Delaware has become the latest among fourteen states to set requirements on the private sector for better data security practice. On Thursday, August 17th, Governor John Carney signed House Substitute 1 for House Bill 180 into law. This new amendment requires companies to provide additional protections for the personal information of Delaware citizens. The modified law also expands its definitions, since conditions online have changed over the 10 years since the original law was approved. All businesses, large and small, have until April 2018 to come into compliance with the updated legislation. Delaware and Connecticut are quickly being recognized as leaders in cyber security legislation in the United States, and many other states are expected to follow.
Core Changes and Requirements
The law that Governor Carney signed isn’t a new one, but a significant modification of a law from 2005. State law has shown a rising trend toward addressing cyber security. The key changes fall in four areas: definition expansions, the risk of harm trigger, attorney general notice, and credit monitoring.
In any legal document, words matter a great deal, which is why this amendment expands the definitions of both “person” and “personal information” to meet the needs of cyber security today. Under the new definition, a “person” is required to maintain reasonable security procedures, and the word “person” now applies to all forms of business, government, and legal entities.
The expanded definition of “personal information” has generated much more buzz among media outlets. It now includes: passport numbers, login credentials, email addresses, passwords, security questions, all medical history, current conditions and treatments, deoxyribonucleic acid (DNA) profiles, health insurance policy numbers, subscriber ID numbers, biometric data, and taxpayer identification numbers.
Risk of Harm Trigger / Data Breach Notification
The updated law now requires companies to notify state residents within 60 days if they’ve been impacted by a data breach. However, this doesn’t mean a business can procrastinate for the full 60 days, as the legislation explicitly states that residents must be notified “as soon as possible” after an investigation has been concluded. The only two exceptions to this rule are if the investigation concludes that the data breach is unlikely to cause any harm to impacted individuals, or if police explicitly request a delay in the notification.
Attorney General Notice
If the breach has impacted more than 500 residents, the company is also required to notify the attorney general.
What has quickly become de facto practice among larger companies in the private sector will now be enshrined in law. Credit monitoring must now be paid for by the breached business if a resident’s social security number was compromised. So if a breach does occur, the business will have the additional cost of covering each affected resident’s credit monitoring for a minimum of 12 months, at no cost to the residents. Connecticut now has a similar requirement for businesses operating in that state.
Impacts on Small Business
The Delaware State Chamber of Commerce did help in the development of the amendment but stopped supporting the measure because of the disproportionate impact it would have on small businesses. The primary provision of concern is the credit monitoring one. Bloomberg BNA discussed the issue with James DeChene, Senior Vice President of Government Affairs for the Chamber, who stated that even just one breach under this legislation would “…open them [small businesses] up to a level of liability that is large enough to put them out of business.” He continued, “If a breach involved several hundred customers, for example, that can rack up pretty quickly into large dollar amounts. There’s no insurance policy that a business could take out to prevent an attack.” He ultimately said that for small businesses to be adequately prepared, the law would need to be very well publicized.
However, Daniel Eliot, Manager of Technology Business Development at UD’s Small Business Development Center, has stated that, “for the last two years, we’ve worked closely with the state and other stakeholders, focused on providing training and resources to help Delaware’s small businesses make a reasonable effort to secure their businesses. It’s a matter of fact: all businesses today are technology-based businesses and are vulnerable to cyber breach. We want to be sure Delaware’s businesses are technologically and behaviorally prepared to combat such attacks.” The University of Delaware has been active in training small businesses in the identification of threats and helping them understand how to protect their business and customer data.
Despite the challenges that come with creating a state-level law that addresses the needs of both large and small businesses, the legislative victory is clear. Many states across the U.S. appear to be taking these matters into their own hands and will be looking to frontrunners, such as Connecticut and Delaware, for guidance on the topic.