Delaware Governor Enacts Amendments to Computer Security Code
On August 17, Delaware Governor John Carney signed into law amendments (House Substitute No. 1) to the state’s code regarding computer security breaches involving personal information. Among other changes, the amendments include the following: (i) any person who conducts business in Delaware and maintains personal information must implement and maintain safeguard procedures to protect personal information; (ii) the definition of a “breach of security”—defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information”—eliminates “good faith acquisition” breaches where information is not used for unauthorized purposes, as well as instances where breached data is encrypted or protected by an unavailable encryption key; (iii) adds to the definition of “personal information” items such as passport numbers, email addresses and passwords, medical history information, health insurance and tax identification numbers, and biometric data; (iv) strengthens consumer protections, including requirements that notices to consumers must be sent no later than 60 days after it has been determined that a breach has occurred, a notification must be sent to the state Attorney General for breaches affecting more than 500 residents, and free credit monitoring services must be provided to residents involved in the breach of a social security number. The amendments become effective on April 14, 2018.