Delaware Governor John Carney signed a bill last week to update the state’s data breach notification requirements. As part of extending cybersecurity protections, the law accounts for medical information being compromised in data breaches.
Carney said in a statement that House Substitute 1 for House Bill 180 is important as cybersecurity threats increase and threaten personal data.
“It makes sense to offer additional protections for Delawareans who may have their information compromised in a cybersecurity breach,” he explained. “At the same time, we will continue to connect businesses to training and resources that will help them safeguard and protect their data.”
Delaware last updated its data breach notification law in 2005.
The bill passed in the House with a 39-2 vote, and passed in the Senate with 19 “Yes” votes while two representatives were absent.
The bill requires that “any person who conducts business in Delaware and maintains personal information must safeguard that information.” A security breach also now includes unauthorized access, use, modification, or disclosure of personal information.
Personal information includes a state resident’s first name or first initial and last name in combination with one or more of the following:
- Social Security number
- Driver’s license number
- Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account
- Passport number
- Shared secrets or security tokens that are known to be used for data-based authentication
- A username or email address, in combination with a password or security question and answer that would permit access to an online account
- A marriage certificate or marriage certificate number
- Full date of birth or birth certificate
- An individual taxpayer identification number
- Information or data collected through the use or operation of an automated license plate recognition system
- Unique electronic identification number or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- An individual’s digital or electronic signature
For health information, the bill states that an individual’s medical history is also part of the “personal information.” This includes mental or physical condition, medical treatment, or diagnosis by a healthcare professional or deoxyribonucleic acid profile.
A health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer for identification must also be protected. Finally, “unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes” was also added into the legislation.
The bill also added definitions for data encryption and created a “safe harbor” that applies “if the data included in a breach is encrypted or protected by an encryption key that prevents the data from being read or used.”
The term “person” can now mean an individual and an artificial entity, the updated bill reads.
Companies must also notify state residents within 60 days if they are potentially affected by a data breach. The Delaware Attorney General must also be notified if the breach affects more than 500 individuals.
State residents must also be offered identity theft protection services if Social Security numbers were included in the information that was breached, according to the bill.
State Representative Paul Baumbach sponsored the legislation, and said that personal information being breached is becoming too common. The law was a way to address those data breach concerns.
“This is a meaningful step forward in addressing these breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyber-attack,” Baumbach explained in a statement. “In particular, the bill focuses on notification requirements and additional help with identity theft mitigation services in cases where Social Security numbers are breached.”
University of Delaware Small Business Development Center Manager of Technology Business Development Daniel Eliot also praised the bill.
“For the last two years, we have worked closely with the state and other stakeholders, focused on providing training and resources to help Delaware’s small businesses make a reasonable effort to secure their businesses,” Eliot said. “It’s a matter of fact: all businesses today are technology-based businesses and are vulnerable to cyber breach. We want to be sure Delaware’s businesses are technologically and behaviorally prepared to combat such attacks.”