Delaware has joined the growing list of states that have recently amended their data breach laws. With passage of the first significant amendments to its data breach law since 2005, Delaware continues a state-law trend of creating new, widely applicable obligations to implement reasonable security measures; protect additional types of personal information; notify individuals, regulators, and other businesses of breaches; and mitigate harm flowing from cyber incidents.

Ballard Spahr Partner Edward J. McAndrew, a Practice Leader of the firm's Privacy & Data Security Group, was part of a group of Delaware attorneys who provided suggested revisions to the Delaware data breach statute. The most significant aspects of Delaware's amended law—which takes effect 240 days after enactment—include:

• Maintaining Reasonable Procedures and Practices to Protect Personal Information. Every "person" subject to the amended law is now required to implement and maintain reasonable security procedures and practices. More specifically, "[a]ny person" conducting business and owning, licensing, or maintaining personal information must implement reasonable security measures "to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business." The definition of "person" has been expanded to include any business form, governmental entity, "or any other legal or commercial entity."

• Expanding the Definition of "Personal Information." Delaware broadened the types of protected personal information to include personal health information (including medical history, diagnosis of physical or mental conditions, DNA profile, health insurance identifiers, or other information); biometric data; passport and taxpayer identification numbers; and online account credentials (usernames and email addresses, in combination with passwords or security questions/answers). Delaware's amended definition continues a trend of states focused on protecting additional types of information in the health and technology sectors.

• Defining a "Breach of Security." Delaware continues to limit the definition of a breach to "unauthorized acquisition" of qualifying data. The new law adds an express encryption exception to its definition of a "breach of security," while also deleting the qualifying phrase "of the system" from that definition. The new encryption exception applies unless the acquisition is reasonably believed to include, or actually includes, the decryption key. A "breach" determination is now focused on the unauthorized acquisition of qualifying personal information, not on whether the "system" of a "person" who owns, licenses, or maintains that data has been compromised. The "determination of a breach of security" is expressly defined as "the point in time at which [the data owner/licensor/custodian] has sufficient evidence to conclude that a breach of security of such computerized data has taken place."

• Disclosing a "Breach of Security." Delaware largely rewrote its breach notification provision. Those who own or license computerized personal information must notify Delaware residents within 60 days after a determination of the breach (or a "reasonable belie[f]" of a breach) of such information, unless the owner/licensor "after an appropriate investigation . . . reasonably determines that the breach of security is unlikely to result in harm . . ." The 60-day window "rolls" forward as a reasonably diligent investigation identifies additional residents whose personal information has been breached. A person who maintains qualifying personal information must "immediately" notify and "cooperate with" the owner/licensor upon determination of a breach of qualifying information. Notification also must be provided to the state Attorney General "not later than the time when notice is provided to the resident" if the breach involves more than 500 Delaware residents. For breaches involving login credentials, notice of the breach cannot be sent to a compromised email address. Instead, notice can be provided by writing or telephone, or by "clear and conspicuous notice delivered to the resident online when the resident is connected to an online account from an Internet Protocol address or online location from which the person knows the resident customarily accesses the account."

• Delaying Notice and Complying With Other Applicable Laws. Delaware's law includes express exceptions for "procedures for a breach of security" maintained under federal or state "laws, rules, regulations, guidance, or guidelines established by [a person's] primary or functional state or federal regulator," including the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. Delaware's 60-day notification window can be narrowed if required under federal law. Notification can be delayed at "the request" of a law enforcement agency.

• Providing Credit Monitoring. Delaware law now requires the provision of one year of "credit monitoring services"—at no cost to the resident—where a resident's social security number "was breached or is reasonably believed to have been breached." The notifying person must provide "all information necessary for such resident to enroll in such services and shall include information on how such resident can place a credit freeze of such resident's credit file." These services are not required if an appropriate investigation confirms that the breach is unlikely to result in harm.

• Maintaining Existing Remedies. The Delaware Attorney General remains empowered to enforce the law, including through civil actions in law or equity. Such actions may seek "direct economic damages." The new law expressly states that it does not "modify any right which a person may have at common law, by statute, or otherwise." The legislature rejected the creation of a private cause of action for damages resulting from a breach under the law.