Leaders Edge

August 25, 2017

Delaware Governor John Carney signed legislation last week amending the state's data breach notification law, making it more explicit and more encompassing. This effort continues the growing trend of state interest in data security and data breach reporting.

While the federal government has stayed at arm's length from legislation mandating cybersecurity requirements or data breach reporting, leaving that to the states, it does tend to prefer the words "voluntary adoption" when it comes to cybersecurity.

As far as data breach reporting goes, there are currently 47 separate statewide data breach notification laws, each with its own set of definitions, requirements and penalties. While the discussion of a unified federal data breach notification law is one for another day, we have begun to see states increase their efforts to protect their residents when personally identifiable information (PII) is compromised in a data breach.

In the case of Delaware's data breach notification law, effective April 14, 2018, the amendments tightened the definition of PII and now require breached companies to notify affected individuals within 60 days (as opposed to the previous "as soon as possible" timeframe).

Affected organizations must also now give notice to the Attorney General if a breach affects more than 500 Delaware residents, and breached organizations must "offer credit-monitoring services to affected individuals at no cost for one year if the breach included a Delaware resident's Social Security number." Delaware follows Connecticut as one of the first states to mandate free credit monitoring services following a breach involving state residents.

According to the amendment, "companies will also be required to ensure that reasonable procedures and practices are in place to protect Delaware residents' personal information collected through the course of business." However, Delaware's law does not define or elaborate on what procedures and practices qualify as acceptable, unlike the recent New York State Department of Financial Services (NYDFS) cybersecurity rule, which mandates extremely specific and costly comprehensive cybersecurity requirements for financial firms operating within the state.

As government faces more pressure to become involved in the private sector's cybersecurity practices, it remains unknown whether the states will follow New York and implement specific and expensive mandates, or wait for the federal government to step in. Only time will tell.