Delaware recently amended its data breach notification laws through House Bill 180, which expands the definitions of breach and personal information. Delaware is now among 14 states to impose explicit data security obligations on businesses. While the revisions are in some ways more stringent, they are also more balanced because they include a risk of harm requirement.

Under the amended law, which will go into effect on April 14, 2018, the definition of breach has been expanded to include not only unauthorized acquisition, but also disclosure of electronic or paper files, media, databases or other data. The law also broadens the scope of personal information to include user name or email address in combination with a password or security question and answer, medical information, and unique biometric data.

The amended law includes a risk of harm requirement, which means that notice is not required if it can be established that the breach is unlikely to result in harm to the individual. Otherwise, notice is required not later than 60 days after the discovery of the breach. Further, if the affected class of Delaware residents to be notified exceeds 500 residents, the Attorney General must be notified of the breach.

Finally, if the breach of security includes a complete social security number, the law requires that identity theft prevention and mitigation services be provided unless it can be determined that the breach of security is unlikely to result in harm to the individuals whose personal information was breached.

Footnote: Drinker Biddle, working on behalf of firm clients and with other interested stakeholders, engaged in lobbying efforts during passage of this bill.