Delaware Amends Data Breach Notification Law

As reported in BNA Privacy Law Watch, on August 17, 2017, Delaware amended its data breach notification law, effective April 14, 2018. The Delaware law previously required companies to give notice of a breach to affected Delaware residents “as soon as possible” after determining that, as a result of the breach, “misuse of information about a Delaware resident has occurred or is reasonably likely to occur.” The prior version of the law did not require regulator notification.

The amendments include several key provisions:

  • Definition of Personal Information. Under the revised law, the definition of “personal information” is expanded and now includes a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements: (1) Social Security number; (2) driver’s license or state or federal identification card number; (3) account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a financial account; (4) passport number; (5) a username or email address in combination with a password or security question and answer that would permit access to an online account; (6) medical history, treatment or diagnosis by a health care professional, or DNA profile; (7) health insurance identification number; (8) biometric data; and (9) an individual taxpayer identification number.
  • Timing. Companies will be required to notify affected individuals of a data breach within 60 days.
  • Notice to the Attorney General. Companies will be required to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents.
  • Harm Threshold. The amendments change the law’s harm threshold for notification. Under the revised law, notification to affected individuals (and the Attorney General, if applicable) is required unless, after an appropriate investigation, the company reasonably determines that the breach is unlikely to result in harm to affected individuals.
  • Credit Monitoring. Companies will be required to offer credit monitoring services to affected individuals at no cost for one year if the breach includes a Delaware resident’s Social Security number. California’s breach notification law contains a similar requirement.
