at no cost for one (1) year. In addition, the notice must include information necessary to enroll in the services and information about how the resident can place a credit freeze on their credit file.

Substitute Notice Requirements

Substitute notice may be provided if the cost of providing notice will exceed $75,000, the affected class of residents to be notified exceeds 100,000 residents, or the subject entity does not have sufficient contact information to provide notice.

Substitute notice consists of all of the following:

  • Email notice if the entity has email addresses for the affected residents;
  • Conspicuous posting of the notice on the entity’s webpage if it maintains one; and
  • Notice to major statewide media.

Major statewide media includes newspapers, radio, and television and publication on the major social media platforms of the entity providing notice.

Government Notice Requirement

Timing: Must be made without unreasonable delay but no later than 60 days after determination of the breach, unless a shorter time is required under federal law. If a subject entity is not able, through reasonable diligence, to identify all affected residents within 60 days of discovery, the subject entity must provide notice to such residents as soon as practicable after determining the breach affected their personal information.


Method: Notice to an affected resident shall be by written notice, telephonic notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Notice can also be made electronically if the entity’s primary means of communication with the resident is by electronic means. Substitute notice may be available under certain conditions. However, if the breach involved access to an individual’s email address provided by the subject entity and login credentials, the subject entity must use a method other than email to notify the affected individual.


Credit Monitoring and Related Information: If the breach of security affects Social Security numbers, the entity shall offer to each resident whose Social Security number was affected credit monitoring services at no cost for one (1) year. In addition, the notice must include information necessary to enroll in the services and information about how the resident can place a credit freeze on their credit file.

Delayed Notice Requirements

Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation, and law enforcement has requested that the notice be delayed.

Third Party Notice Requirements

If an entity maintains personal information on behalf of a third party, the entity must notify and cooperate with the third party immediately following discovery of the breach.

Potential Penalties

Violations may result in civil penalties.

Government Agency Notice Requirements

Please see statute for specific requirements and/or penalties for applicable government agencies.

 

Last updated: January 2024