Advanced Search
View Mobile Site
ExperiencePracticesProfessionalsOfficesEventsNews/BlogsFirmDiversityCareers

Delaware


Del. Code Tit. 6, ch. 12B § 101 et seq.

H.B. 116 (signed into law June 28, 2005)

Effective June 28, 2005

H.B. 247 (signed into law June 10, 2010)

Effective June 10, 2010 
Application. Any individual or commercial entity (collectively, Entity) that conducts business in DE and that owns or licenses computerized data that includes PI about a resident of DE. 
    • The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on DE residents, whether or not the Entity conducts business in DE. 
Security Breach Definition.  An unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity. 
    • Good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used or subject to further unauthorized disclosure.
Notification Obligation.  Any Entity to which the statute applies shall, when it becomes aware of a breach of the security of the system, notify the affected DE resident.
    • Notification is not required if after a good-faith, reasonable, and prompt investigation the Entity determines there is no reasonable likelihood of harm to consumers.
Third-Party Data Notification.  An Entity that maintains computerized data that includes PI that the Entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of the breach, if misuse of PI about a DE resident occurred or is reasonably likely to occur.  Cooperation includes sharing with the owner or licensee information relevant to the breach.

Timing of Notification.  Notice shall be made in good faith, in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

Personal Information Definition.  A DE resident’s first name or first initial and last name, in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:
    • Social Security Number;

    • Driver license number or DE identification card number; or

    • Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to a resident’s financial account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notice Required.  Notice may be provided by one of the following methods:
    • Written notice;

    • Telephonic notice; or

    • Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available.  If the Entity demonstrates that the cost of providing notice will exceed $75,000, or that the affected class of DE residents to be notified exceeds 100,000 residents, or the Entity does not have sufficient contact information to provide notice.  Substitute notice shall consist of all of the following:
    • Email notice if the Entity has email addresses for the members of the affected class of DE residents;

    • Conspicuous posting of the notice on the Web site of the Entity if the Entity maintains one; and

    • Notice to major statewide media.
Exception: Own Notification Policy.  An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of the statute, is deemed to be in compliance with the notice requirements of the statute if the Entity notifies affected DE residents in accordance with its policies in the event of a breach of the security of the system.

Exception:  Compliance with Other Laws.
    • Primary Regulator.  Notification pursuant to laws, rules, regulations, guidances, or guidelines established by an Entity’s primary or functional state regulator is sufficient for compliance.
Other Key Provisions:
    • Delay for Law Enforcement.  Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation.  Notice required by the statute must be made without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

    • AG Enforcement.
Contact Us  ·  Mobile Access  ·  Site Map  ·  Terms Of Use  ·  Privacy Policy  ·  Legal Disclaimer  · Alumni ·  Perkins Coie Trust Company LLC
2012 Perkins Coie LLP