DEL. HB 180. Breaches of Security involving Personal Information.
Jump to navigation Jump to search
|DEL. HB 180. Breaches of Security involving Personal Information.
|DEL. HB 180. Breaches of Security involving Personal Information.
|State or Province
|Scope of the Law
|Exclusion, Identification, Insecurity
Text of the law
- HOUSE OF REPRESENTATIVES
- 149th GENERAL ASSEMBLY
- HOUSE BILL NO. 180
- AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO BREACHES OF SECURITY INVOLVING PERSONAL INFORMATION. BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:
- Section 1. Amend Chapter 12B, Title 6 of the Delaware Code by making deletions as shown by strike through and insertions as shown by underline and renumbering accordingly as follows:
- Any person who conducts business in this State and owns, licenses, or maintains personal information shall implement and maintain reasonable procedures and practices to prevent the unauthorized access to or acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.
- § 12B-101. Definitions.
- For purposes of this chapter:
- (1) “Breach of security” means as follows:
- a. The unauthorized acquisition or disclosure of electronic or paper files, media, databases, or other data that compromises the security, confidentiality, or integrity of personal information. Good faith acquisition of personal information by an employee or agent of any person for the purposes of such person is not a breach of security, provided that the personal information is not used or subject to further unauthorized disclosure.
- b. The intentional unauthorized access to, use, or modification of personal information.
- c. The unauthorized access to or the acquisition, or disclosure of electronic or paper files, media, databases, or other data is not a breach of security to the extent that such electronic or paper files, media, databases, or other data are encrypted, unless such unauthorized access, acquisition, or disclosure includes, or is reasonably believed to include, the encryption key and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could render that personal information readable or useable.
- (2) “Encrypted” means electronic or paper files, media, databases, or other data that is rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the field of information security.
- “Encryption key” means the confidential key or process designed to render the encrypted data useable, readable, and decipherable.
- (3) "Notice" means any of the following:
- a. Written notice.
- b. Telephonic notice.
- c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 of Title 15 of the United States Code, but electronic notice is not permitted if the breach involves a username or email address, in combination with a password or security question and answer that would permit access to the online account that would receive the notice.
- d. Substitute notice, if the person required to provide notice under this chapter demonstrates that the cost of providing notice will exceed $75,000, or that the affected class of Delaware residents to be notified exceeds 100,000 residents, or that the individual or the commercial entity person does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
- 1. Electronic notice if the individual person has e-mail addresses for the members of the affected class of Delaware residents.
- 2. Conspicuous posting of the notice on the web site page of the person if the person maintains one.
- 3. Notice to major statewide media, including newspapers, radio, and television and publication on the major social media platforms of the person providing notice.
- (4) a."Personal information" means a Delaware resident's first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual: Identification
- (1) “Breach of security” means as follows:
- 1. Social Security number.
- 2. Driver's license number or state or federal identification card number.
- 3. Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.
- 4. Passport number.
- 5. Shared secrets or security tokens that are known to be used for data-based authentication.
- 6. A username or email address, in combination with a password or security question and answer that would permit access to an online account.
- 7. A marriage certificate or marriage certificate number.
- 8. Full date of birth or birth certificate.
- 9. Medical history, mental or physical condition, medical treatment, or diagnosis by a health care professional or deoxyribonucleic acid profile.
- 10. Health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the person or information related to a person’s application or claims history.
- 11. Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
- 12. An individual taxpayer identification number.
- 13. Information or data collected through the use or operation of an automated license plate recognition system.
- 14. Unique electronic identification number or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- 15. An individual’s digital or electronic signature.
- b.“Personal information"does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely-distributed media.
- § 12B-102. Disclosure of breach of security; notice. Insecurity, Exclusion
- (a) Any person who conducts business in this State and who owns or licenses electronic or paper files, media, databases, or other data that includes personal information shall provide notice of any breach of security following the discovery of the breach of security to any resident of this State whose personal information was breached or is reasonably believed to have been breached, unless, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.
- (b) A person that maintains electronic or paper files, media, databases, or other data that includes personal information that the person does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach the security immediately following discovery of the breach of security. For purposes of this subsection, “cooperation” includes sharing with the owner or licensee information relevant to the breach.
- (c) Notice required by § 12B-102(a) of this chapter must be made without unreasonable delay but not later than 60 days after the discovery of the breach, unless a shorter time is required under federal law or if a law enforcement agency determines that the notice will impede a criminal investigation and such law enforcement agency has made a request of the person that the notice be delayed. Any such delayed notice must be made after such law enforcement agency determines that notice will not compromise the criminal investigation and so notifies the person of such determination.
- (d) If the affected class of Delaware residents to be notified exceeds 500 residents, the person required to provide notice shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General.
- (e) If the breach of security includes a complete social security number, the person shall offer to each resident, whose personal information, including social security number, was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such services must be provided at no cost to such resident for a period of not less than 1 year. Such person shall provide all information necessary for such resident to enroll in such services and shall include information on how such resident can place a credit freeze on such resident’s credit file. Such services are not required if, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.
- (f) The Director of Consumer Protection of the Department of Justice shall promulgate regulations setting forth the required form and content of a notice under this chapter.
- Section 2. Amend § 12B-103, Title 6 of the Delaware Code by making deletions as shown by strike through and insertions as shown by underline as follows:
- § 12B-103. Procedures deemed in compliance with security breach requirements.
- (a) Under this chapter, a person that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notice requirements of this chapter if the person notifies affected Delaware residents in accordance with its policies in the event of a breach of security.
- (b) Under this chapter, a person that is regulated by state or federal law and that maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the notifies affected Delaware residents in accordance with the maintained procedures when a breach occurs.
- Section 3. Amend § 12B-104, Title 6 of the Delaware Code by making deletions as shown by strike through and insertions as shown by underline as follows:
- § 12B-104. Violations.
- (a) Pursuant to the enforcement duties and powers of the Director of Consumer Protection of the Department of Justice under Chapter 25 of Title 29, the Attorney General may bring an action in law or equity to address the violations of this chapter and for other relief that may be appropriate to ensure proper compliance with this chapter or to recover direct economic damages resulting from a violation, or both. The provisions of this chapter are not exclusive and do not relieve a person subject to this chapter from compliance with all other applicable provisions of law.
- (b) Any person harmed by a violation of § 12B-102 of this title may bring an action for recovery of damages.
- (c) Nothing in this chapter may be construed to nullify or impair any right which a person may have at common law, by statute, or otherwise.
- This Act amends Chapter 12B of Title 6 to update Delaware's law regarding computer security breaches by doing the following:
- 1. Creating a requirement that any person who conducts business in Delaware and maintains personal information must safeguard that information.
- 2. Updating the definition of breach of security by including the unauthorized access, use, modification, or disclosure of personal information and the information that is included in the definition of personal information.
- 3. Adding definitions for encryption.
- 4. Creating a "safe harbor" if the data included in an breach is encrypted or protected by an encryption key that prevents the data from being read or used.
- 5. Strengthening the consumer protections when a security breach is discovered including requiring that the entity that experienced the breach provide identity theft protection services if Social Security Numbers were included in the information breached.
- This Act also makes technical corrections to conform to the standards of the Delaware Legislative Drafting Manual, including the use of the term "person" to mean both an individual and an artificial entity.
Disclaimer: The text of this law may not be the most recent version. We make no warranties or representations about the accuracy, completeness, or adequacy of the information contained on this site. Please check official sources.