Click here to review text of state statute (see Del. Code Ann. tit. 6 § 12B)
Information Covered / Important Definitions
Personal information of Delaware residents.
Definition includes (i) passport number; (ii) medical history, medical treatment by a health-care professional, diagnosis of mental or physical condition by a health-care professional, or deoxyribonucleic acid profile; (iii) health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person; (iv) unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; (v) an individual taxpayer identification number.
“Security Breach” means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
“Encrypted” means personal information that is rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the field of information security.
“Encryption key” means the confidential key or process designed to render the encrypted personal information useable, readable, and decipherable.
Covered Entities* / Third Party Recipients
Subject to statute:
An individual or entity that owns or licenses computerized data that includes personal information about a Delaware resident.
Third party recipients:
If a covered entity maintains computerized data that includes personal information that the covered entity does not own or license, the covered entity must notify and cooperate with the owner or licensee of the information of any security breach immediately following determination of the breach of security.
Notice Procedures & Timing / Other Obligations
Written, telephonic or electronic notice must be provided to victims of a security breach without unreasonable delay but no later than sixty (60) days following the discovery of the breach, unless a shorter time is required by federal law, or a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $75,000, affected class exceeds 100,000 persons, or covered entity has insufficient contact information.
- If a resident’s social security number was compromised in the breach, complimentary credit monitoring services must be offered to the resident for one year; notice may not be given by e-mail to a resident whose related online account has been compromised.
- Notice not required if, after an appropriate investigation, the entity responsible for the personal information determines that the breach of security is unlikely to result in harm to individuals whose personal information has been breached.
Covered entities must implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if personal information subject to a security breach is encrypted, unless an unauthorized acquisition includes, or is reasonably believed to include, an encryption key that could render the personal information readable or useable.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity so long as personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Delaware statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Delaware statute.
A covered entity is deemed in compliance with the Delaware statute if it is regulated by state or federal law, including HIPAA and GLBA, and it complies with requirements or procedures imposed by its primary or functional state or federal regulator which are consistent with the Delaware statute.
Notification to Regulator / Waiver
Delaware attorney general must be notified if a breach involves over 500 residents.
A determination of no likelihood of harm:
Does not require notification to attorney general.
Attorney general may bring actions in law or equity to seek appropriate relief, including direct economic damages resulting from a violation.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute (See Del. Code Ann. tit. 6 § 12B)