TITLE 6

Commerce and Trade

SUBTITLE II

Other Laws Relating to Commerce and Trade

CHAPTER 12B. COMPUTER SECURITY BREACHES [EFFECTIVE UNTIL APR. 14, 2018]


For purposes of this chapter:

(1) "Breach of the security of the system'' means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure;

(2) "Commercial entity'' includes corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not-for-profit;

(3) "Notice'' means:

a. Written notice;

b. Telephonic notice;

c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 of Title 15 of the United States Code; or

d. Substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $75,000, or that the affected class of Delaware residents to be notified exceeds 100,000 residents, or that the individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:

1. E-mail notice if the individual or the commercial entity has e-mail addresses for the members of the affected class of Delaware residents; and

2. Conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or the commercial entity maintains one; and

3. Notice to major statewide media.

(4) "Personal information'' means a Delaware resident's first name or first initial and last name in combination with any 1 or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:

a. Social Security number;

b. Driver's license number or Delaware Identification Card number; or

c. Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.

The term "personal information'' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records;

75 Del. Laws, c. 61, § 1.;

(a) An individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that includes personal information about a resident of Delaware shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Delaware resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

(b) An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Delaware resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.

(c) Notice required by this chapter may be delayed if a law-enforcement agency determines that the notice will impede a criminal investigation. Notice required by this chapter must be made in good faith, without unreasonable delay and as soon as possible after the law-enforcement agency determines that notification will no longer impede the investigation.

75 Del. Laws, c. 61, § 1.;

(a) Under this chapter, an individual or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notice requirements of this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with its policies in the event of a breach of security of the system.

(b) Under this chapter, an individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with the maintained procedures when a breach occurs.

75 Del. Laws, c. 61, § 1.;

Pursuant to the enforcement duties and powers of the Consumer Protection Division of the Department of Justice under Chapter 25 of Title 29, the Attorney General may bring an action in law or equity to address the violations of this chapter and for other relief that may be appropriate to ensure proper compliance with this chapter or to recover direct economic damages resulting from a violation, or both. The provisions of this chapter are not exclusive and do not relieve an individual or a commercial entity subject to this chapter from compliance with all other applicable provisions of law.

75 Del. Laws, c. 61, § 1; 77 Del. Laws, c. 282, § 16.;

Any person who conducts business in this State and owns, licenses, or maintains personal information shall implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.

81 Del. Laws, c. 129, § 1.;

For purposes of this chapter:

(1) "Breach of security'' means as follows:

a. The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Good faith acquisition of personal information by an employee or agent of any person for the purposes of such person is not a breach of security, provided that the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.

b. The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information is not a breach of security to the extent that personal information contained therein is encrypted, unless such unauthorized acquisition includes, or is reasonably believed to include, the encryption key and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could render that personal information readable or useable.

(2) "Determination of the breach of security'' means the point in time at which a person who owns, licenses, or maintains computerized data has sufficient evidence to conclude that a breach of security of such computerized data has taken place.

(3) "Encrypted'' means personal information that is rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the field of information security.

(4) "Encryption key'' means the confidential key or process designed to render the encrypted personal information useable, readable, and decipherable.

(5) "Notice'' means any of the following:

a. Written notice.

b. Telephonic notice.

c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 of Title 15 of the United States Code or if the person's primary means of communication with the resident is by electronic means.

d. Substitute notice, if the person required to provide notice under this chapter demonstrates that the cost of providing notice will exceed $75,000, or that the affected number of Delaware residents to be notified exceeds 100,000 residents, or that the person does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:

1. Electronic notice if the person has email addresses for the members of the affected class of Delaware residents.

2. Conspicuous posting of the notice on the web site page of the person if the person maintains one.

3. Notice to major statewide media, including newspapers, radio, and television and publication on the major social media platforms of the person providing notice.

(6) "Person'' means an individual; corporation; business trust; estate trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity.

(7)a. "Personal information'' means a Delaware resident's first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual:

1. Social Security number.

2. Driver's license number or state or federal identification card number.

3. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.

4. Passport number.

5. A username or email address, in combination with a password or security question and answer that would permit access to an online account.

6. Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile.

7. Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person.

8. Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes.

9. An individual taxpayer identification number.

b. "Personal information'' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely-distributed media.

75 Del. Laws, c. 61, § 1; 81 Del. Laws, c. 129, § 1.;

(a) Any person who conducts business in this State and who owns or licenses computerized data that includes personal information shall provide notice of any breach of security following determination of the breach of security to any resident of this State whose personal information was breached or is reasonably believed to have been breached, unless, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.

(b) A person that maintains computerized data that includes personal information that the person does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of security immediately following determination of the breach of security. For purposes of this subsection, "cooperation'' includes sharing with the owner or licensee information relevant to the breach.

(c) Notice required by subsection (a) of this section must be made without unreasonable delay but not later than 60 days after determination of the breach of security, except in the following situations:

(1) A shorter time is required under federal law.

(2) A law-enforcement agency determines that the notice will impede a criminal investigation and such law-enforcement agency has made a request of the person that the notice be delayed. Any such delayed notice must be made after such law-enforcement agency determines that notice will not compromise the criminal investigation and so notifies the person of such determination.

(3) When a person otherwise required by subsection (a) of this section to provide notice, could not, through reasonable diligence, identify within 60 days that the personal information of certain residents of this State was included in a breach of security, such person must provide the notice required by subsection (a) of this section to such residents as soon as practicable after the determination that the breach of security included the personal information of such residents, unless such person provides or has provided substitute notice in accordance with § 12B-101(5)d. of this title.

(d) If the affected number of Delaware residents to be notified exceeds 500 residents, the person required to provide notice shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General.

(e) If the breach of security includes a Social Security number, the person shall offer to each resident, whose personal information, including Social Security number, was breached or is reasonably believed to have been breached, credit monitoring services at no cost to such resident for a period of 1 year. Such person shall provide all information necessary for such resident to enroll in such services and shall include information on how such resident can place a credit freeze on such resident's credit file. Such services are not required if, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.

(f) In the case of a breach of security involving personal information defined in § 12B-101(7)a.5. of this title for login credentials of an email account furnished by the person, the person cannot comply with this section by providing the security breach notification to such email address, but may instead comply with this section by providing notice by another method described in § 12B-101(5) of this title or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person knows the resident customarily accesses the account.

75 Del. Laws, c. 61, § 1; 81 Del. Laws, c. 129, § 1.;

(a) Under this chapter, a person that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notice requirements of this chapter if the person notifies affected Delaware residents in accordance with its policies in the event of a breach of security.

(b) Under this chapter, a person that is regulated by state or federal law, including the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, as amended) and the Gramm Leach Bliley Act (15 U.S.C. § 6801 et seq., as amended) and that maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the person notifies affected Delaware residents in accordance with the maintained procedures when a breach of security occurs.

75 Del. Laws, c. 61, § 1; 81 Del. Laws, c. 129, § 1.;

(a) Pursuant to the enforcement duties and powers of the Director of Consumer Protection of the Department of Justice under Chapter 25 of Title 29, the Attorney General may bring an action in law or equity to address the violations of this chapter and for other relief that may be appropriate to ensure proper compliance with this chapter or to recover direct economic damages resulting from a violation, or both. The provisions of this chapter are not exclusive and do not relieve a person subject to this chapter from compliance with all other applicable provisions of law.

(b) Nothing in this chapter may be construed to modify any right which a person may have at common law, by statute, or otherwise.

75 Del. Laws, c. 61, § 1; 77 Del. Laws, c. 282, § 16; 81 Del. Laws, c. 129, § 1.;