Delaware, the second-smallest state but the leader in business incorporations, at least within the USA, has updated its legal framework regarding data breach notifications. Beginning on August 14, 2018, companies that experience a data breach must notify any affected individuals in Delaware within 60 days. In addition, credit monitoring – free of charge, of course – is now a legal requirement, not a “favor” or “show of goodwill” on the part of the companies.
And there’s more, much more.
Changes, Long Time Coming
Delaware is famous for being a pro-business state; there’s a reason why over 60% of Fortune 500 businesses are legally incorporated there. Indeed, it’s so pro-business that sometimes it seems that Delaware residents take a back seat to their “legally-people” brethren. Case in point: the original data breach law Delaware passed in 2005, and all the problems it had.
Well, in less than one year, real people will see their rights elevated:
- Reasonable protection of personal information.
- Includes an update on the definition of “encryption.”
- A change in the language so that, if encryption is compromised in the data breach, encryption as safe harbor doesn’t kick in.
- Updated definition of “personal information.”
- Under the new law, medical information; biometric data; user names and passwords; health insurance policy numbers; passport numbers; financial account routing numbers; and individual taxpayer identification numbers, among others, have been added as personal information.
- Notification to residents within 60 days of a data breach.
- Notification to the Attorney General if more than 500 people are affected.
- Free credit monitoring for one year.
Obviously, the above doesn’t cover everything. The legislature included a handy synopsis in the bill, copied verbatim below. As you read over the list, you’ll notice that an effort was made to remove certain things, which is interesting as well.
This Act revises HB 180 to reflect input from a wide group of stakeholders. This Substitute Act differs from HB 180 as follows:
- Terminology has been revised to be more accurate and consistent.
- A definition of “person” is added and includes government, consistent with current law.
- A definition of “determination of breach of security” is added.
- Marriage certificates, full birth dates and birth certificates, shared secrets and security tokens, and digital or electronic signatures are removed from the definition of “personal information.”
- An application for health insurance is removed from the definition of personal information because all of the information in an application that is of concern is separately listed in the definition of personal information.
- Removes the requirement that the Department of Justice develop regulations and a model form of notice.
- Clarifies how to provide notice if a breach involves login credentials of an email account that is the basis of the breach.
- Clarifies that notice of a breach can be provided after 60 days from discovery when it is determined at a later time that the breach includes additional residents.
- Provides examples of federal laws that can be complied with to constitute compliance with this chapter.
- Removes the private right of action for the failure of a person to provide notice under this chapter. The Common Law cause of action for actual damages as a result of a breach is unaffected by this change.
On providing credit monitoring for free, some have pointed out the potential outsized effect on small and medium-sized businesses.
In this day and age when it’s easier than ever to compile extremely large databases, even for the smallest mom-and-pop store, the concerns are more than valid. Indeed, when you think about it, many things work against small businesses, especially when it comes to data security. For example, they ostensibly have less money than a megacorporation, meaning they cannot afford the best digital security on offer. Nor can they afford to upgrade their existing security as often. Nor can they guarantee access to dedicated IT professionals who could potentially lower the risk of a data breach in their day-to-day jobs.
On the other hand, hackers don’t give breaks just because you happen to be an SMB. And, at the end of the day, if 100,000 people (or more!) are affected by a data breach, the damage is the same whether the breached entity is a business operated by two people or twenty thousand people.