Del. Code Title 6, §§ 12B-100, et seq. |
---|
Type of Data Covered | Deadline for Notification | Government Notice |
---|---|---|
Electronic. | Without unreasonable delay but no later than 60 days after determination of the breach of security, unless a shorter time if required under federal law, with a rolling notice requirement for later-identified affected persons. | Yes. Notice to the Attorney General. |
Subject Entities |
All individuals, businesses, and government agencies. Entities that are subject to and in compliance with the privacy and security standards under HIPAA and the GLBA may be exempted from particular provisions of the law. |
Definition of Personal Information |
First name or first initial and last name in combination with any one or more of the following unencrypted data sets:
|
Definition of Breach |
Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a subject entity, excluding certain good faith acquisitions. |
Type of Data Covered |
Electronic. |
Encryption Safe Harbor |
Statute does not apply to encrypted data. |
Risk of Harm Analysis |
Notification is not required if, after an appropriate investigation, the entity reasonably determines that the breach of security is unlikely to result in harm to the individual whose personal information had been breached. |
Consumer Notice Requirements |
Timing: Must be made without unreasonable delay but no later than 60 days after determination of the breach. If a subject entity is not able, through reasonable diligence, to identify all affected residents within 60 days of discovery, the subject entity must provide notice to such residents as soon as practicable after determining breach affected their personal information. Method: Notice to an affected resident shall be by written notice, telephonic notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Notice can also be made electronically if the entity’s primary means of communication with the resident is by electronic means. Substitute notice may be available under certain conditions. However, if the breach involved access to an individual’s email address and login credentials, the subject entity must use a method other than email to notify the affected individual. Credit Monitoring and Related Information: If the breach of security affects Social Security numbers, the entity shall offer to each resident Social Security number was affected credit monitoring services at no cost for one (1) year. In addition, the notice must include information necessary to enroll in the services and information about how the resident can place a credit freeze on their credit file. |
Substitute Notice Requirements |
Substitute notice may be provided if the cost of providing notice will exceed $75,000, the affected class of residents to be notified exceeds 100,000 residents, or the subject entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
Major statewide media includes newspapers, radio, and television and publication on the major social media platforms of the entity providing notice. |
Government Notice Requirement |
Timing: Must be made without unreasonable delay but no later than 60 days after determination of the breach, unless a shorter time is required under federal law. If a subject entity is not able, through reasonable diligence, to identify all affected residents within 60 days of discovery, the subject entity must provide notice to such residents as soon as practicable after determining the breach affected their personal information.
|
Delayed Notice Requirements |
Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation, and law enforcement has requested that the notice be delayed. |
Third Party Notice Requirements |
If an entity maintains personal information on behalf of a third party, the entity must notify and cooperate with the third party immediately following discovery of the breach. |
Potential Penalties |
Violations may result in civil penalties. |
Government Agency Notice Requirements |
Please see statute for specific requirements and/or penalties for applicable government agencies. |
Last updated: January 2024