Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all information necessary for the resident to enroll in such services as well as instructions for how to implement a credit freeze. This makes Delaware the second state to require credit monitoring services be provided to residents at no cost following a breach. (Connecticut has a similar provision.)
Additional changes include:
- A 60-day notice deadline (with exceptions) to Delaware residents whose personal information has been or is reasonably believed to have been compromised in a security breach.
- A requirement that any entity conducting business in Delaware that “owns, licenses, or maintains personal information . . . implement and maintain reasonable procedures and practices” to protect residents’ personal information.
- A “breach of security” will now exclude unauthorized acquisition of encrypted data unless the acquisition includes, or is reasonably believed to include, the encryption key and the person who owns or licenses the data has a reasonable belief that the encryption key could render that personal information readable or useable.
- Mandatory reporting to the Attorney General if the number of affected residents exceeds 500.
- Electronic notice is permitted when the entity’s “primary means of communication with the resident is by electronic means.”
- “Personal information” will be expanded to mean a Delaware resident’s first name or initial and last name in combination with:
  - Social Security number;
  - Driver’s license number or state or federal identification card number;
  - Account number, or credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
  - Passport number;
  - A username or email address, in combination with a password or security question and answer that would permit access to an online account;
  - Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile;
  - Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person;
  - Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes;
  - An individual taxpayer identification number.